
CMMC Compliance – Newark (NJ)

Newark and New Jersey Department of Defense (DoD) contractors and subcontractors will soon be required to comply with the new Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements. The CMMC program is intended to better enforce cybersecurity requirements across the Defense Industrial Base (DIB) to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Three CMMC Maturity Levels (ML)

Once implemented, DoD contract solicitations will indicate the required maturity level for the winning contractor. If a contractor does not have the appropriate certification in the DoD’s Supplier Performance Risk System (SPRS), then the contractor will be ineligible for contract award.

CMMC Level 1 will be added to contracts where FCI only will be received or generated by the contractor. Level 1 will require organizations to annually self-assess and affirm their compliance with the 17 Level 1 practice requirements, which are composed of 59 assessment objectives.

CMMC Level 2 requires a triennial third-party assessment and annual affirmation of compliance with 110 practice requirements, which are composed of 320 assessment objectives. Level 2 also expands the type of information system assets that are in scope for assessment, compared to Level 1.

CMMC Level 3 requires an existing Level 2 certification, and contractors will be assessed by the DoD for compliance against an additional 24 practice requirements. Level 3 also expands the type of information system assets that are in scope for assessment, compared to Level 2.

Readiness Preparation

By most estimates, organizations are likely to require 12-18 months to prepare for a Level 2 assessment. With the CMMC final rule likely taking effect during the first half of 2025, New Jersey DoD contractors who wish to participate on new DoD contracts should start preparing as soon as possible.

New Jersey Top DoD Spending Locations

Newark CMMC Services

Many Newark DoD contractors will need assistance performing initial assessments to uncover issues, establish corrective actions, and chart a path toward CMMC readiness.

The CMMC is complex: ML 3 contains 381 discrete cybersecurity requirements spread among 130 practices, and 310 policy/procedure requirements spread among 51 process maturity requirements. Our team has almost 20 years of experience providing cybersecurity compliance services across many complex frameworks, such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others. As a CMMC Registered Provider Organization (RPO), our team can help DoD prime and subcontractors with the following:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Assistance with Remediating Gaps Identified during Readiness Assessment
  • Assistance with NIST SP 800-171 Self-Assessment that is recorded in Supplier Performance Risk System
  • Creating System Security Plans (SSP)
  • Creating Plans of Action and Milestones (POA&M)


CMMC Readiness: De-Risk Your Compliance

Security Compliance = Secure Client Base

Scott McAuliffe and Chris Moschella provide an overview of the CMMC requirements and share readiness strategies that can help you reduce noncompliance risk, regardless of where you are in your readiness process.

December 18th, 2024 Webinar Recording

CMMC Frequently Asked Questions

All DoD contractors and subcontractors, and adjacent industries (e.g., cloud service providers (CSP) and External Service Providers (ESP) like MSPs, MSSPs) handling FCI, CUI, or SPD.

  • FCI. Federal Contract Information – Information not intended for public release that is provided by or generated for the Government. Excludes simple transactional information and information provided by the Government to the public.
  • CUI. Controlled Unclassified Information – Unclassified information created or possessed by, for, or on behalf of Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
  • SPD. Security Protection Data – Data stored or processed by Security Protection Assets (SPA) that are used to protect a contractor’s assessed environment.

The only exemption to CMMC requirements is for a company that exclusively provides commercial off-the-shelf (COTS) products, for example, a subcontractor that only provides software licensing to a prime contractor who provides IT services to the Government.

Companies cannot receive a CMMC waiver; however, the Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) can approve waivers of the CMMC assessment requirements for specific RFPs. Expect these waivers to be exceptionally rare.

Level 1
  • Data handled: Only FCI
  • Framework: FAR 52.204-21
  • 59 Assessment Objectives
  • Assessment: Annual self-assessment
  • Annual Affirmation

Level 2
  • Data handled: CUI
  • Framework: NIST 800-171
  • 320 Assessment Objectives
  • Assessment: Triennial self-assessment (only applicable if the CUI handled is outside the National Archives CUI Registry Defense Organization Index Grouping) or triennial assessment performed by a C3PAO
  • Annual Affirmation

Level 3
  • Data handled: CUI
  • Framework: Select Controls in NIST 800-172
  • 320 Assessment Objectives + 24 Additional Controls
  • Assessment: Triennial assessment performed by government
  • Annual Affirmation

Identify the Type of Data You Handle – The required CMMC level depends on whether your organization processes Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) responsive to a DoD contract.

