The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) independent verification model designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIB) systems and networks.

CMMC Model 2.0 will be replacing the maturity-based CMMC Model 1.0. While you may have heard that CMMC Model 2.0 “is nothing more than checking off security controls from NIST SP 800-171,” this is not an accurate statement. Becoming compliant with CMMC Model 2.0 requires a good grasp of how to work through specific CMMC requirements, such as scoping your environment, understanding reciprocity, and instituting appropriate shared responsibility matrices, to name a few.

The DoD is encouraging DIB contractors to improve their cybersecurity posture during the transition to CMMC Model 2.0. SecureStrux’s™ expert CMMC consultants are here to help you achieve and maintain CMMC compliance. We have a CMMC Provisional Assessor (PA), who has undergone a formal CMMC assessment for Level 3 certification, and a staff of CMMC Registered Practitioners (RP) onboard to assist you with understanding the comprehensive CMMC assessment process and to prepare you for a successful CMMC assessment.

Preparing for Your CMMC Audit

We recognize that CMMC has created a number of questions for you and your team, such as:

  • Are we ready for a CMMC assessment?
  • What do we need to do to get ready for a CMMC assessment?
  • What is the CMMC assessment process?
  • How do we scope our environment to meet CMMC standards?
  • Are our partners, such as managed service providers and cloud service providers, a part of our CMMC assessment?
  • What should our policies and procedures look like?
  • How do we complete and upload our mandated Supplier Performance Risk System (SPRS) score in accordance with DFARS 252.204-7019?

We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only walk you through the CMMC assessment process, but we can also provide a gap analysis, develop your key documentation, assist with remediation, and provide continuous monitoring to maintain your CMMC compliance.


Recommended Steps You Can Take on Your Path to CMMC Compliance:

  1. Configure your existing environment or build a new environment to NIST 800-171 and CMMC compliance standards.
    • Define clear roles and responsibilities.
    • Coordinate appropriate Shared Responsibility Matrices with service providers.
    • Understand how to scope your environment (isolate CUI) in accordance with CMMC requirements.
    • Ensure technical solutions meet CUI / ITAR requirements, such as incorporating Office 365 GCC High or other cloud providers to ease this process.
  2. Develop a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
    • Implement the security controls / CMMC practices in accordance with the SSP.
    • Manage the POA&M based on the planned controls as annotated in the SSP.
  3. Determine the budget required for preparing for and maintaining CMMC compliance.
    • Evaluate options, such as cloud services and/or managed services, to ease the resource (cost, manpower, etc.) burden of achieving and maintaining CMMC compliance.
  4. Conduct a self-assessment.
  5. Hire an independent consultant to conduct a CMMC / NIST SP 800-171 gap analysis (after all, it is tough to see the forest for the trees).
  6. Remediate the known gaps before scheduling the formal CMMC assessment for certification.

Flexible Services for Your CMMC Needs

CMMC Consulting

No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.


CMMC 2.0 Explained

  • The CMMC 2.0 model is streamlined from 5 levels to 3
  • Eliminates CMMC 1.0 Levels 2 & 4
  • Three levels of progressive sophistication
    • Level 1 (Foundational) – Federal Contract Information (FCI)
    • Level 2 (Advanced) – Controlled Unclassified Information (CUI)
    • Level 3 (Expert) – CUI
  • Level 3 for highest priority programs with CUI
  • Eliminates all CMMC unique practices & maturity processes
  • Mirrors NIST SP 800-171 & NIST SP 800-172
  • Level 2 is directly aligned with NIST SP 800-171
  • Level 3 is aligned with a subset of NIST SP 800-172
  • Allows limited use of Plan of Action & Milestones (POA&M)

The intent of CMMC 2.0 is to reduce impact to the DIB with:

  • Assurance of accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements;
  • Integration of a collaborative culture of cybersecurity and cyber resilience; and
  • Enhanced public trust in the CMMC ecosystem, while increasing overall ease of execution

DFARS clauses are still in effect

  • DFARS Clause 252.204-7012 (2017) (self-attestation of basic safeguarding requirements)
  • DFARS Clause 252.204-7019 (NIST SP 800-171 – Self Assessment) (SPRS)
  • DFARS Clause 252.204-7020 (NIST SP 800-171 – DoD Assessed by DCMA)
  • DFARS Clause 252.204-7021 (CMMC Certification) (Modified due to CMMC 2.0)

CMMC Gap Analysis


This is your first step in preparing for CMMC compliance. We will perform a traditional CUI gap analysis against all 110 controls in NIST SP 800-171, along with an analysis of your preparedness to meet CMMC compliance requirements. We will also assist with determining your SPRS score.

