top of page
C3PAO Logo

CMMC

What is CMMC?

Cybersecurity Maturity Model Certification (CMMC) is coming. Businesses that perform work for the federal government are feeling the pressure to comply with standards for safeguarding, handling, and marking Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC) to help them secure the Defense Supply Chain (DSC). This model is based on companies being evaluated on the level of maturity of their cyber security practices and processes. The CMMC-AB has developed the “Ecosystem” to outline the various organizations and components.

The CMMC-AB is responsible for overseeing the training, certification of assessors and C3PAO organizations.. All DIB organizations will need to be certified at a level equal to or greater than the required level within their contract.

To be clear, the CMMC requirement is only that an OSC be assessed by a C3PAO, the C3PAO will evaluate the OSC's implementation of NIST SP800-171. 

 

Are you ready? Do you know what is required of your organization, whether you are a 3-person shop or a 3,000-person shop? The Maturity Level certification is a Pass/Fail assessment, this means you need to meet 100% of all practice areas.​

There are 3 levels of maturity that an organization may obtain a certification, these are:

  • CMMC Level 1: 17 Practices 

  • CMMC Level 2: 110 Practices (Based on NIST SP800-171) 

  • CMMC Level 3: 130 Practices (Level 2 + NIST SP800-172) 

Who is conducting CMMC Assessments?

There are a large number of RPs, RPOs and CCPs, while the number of CCAs is small it is growing. Companies are becoming Authorized as CMMC Third Party Assessor Organizations (C3PAO). The CMMC Ecosystem is starting to grow and preparation for the DoD CMMC requirement is under. CISEVE is an Authorized C3PAO and has a CMMC-AB accredited CCA on the team that can provide “prep” services that can assist you to identify your weak areas and what evidence you will need. If you are “ready” for an assessment, we can help you there too, we can conduct your independent assessment. Ethically, however we are only able to assist with either preparation or assessment.

Picture

When is CMMC being Implemented?

The CMMC requirement rollout will be determined by the DOD, as the Proposed Rule has been published as of 12/26/2023, There are estimated rollout dates and numbers of OSCs.

The Final Rule is due out sometime in 2024, the DoD will be allowing and providing incentives to OSC that participate in the Joint Surveillance Voluntary Assessment (JSVA) program.

Where is CMMC?

DoD DFARS clause (252.204.7021) which when added to a contract will require OSCs to be assessed by a C3PAO prior to award.  This certification process is to evaluate what level of maturity your organization's security program is at and whether you can properly secure FCI and CUI.

bottom of page