Cybersecurity Maturity Model Certification (CMMC)

Washington D.C. Department of Defense (DoD) contractors and subcontractors will soon be required to comply with the new Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements. The CMMC program is intended to better enforce cybersecurity requirements across the defense industrial base (DIB) to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Three CMMC Maturity Levels (ML)

Once implemented, DoD contract solicitations will indicate the required maturity level for the winning contractor. If a contractor does not have the appropriate certification in the DoD’s Supplier Performance Risk System (SPRS), then the contractor will be ineligible for contract award.

CMMC Level 1 will be added to contracts where FCI only will be received or generated by the contractor. Level 1 will require organizations to annually self-assess and affirm their compliance with the 17 Level 1 practice requirements, which are composed of 59 assessment objectives.

CMMC Level 2 requires a triennial third-party assessment and annual affirmation of compliance with 110 practice requirements, which are composed of 320 assessment objectives. Level 2 also expands the type of information system assets that are in scope for assessment, compared to Level 1.

CMMC Level 3 requires an existing Level 2 certification, and contractors will be assessed by the DoD for compliance against an additional 24 practice requirements. Level 3 also expands the type of information system assets that are in scope for assessment, compared to Level 2.

Readiness Preparation

By most estimates, organizations are likely to require 12-18 months to prepare for a Level 2 assessment. With the CMMC final rule likely taking effect during the first half of 2025, Washington DC DoD contractors who wish to participate on new DoD contracts should start preparing as soon as possible.

Washington D.C. CMMC Services

Many Washington D.C. DoD contractors will need assistance performing initial assessments to uncover issues, establish corrective actions, and chart a path toward CMMC readiness.

The CMMC is complex. ML 3 contains 381 discrete cybersecurity requirements spread among 130 practices, and 310 policy/procedure requirements spread among 51 process maturity requirements. Our team has almost 20 years of experience providing cybersecurity compliance services across many complex frameworks such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others. As a CMMC Registered Provider Organization (RPO), our team can help DoD prime contractors and subcontractors with the following:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Assistance with Remediating Gaps Identified during Readiness Assessment
  • Assistance with the NIST SP 800-171 Self-Assessment that is recorded in the Supplier Performance Risk System
  • Creating System Security Plans (SSP)
  • Creating Plans of Action and Milestones (POA&M)

CMMC Frequently Asked Questions

CMMC applies to all DoD contractors and subcontractors, and to adjacent industries (e.g., cloud service providers (CSPs) and External Service Providers (ESPs) such as MSPs and MSSPs) that handle FCI, CUI, or SPD.

  • FCI. Federal Contract Information – Information not intended for public release that is provided by or generated for the Government. Excludes simple transactional information and information provided by the Government to the public.
  • CUI. Controlled Unclassified Information – Unclassified information created or possessed by, for, or on behalf of Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
  • SPD. Security Protection Data – Data stored or processed by Security Protection Assets (SPA) that are used to protect a contractor’s assessed environment.

The only exemption to CMMC requirements is for a company that exclusively provides commercial off-the-shelf (COTS) products. For example, a subcontractor that only provides software licensing to a prime contractor who provides IT services to the Government.

Companies cannot receive a CMMC waiver; however, the Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) can approve waivers of the CMMC assessment requirements for specific RFPs. Expect these waivers to be exceptionally rare.

Level 1
  • Data handled: FCI only
  • Requirements basis: FAR 52.204-21
  • 59 Assessment Objectives
  • Annual self-assessment
  • Annual Affirmation

Level 2
  • Data handled: CUI
  • Requirements basis: NIST 800-171
  • 320 Assessment Objectives
  • Triennial self-assessment (only applicable if the CUI handled is outside the National Archives CUI Registry Defense Organization Index Grouping), otherwise Triennial assessment performed by a C3PAO
  • Annual Affirmation

Level 3
  • Data handled: CUI
  • Requirements basis: Select Controls in NIST 800-172
  • 320 Assessment Objectives + 24 Additional Controls
  • Triennial assessment performed by government
  • Annual Affirmation

Identify the Type of Data You Handle – The required CMMC level depends on whether your organization processes Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) responsive to a DoD contract.

Review Your DoD Contracts & RFPs – Your contracts and requests for proposal (RFPs) may specify the required CMMC level. Pre-CMMC contracts may include requirements to implement the security requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, by including DFARS clause 252.204-7012, which indicates at least Level 2 requirements.

