CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB).


What is CMMC (Cybersecurity Maturity Model Certification)?

The United States Department of Defense (US DoD) recognizes that information security is a foundational requirement for the Defense Industrial Base (DIB) supply chain. As such, the US DoD is committed to developing and requiring a consolidated cybersecurity standard that identifies required security practices and controls through the DoD acquisition process, beginning in late 2020.

This program, known as CMMC (Cybersecurity Maturity Model Certification), will define 5 levels of cybersecurity readiness, which all US DoD contracts will invoke on the DIB supply chain. It is estimated that over 300,000 DIB contractors will be affected throughout the 3 to 5 year roll-out, with most requiring a Level 1 through Level 3 certification.

The various levels of CMMC include increasing numbers of practices focused on the handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These levels are based on the sensitivity of the information to be protected and the associated range of threats that may be encountered. The processes and practices come from various existing cybersecurity standards and frameworks, including ISO 27001, NIST 800-171, and others.

  • Level 1 – Basic Cyber Hygiene (Performed) – 17 practices

  • Level 2 – Intermediate Cyber Hygiene (Documented) – 72 practices

  • Level 3 – Good Cyber Hygiene (Managed) – 130 practices

  • Level 4 – Proactive Cyber Hygiene (Reviewed & Improved) – 156 practices

  • Level 5 – Advanced Cyber Hygiene (Optimized) – 171 practices

Helps you with

  • US DoD Contract Compliance (FAR 52.204-21 & DFARS 252.204-7012)

  • Required to Obtain/Renew DoD Contracts

  • FCI and CUI Management

  • DIB Supply Chain Trust & Integrity

  • Cybersecurity Processes and Practices

  • Alignment to ISO 27001 Annex A Controls

Overview of CMMC practices

As with other cybersecurity standards, CMMC is organized into domains:

  • Access Control

  • Asset Management

  • Audit & Accountability

  • Awareness & Training

  • Configuration Management

  • Identification & Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Recovery

  • Risk Management

  • Security Assessment

  • Situational Awareness

  • System & Communications Protection

  • System & Information Integrity

CMMC builds on the existing regulations under DFARS 252.204-7012 by adding independent verification via a third-party audit and registration of an official CMMC Certification with the CMMC-AB (CMMC Accreditation Body).

Who is this standard applicable to?

  • US DoD Prime Contractors

  • US DoD Subcontractors

  • US Federal Contractors for other Departments/Agencies

  • Private Sector businesses seeking DoD work

Why choose NQA?

  • Early involvement with CMMC-AB and Working Groups

  • Existing Competence with ISO 27001 and NIST 800-171

  • Strong and growing stable of cybersecurity assessors

  • Business Unit presence in the DC Metro area

  • Experience with both large and small Federal contractors

  • Availability of CMMC Gap Assessment audits now!

NQA has been involved in the CMMC Working Groups since their inception in late 2019 and expects to become an accredited CMMC C3PAO (Certified 3rd Party Assessment Organization) once accreditation is available. In the meantime, NQA can help organizations prepare for CMMC by improving their understanding of the process and underlying requirements, and by offering gap assessment audits against the various CMMC levels.

Benefits of certification to CMMC

Meet DoD Contract Eligibility: CMMC levels will be specified on US DoD contracts; contracting organizations will need to hold the applicable CMMC certification prior to contract award. Organizations without CMMC certification may be disqualified from contracts requiring certified suppliers.

Meet Flow-down Requirements: CMMC requirements will apply to all DIB contractors throughout the supply chain. Prime contractors will be required to flow down the cybersecurity requirements included in CMMC. Most DIB subcontractors will need to achieve Level 1 or Level 3 certification, depending upon the type and nature of the information flowed down from the prime.

Improve Security Posture: The cybersecurity practices defined within CMMC have been carefully selected from globally recognized best practices from both the private and public sectors. In short, these concise and well-defined requirements give organizations of all sizes and shapes clarity on how to improve their cybersecurity posture.

“Allowable Costs”: CMMC certification costs have been deemed allowable, reimbursable costs under the FAR rules, as reasonable and allocable to the requiring contract. As such, organizations may be able to build the costs associated with certification into their contracts, thus subsidizing their overarching security posture improvements.

Confidence in a “Trust, But Verify” Methodology: Unlike existing NIST compliance, CMMC will require third-party verification of controls, giving an organization’s customers a greater sense of security and providing value throughout the supply chain. As CMMC flows through the supply chain, all parties will eventually have a common understanding and assurance of where organizations stand in relation to information (and thus supply chain) security.

Book your gap assessment

The Gap Analysis is a tool that identifies the gaps and therefore enables you to put together an action plan to gain successful certification. It can also provide a reality check as to where you are in the process, helping with planning resources and timeframes.

The resulting report will enable your business or organization to implement a plan to remedy these gaps in readiness for the mandatory initial audits for certification.

Ready to start your journey?

We'll give you a clear indication of the costs of gaining and maintaining certification.
Not ready yet? Call us at (800) 649-5289 or request a call back to discuss your certification requirements.