Depending on your organizational layout and infrastructure, we will complete the compliance assessment onsite or through remote access. Upon completion of the CMMC gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. Also, we will have an executive-level briefing addressing significant concerns.


CMMC System Security Plan (Policies & Procedures) Engagement


For organizations that have more robust IT knowledge, we will work alongside the organization’s stakeholders to manage the compliance documentation, policies, and procedures while they implement the CMMC practices (security controls).

The SSP Engagement includes writing and maintaining the CMMC SSP based on the organization’s architecture for isolating CUI. We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.


Assured Defense – Managed Security Support Plan


For organizations in need of a more hands-on approach, we can manage and implement any part of your CMMC compliance transition. Our Assured Defense Plan is a menu-style offering where you decide which services work best for your organization’s needs. The Assured Defense Plan provides solutions and drafts a POA&M to track progress. Our team will create and maintain your SSP policies and procedures with monthly and quarterly updates to meet the NIST SP 800-171 and CMMC compliance requirements. We will assist with determining your SPRS score. In addition, our continuous monitoring will include audit reviews, vulnerability management, anti-malware / firewall monitoring and management, and web filtering monitoring. As needed, we will implement and configure hardware and software to meet CMMC compliance.

Build Your Path to CMMC Compliance Success

Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.

CMMC Resources

CMMC Certification – Tips for Preparation

This is a transcript of the CMMC Certification webinar broadcast on October 7, 2020. This transcript was generated primarily…


What is CMMC?

What is CMMC (Cybersecurity Maturity Model Certification)? The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD)…


5 Reasons every DoD Contractor Needs A CMMC Assessment

Every year, the Department of Defense spends over 8.5 billion dollars on cybersecurity funding. For many of us, DoD…


4 Steps Your Organization Should Be Taking To Prepare for CMMC

The DoD officially released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) approach. Now, DoD contractors are running…


Managing CMMC compliance with an MSSP

Key Article Takeaways The Cybersecurity Maturity Model Certification (CMMC) will become the new standard for verifying cybersecurity controls and…


3 Ways Defense Contractors Can Improve Cybersecurity And Compliance

Key Article Takeaways Cybersecurity compliance is vital to successfully bidding on DoD contracts in 2020. CMMC level compliance must…


CMMC and Protecting the DoD Supply Chain

In less than a year, CMMC requirements will begin appearing in DoD RFIs and RFPs. Combining large organizational impact…


Managing CMMC for Defense Contractors

Hackers are targeting government organizations with increasing frequency, as shown by the U.S. Department of Defense (DoD) data breach…


About CMMC CUI

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements.

Controlled Unclassified Information (CUI) is sensitive, but unclassified, information that the government requires its handlers to keep safe. The handlers of CUI include private defense contractors. CUI was born out of the fact that agencies and services have different ways of managing sensitive unclassified information.

Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.

There are strict rules concerning dissemination of CUI. CUI requirements are currently outlined only by NIST SP 800-171. CUI is regulated by the Information Security Oversight Office (ISOO), which, as part of the National Archives, was established in September 2016 with an executive order from President Barack Obama. Commonly, it is contractually obligated through DFARS Clause 252.204-7012. As of October 2020, Executive Order 13556 and 32 CFR Part 2002 designate the National Archives and Records Administration (NARA) as CUI Executive Agent for the CUI Registry. Their guidance is binding.

CUI is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government policies. There are two main types of CUI: Basic and Specified. Examples of Basic CUI include Controlled Technical Information (CTI) and International Traffic in Arms Regulations (ITAR) information.

There are currently 24 categories of CUI, 92 sub-categories, and 110 types, all of which are detailed in the CUI Registry. If the government wants to protect data that does not fall into one of those categories or types, it can add another category, sub-category, and type to the CUI Registry.

Some of the data that falls into CUI territory includes:

  • Government financial information
  • Research data
  • Critical infrastructure plans & policies
  • Procurement & government supply information
  • Export control and restriction information
  • …and much more; you can find a complete list on the CUI Registry.

CUI can be digital, physical documents, representations, images, and items (parts). For example, CUI can be either electronic information stored on a PC or it can be a printed document. It can be a part, like a circuit board, or it could be an image of that board. You need to have the proper marking and protections in place.


CUI does not include information that is lawfully publicly available without restrictions or classified information.