Review documents received – Do the documents you receive have CUI markings in the header or footer? Do the documents received or produced fall into the National Archives CUI Registry Defense Organization Index Groupings? Contracts with DoD CUI will require at least a Level 2 Certification assessment performed by a C3PAO. Contracts with only non-DoD CUI will require a Level 2 Self-Assessment.

Consult your prime contractor (if applicable) or DoD contact – check with the prime contractor or DoD contact on what CMMC level is required under the contract.

  1. Identify Scope – Determine if you handle FCI and/or CUI, where it resides on your network, and who has access (including third-party providers such as MSPs and Cloud Service Providers).
  2. Conduct a Gap Assessment – Compare your current security posture against your CMMC Level requirements.
  3. Remediate Gaps – Implement missing controls, update policies, and implement the necessary technologies.
  4. Assessment Preparation – Prep employees for the assessment and validate compliance with CMMC security requirements. Assemble documentation and validate the finality of all policies and procedures.
  5. Engage a C3PAO (if required) – Interview and engage a C3PAO.
When the ESP processes, stores, or transmits CUI (with or without SPD):
  • ESP that is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012 (FedRAMP Moderate or Higher Authorized or Equivalent).
  • ESP that is not a CSP (e.g., MSP, MSSP): The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as part of the OSA’s assessment.

When the ESP processes, stores, or transmits SPD (without CUI):
  • ESP that is a CSP: The services provided by the CSP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets.
  • ESP that is not a CSP (e.g., MSP, MSSP): The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets.

When the ESP processes, stores, or transmits neither CUI nor SPD:
  • Whether or not it is a CSP, a service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

MSPs and MSSPs that support many DoD contractors may find it more economical to obtain a CMMC assessment as a way to reduce the time spent supporting multiple customer assessments.

CMMC Level 1 and Level 2 Self-Assessment requirements will appear in new solicitations on the “effective date.” Two Federal rules must be final and effective for the CMMC requirement to take effect; they are referred to as the Title 32 Rule and the Title 48 Rule. The Title 32 Rule, which sets out the requirements for the CMMC program, is final and effective. The Title 48 Rule, which instructs DoD to include CMMC requirements in its contracting process, is not yet final; 60 days after it is published, it too will become effective, and that date will be the “effective date.” One year after the effective date, Level 2 Certification requirements will appear, as required, in new solicitations. Two years after the effective date, Level 3 Certification requirements will appear, as required, in new solicitations.

CMMC Readiness: De-Risk Your Compliance

Security Compliance = Secure Client Base

Scott McAuliffe and Chris Moschella provide an overview of the CMMC requirements and share readiness strategies that can help you reduce noncompliance risk, regardless of where you are in your readiness process.

December 18th, 2024 Webinar Recording

Contact Our CMMC Team

Keiter provides CMMC readiness assessments and remediation services to DoD contractors in Washington D.C. If you are interested in learning how we can assist your organization, complete the form below and a team member will follow up promptly.

About Washington D.C.’s DOD Contractors

The defense contractor industry in Washington state is a significant component of both the local and national economy, underscored by its substantial contributions to the U.S. defense sector. Washington, known for its technological innovation and manufacturing capabilities, hosts a variety of defense contractors that specialize in aerospace, maritime systems, cybersecurity, and advanced technology development. This industry is bolstered by the presence of major companies like Boeing Defense, Space & Security, a leading global aerospace company, which plays a pivotal role in the region’s defense sector through the production of military aircraft, satellite systems, and advanced information and communication systems. Additionally, the state benefits from a network of smaller contractors and suppliers that contribute to the defense ecosystem, providing a range of services from engineering solutions to logistical support. These contractors collectively support the U.S. Department of Defense (DoD) in maintaining national security, underlining Washington’s strategic importance to military readiness and technological advancement. The synergy between the state’s robust technological sector and its defense contractors fosters innovation and ensures that the U.S. armed forces have access to state-of-the-art technologies and capabilities. The area codes used in Washington D.C. are 202 and 771.

National Reach

We also provide CMMC services to Department of Defense Contractors in Alabama, Arizona, Colorado, Florida, Hawaii, Illinois, Mississippi, New Hampshire, Pennsylvania, New Jersey, Maine, Rhode Island, Massachusetts, New York, North Carolina, South Carolina, Texas, Vermont, and the State of Washington.