CMMC Compliance – Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) independent verification model designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIB) systems and networks.

CMMC Model 2.0 is more than checking off security controls from NIST SP800-171. Earning CMMC Level 2 Certification requires a good grasp on how to weave through specific requirements, such as scoping your environment, developing a detailed System Security Plan, and instituting appropriately shared responsibility matrices (SRM), to name a few.

The DoD is encouraging DIB contractors to improve their cybersecurity posture before the Final Rule is published around May 2023.  SecureStrux’s™ expert CMMC consultants are here to help you achieve and maintain CMMC compliance.  We have Certified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP) available to help you on your journey to CMMC compliance and certification. We have a CCA, who has undergone a formal assessment for a CMMC Level 3 certification (Model 1.0), and has insight into how CMMC practices are evaluated. Our team of CMMC professionals assists you with understanding the comprehensive CMMC assessment process and prepares you for a successful CMMC assessment.

CMMC Asessment – Preparing for Your Audit

We recognize that CMMC has created a number of questions for you and your team, such as:

We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only walk you through the CMMC assessment process, but we can also provide a gap analysis, develop your key documentation, assist with remediation, and provide continuous monitoring to maintain your compliance.

Recommended Steps You Can Take on our Path to CMMC Compliance:

1. Configure your existing environment or build a new environment to NIST 800-171 and CMMC compliance standards. 

2. Develop a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M).

3. Determine the budget required for preparing for and maintaining CMMC compliance.

4. Conduct a self-assessment.

5. Hire an independent consultation to conduct a CMMC / NIST SP 800-171 gap analysis (after all, it is tough to see the forest through the trees).

6. Remediate the known gaps before scheduling for the formal CMMC assessment for certification.


Flexible Services for Your CMMC Needs

No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.

CMMC 2.0 Explained

The intent of CMMC 2.0 is to reduce impact to the DIB with:

DFARS Clauses are still effective


CMMC Gap Analysis

This is your first step in preparing for CMMC compliance. We will perform a traditional CUI gap analysis with all 110 controls in NIST SP 800-171, along with an analysis of your preparedness to meet CMMC compliance requirements.  We will also assist with determining your SPRS score

Depending on your organizational layout and infrastructure, we will complete the compliance assessment onsite or through remote access. Upon completion of the CMMC gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. Also, we will have an executive-level briefing addressing significant concerns.


CMMC System Security Plan (Policies & Procedures) Engagement

For organizations that have more robust IT knowledge, we will work alongside the organization’s stakeholders to manage the compliance documentation, policies, and procedures while they implement the CMMC practices (security controls).

The SSP Engagement includes writing and maintaining the CMMC SSP Plan based on the organization’s architecture to isolate CUI.   We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.


Assured Defense – Managed Security Support Plan

For organizations in need of a more hands-on approach, we can manage and implement any part of your CMMC compliance transition. Our Assured Defense Plan is a menu style offering where you decide what services work best for your organization’s needs. The Assured Defense Plan provides solutions and drafts a POA&M to track the progress. Our team will create and maintain your SSP policies and procedures with monthly and quarterly updates to meet the NIST SP 800-171 and CMMC compliance requirements.  We will assist with determining your SPRS score. In addition, our continuous monitoring will include audit reviews, vulnerability management, anti-malware / firewall monitoring and management, and web filtering monitoring. As needed, we will implement and configure hardware and software to meet CMMC compliance.

Build Your Path to CMMC Compliance Success

Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements. Learn more.

Controlled Unclassified Information (CUI) is sensitive, but unclassified, information that the government requires its handlers to keep safe. The handlers of CUI include private defense contractors. CUI was born out of the fact that agencies and services have different ways of managing sensitive unclassified information.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

There are strict rules concerning dissemination of CUI. CUI requirements are currently outlined only by NIST-800-171. It is regulated by the Information Security Oversight Office (ISOO) that as part of the National Archives, was established in September 2016 with an executive order from President Barack Obama. Commonly, it’s contractually obligated through the DFARS Clause 252.204-7012. As of October 2020, Executive Order 13556 and 32 CFR, part 2002 designates the National Archives and Records Administration (NARA) as CUI Executive Agent for the CUI Registry. Their guidance is binding.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

CUI is information that requires safeguarding or dissemination controls that’s consistent with applicable laws, regulations, and government policies. There are two main types of CUI: Basic and Specified. Examples of Basic CUI include Controlled Technical Information (CTI) and International Traffic and Arms Regulations (ITAR).

There are currently 24 categories of CUI, 92 sub-categories, and 110 types, all of which is detailed in the CUI registry. If the government wants to protect data that does not fall into one of those categories or types, they can add another category, sub-category, and type to the CUI registry.

Some of the data that falls into CUI territory includes:

  • Government financial information
  • Research data
  • Critical infrastructure plans & policies
  • Procurement & government supply information
  • Export control and restriction information
  • …and much more; you can find a complete list on the CUI Registry.

CUI can be digital, physical documents, representations, images, and items (parts). For example, CUI can be either electronic information stored on a PC or it can be a printed document. It can be a part, like a circuit board, or it could be an image of that board. You need to have the proper marking and protections in place.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

CUI does not include information that is lawfully publicly available without restrictions or classified information.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

Build Your Path to CMMC Compliance Success

Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.