What is CMMC?
Cybersecurity Maturity Model Certification (CMMC), developed by the U.S. Department of Defense (DoD), is a new requirement for DoD contractors and subcontractors that is verified by third-party certification. As a single standard applied across DoD contracts, CMMC is intended to ensure that appropriate cybersecurity practices and processes are in place to safeguard federal contract information (FCI) and controlled unclassified information (CUI) that defense contractors handle while performing DoD contracts. DoD Requests for Proposals (RFPs) will state the CMMC level (1-5) required for the risk profile of the work, and contractors and subcontractors will need proof of certification at that level in order to bid. CMMC requirements have begun to appear in select RFPs and will continue to roll out until full CMMC implementation in October 2025.
What are the CMMC levels and requirements?
The CMMC framework defines five certification levels, each requiring the demonstration of specific practices and processes. Each level builds on the controls of the level below it, progressing from the basic safeguarding of FCI (Level 1), to the protection of CUI (Level 3), to protecting CUI against advanced persistent threats (Levels 4 and 5):
How can CFONE help my company prepare for CMMC?
CFONE is a Registered Provider Organization (RPO), approved by the CMMC Accreditation Body (CMMC-AB) and bound by its professional code of conduct. Our team of CMMC-AB Registered Practitioners has decades of experience in cybersecurity compliance and will guide your company through the steps needed to prepare for your CMMC audit as simply, quickly, and painlessly as possible:
- Understand your company: We will work closely with you to build your high-level understanding of the CMMC requirements, determine the certification level you need, and understand the size and complexity of your IT environment. From there, we will develop a CMMC preparation plan tailored to your company’s current cybersecurity posture and goals.
- Assess and prepare:
- Our consultants will conduct a gap analysis of your current cybersecurity program, mapping it against NIST SP 800-171 and the CMMC controls required for the certification level your company is seeking.
- We will update your System Security Plan (SSP) to reflect the required CMMC controls and NIST SP 800-171, and create or update a Plan of Action & Milestones (POA&M) covering any deficiencies revealed during the gap analysis.
- Our team will provide guidance and hands-on assistance to remediate the deficiencies tracked in the POA&M, sharing implementation best practices and ensuring the necessary policies, processes, and plans are in place.
- We will also take the lead in documenting your cybersecurity program and collecting the evidence and artifacts that demonstrate the required practices and processes are in place and meet or exceed CMMC requirements. Without this documentation, you cannot prove the maturity of your cybersecurity program to an auditor.
Our compliance experts provide a roadmap to help your company become CMMC compliant affordably, ensuring your cybersecurity practices are in place and documented in accordance with the framework. Cybersecurity compliance requirements can seem overwhelming or complicated when they’re not your area of expertise, but you don’t have to navigate them alone. We’re here to help: contact us today.