CMMC Services

Helping your business adopt the CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that the Department of Defense (DoD) has instituted for prime contractors and subcontractors that want to provide products or services to the DoD.

History and Key Facts

History

  • In 2016, Defense contracting regulations mandated compliance with NIST SP 800-171.
  • Compliance was achieved via self-certification.
  • Self-certification was determined to be insufficient.
  • CMMC builds on this by providing a tiered, maturity-focused compliance framework with a requirement for external certification.
  • In December 2020, the DoD published the first set of CMMC assessment requirements (applicable to Level 1 and Level 3 contracts).

Key Facts

  • DoD contractors will need to retain a CMMC Third Party Assessor Organization (C3PAO) to perform the assessment.
  • The CMMC Accreditation Body is in the process of vetting C3PAOs.
  • CMMC requirements will not likely start to appear in contracts until there are enough C3PAOs to perform the assessments (likely mid-2021).
  • The CMMC Accreditation Body recommends at least six months to prepare.

The DoD is using a phased rollout of the CMMC program through September 30, 2025, at which time all solicitations will require compliance with CMMC. Prior to that time, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of a CMMC requirement in a solicitation.

CMMC Maturity Levels

The CMMC framework has five maturity levels (ML). ML-1 is the least rigorous, ML-5 the most. DoD expects that roughly 80% of DoD contracts will only require ML-1 compliance.

ML-1 will be required of contractors who only have access to Federal Contract Information (FCI). ML-3 or ML-5 will be required of organizations that generate or receive Controlled Unclassified Information (CUI). ML-2 and ML-4 are transitional stages, and we do not expect those levels to be required in contracts.

DoD will specify the certification required of the prime contractor in the government's request for proposal (RFP), based on the type of information the prime contractor generates or is provided under each contract. The prime contractor determines the compliance level required of its subcontractors. If a prime contractor does not hold the required certification at the time of contract award, the company will simply be ineligible for award.

CMMC Maturity Levels at a Glance

Level 1 (Performed): Basic Cyber Hygiene. Safeguarding of Federal Contract Information (FCI).
Level 2 (Documented): Intermediate Cyber Hygiene. Transition step to protecting Controlled Unclassified Information (CUI).
Level 3 (Managed): Good Cyber Hygiene. Protect Controlled Unclassified Information (CUI).
Level 4 (Reviewed): Proactive Cyber Hygiene. Protect CUI and reduce risk of Advanced Persistent Threats (APTs).
Level 5 (Optimizing): Advanced/Progressive Cyber Hygiene. Protect CUI and reduce risk of Advanced Persistent Threats (APTs).

What DoD Contractors Need to Do

DoD contractors need to ensure they are certified at the appropriate level when their current contracts come up for rebid or when they expect to bid on new contracts.

DoD contractors first need to determine the CMMC Maturity Level with which they must comply. Contractors should review their current contracts and speak with their contracting officers, contracting officer's technical representative (COTR), or other DoD representative to determine what type of information (CUI vs. FCI) the government considers the contractor to handle.

Once the Maturity Level is determined, contractors should perform an assessment to determine whether there are any CMMC requirements for that Maturity Level that they are not meeting. If gaps are identified, the contractor needs to implement corrective actions to resolve them.

Additionally, if not already performed, DoD contractors will need to perform a self-assessment against NIST SP 800-171 and self-report the result in the DoD Supplier Performance Risk System (SPRS).

Keiter CMMC Services

Many DoD contractors will need assistance in performing their assessments, identifying gaps, and developing corrective action plans. Keiter's Risk Advisory Services team has been providing cybersecurity services and consulting on the major IT security frameworks, such as NIST SP 800-171, NIST SP 800-53, and HIPAA, for close to 20 years. Our team can help DoD prime contractors and subcontractors with the following:

  • Readiness Assessments and Gap Analyses Against the CMMC Framework
  • Assistance with Remediating Gaps Identified During the Readiness Assessment
  • Assistance with the NIST SP 800-171 Self-Assessment that is Recorded in the Supplier Performance Risk System (SPRS)

Contact

How Can We Help You and Your Business?

Innsbrook Corporate Center
4401 Dominion Boulevard
Glen Allen, Virginia 23060

804.747.0000 or 804.273.6200