CMMC Certification Preparation for DoD Contractors
What is CMMC?
- The Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard designed to ensure protection of information in future DOD acquisitions as it is critical to maintaining national security.
- It is intended to protect and prevent unauthorized access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the DOD supply chain and Defense Industrial Base (DIB).
- The CMMC Program will assess and verify the institutionalization and maturity of cybersecurity practices and processes of DOD contractors via a third-party assessment.
How does my company obtain/achieve a CMMC level certification?
- Companies will coordinate directly with a certified independent CMMC Third-Party Assessment Organization (C3PAO) to request and schedule a CMMC assessment.
- As of October 31, 2020, a CMMC Audit Standard has not yet been finalized or published, and only a handful of Assessors or C3PAOs are formally accredited or certified to conduct an official assessment.
- Once the assessment process is finalized, upon successful demonstration of the appropriate capabilities and organizational maturity, the organization will receive the corresponding CMMC level certification.
- Certifications are expected to be valid for 3 years.
How is the CMMC Model organized?
- The CMMC Model framework organizes processes and cybersecurity best practices into a set of domains; CMMC Model v1.02 encompasses:
  - 43 capabilities across 17 capability domains
  - 5 processes across 5 levels to measure process maturity
    - Processes range from Level 1 (Performed) up to Level 5 (Optimized) across the organization (see Figure 1).
  - 171 practices across 5 levels to measure technical capabilities
    - Practices range from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive) (see Figure 1).
- In order to meet a specific CMMC level, an organization must meet the practices and processes within that level as well as those below it.
- Once implemented, offerors will be required to hold a CMMC certificate at a specified level or higher to be eligible for award on DOD solicitations.
Who will be impacted by CMMC?
- All prime contractors and subcontractors doing business with the DOD; this includes IT service providers, accountants, consultants, landscapers, janitorial services, and others.
What is the timeframe for CMMC?
- CMMC requirements will begin to appear in DOD solicitations in FY 2021; an estimated 300,000+ DOD contractors will be affected.
- The DOD recently issued an interim rule, effective November 30, 2020, which updates the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the assessment methodology and CMMC framework for DOD procurements, and adds a new requirement for cybersecurity assessment under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.
- Under the proposed rule, contracting officers must verify that an offeror has a current NIST SP 800-171 (110 controls) DOD Assessment on record, prior to contract award, for applicable solicitations.
- Assessment scores must be posted in the Supplier Performance Risk System (SPRS).
- CMMC requirements are expected to be fully implemented in DOD contracts in FY 2026.
How is Sawdey well-positioned to help your organization prepare for CMMC?
- We have a dedicated team of cybersecurity experts actively reviewing all CMMC developments.
- We are a Capability Maturity Model Integration for Services® (CMMI-SRV) Maturity Level 3 (ML3)-appraised company following International Organization for Standardization (ISO) 9001 certified processes.
- Our experience in obtaining our CMMI and ISO certifications has provided firsthand knowledge and experience that is incredibly valuable in helping other companies obtain their CMMC certification.
- We have been selected by a major university as a partner responsible for educating suppliers on the CMMC Standard and requirements within the state of Ohio.
- Through this partnership, we provide cybersecurity subject matter expertise in support of content development, delivery of seminars, working groups, and roundtable discussions.
Specifically, what CMMC services can Sawdey provide your organization?
- Identification of the needed CMMC level based on current DOD work, CUI being handled, and existing contract clauses.
- Pre-Assessment Gap Analysis – a comprehensive pre-assessment of your organization’s cybersecurity posture, identifying any deficiencies against the current NIST standards, the CMMC Standard, and DFARS cybersecurity requirements.
- Risk Mitigation Strategies – strategies to eliminate or reduce cybersecurity risks.
- Documentation/Deliverables – including, but not limited to, System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies and plans, etc.
- Quality Analysis – additional assessment(s) to evaluate progress and address any outstanding POA&Ms.
- Education – initial and continuous guidance as DOD cybersecurity standards and policies evolve.
Pass Your Upcoming CMMC Audit with Confidence
Sawdey is helping DOD suppliers throughout the U.S. navigate the complexities of CMMC with ease and confidence.
To gain a competitive advantage in these evolving times, consider being proactive in taking the first step in preparation for the CMMC audit. With us, you can achieve a high-quality evaluation of your current cybersecurity posture and learn how best to obtain CMMC certification at the level most in line with your current and future business objectives.