Review Your DoD Contracts & RFPs – Your contracts and request for proposals (RFP) may specify the required CMMC level. Pre-CMMC contracts may include requirements to implement the security requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, by including DFARS clause 252.204-7012, which indicates at least Level 2 requirements.

Review documents received – Do the documents you receive have CUI markings in the header or footer? Do the documents received or produced fall into the National Archives CUI Registry Defense Organization Index Groupings? Contracts with DoD CUI will require at least a Level 2 Certification assessment performed by a C3PAO. Contracts with only non-DoD CUI will require a Level 2 Self-Assessment.

Consult your prime contractor (if applicable) or DoD contact – check with the prime contractor or DoD contact on what CMMC level is required under the contract.

  1. Identify Scope – Determine if you handle FCI and/or CUI, where it resides on your network, and who has access (including third-party providers such as MSPs and Cloud Service Providers).
  2. Conduct a Gap Assessment – Compare your current security posture against your CMMC Level requirements.
  3. Remediate Gaps – Implement missing controls, update policies, and implement the necessary technologies.
  4. Assessment Preparation – Prep employees for the assessment and validate compliance with CMMC security requirements. Assemble documentation and validate the finality of all policies and procedures.
  5. Engage a C3PAO (if required) – Interview and engage a C3PAO.

What applies when utilizing an External Service Provider (ESP) depends on what the ESP processes, stores, or transmits, and on whether the ESP is a CSP:

  • CUI (with or without SPD)
      – ESP is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012 (FedRAMP Moderate or Higher Authorized or Equivalent).
      – ESP is not a CSP (e.g., MSP, MSSP): The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as part of the OSA’s assessment.
  • SPD (without CUI)
      – ESP is a CSP: The services provided by the CSP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets.
      – ESP is not a CSP (e.g., MSP, MSSP): The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets.
  • Neither CUI nor SPD
      – In either case: A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

MSPs and MSSPs that support many DoD contractors may find it more economical to obtain a CMMC assessment as a way to reduce the time spent supporting multiple customer assessments.

CMMC Level 1 and Level 2 Self-Assessment requirements will appear in new solicitations on the “effective date.” Two Federal rules must be final and effective for the CMMC program to take effect; they are referred to as the Title 32 Rule and the Title 48 Rule. The Title 32 Rule, which sets out the requirements for the CMMC program, is final and effective. The Title 48 Rule, which instructs DoD to include CMMC requirements in its contracting process, is not yet final; 60 days after it is published, it too will become effective, and that date will be the “effective date.” One year after the effective date, Level 2 Certification requirements will appear, as required, in new solicitations. Two years after the effective date, Level 3 Certification requirements will appear, as required, in new solicitations.

Contact Our CMMC Team

Keiter provides CMMC readiness assessments and remediation services to DoD contractors across Newark and the State of New Jersey. If you are interested in learning how we can assist your organization, complete the form below and a team member will follow up promptly.


About New Jersey DoD Contractors

New Jersey’s Department of Defense (DOD) contractors are essential contributors to national security and technological innovation. The state is home to a robust community of defense contractors specializing in various fields, including aerospace, technology, cybersecurity, and research and development.

These contractors collaborate closely with DOD agencies and military installations like Joint Base McGuire-Dix-Lakehurst and Picatinny Arsenal. They play a vital role in developing cutting-edge defense technologies, systems, and solutions, contributing significantly to the nation’s defense capabilities.

New Jersey’s DOD contractors also have a significant economic impact on the state by creating jobs and fostering innovation. Their commitment to excellence and their partnership with the military help ensure that the United States remains at the forefront of military technology and readiness. New Jersey’s defense contractors play a pivotal role in supporting national defense efforts while driving economic growth and technological advancement within the state. The area codes used in Newark (NJ) are 973 and 862.

National Reach

We also provide CMMC services to Department of Defense Contractors in Alabama, Arizona, Colorado, Florida, Hawaii, Illinois, Mississippi, New Hampshire, Pennsylvania, Maine, Rhode Island, Massachusetts, New York, North Carolina, South Carolina, Texas, Vermont, the State of Washington, and Washington D.C.
