cmmc

top priority for the DoD

why cmmc

department of defense (DoD) cyber mandate for the defense industrial base (DIB)

The DIB is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements.

The DIB is the target of increasingly frequent and complex cyberattacks. Therefore, the DoD mandated CMMC 2.0 to protect American ingenuity and national security information. Safeguarding the information that supports and enables our warfighters is our patriotic duty and responsibility.

what is cmmc

cybersecurity framework

DoD implementation of CMMC

CMMC is the DoD's information security requirement for its DIB partners. It is about cybersecurity policies, procedures, and accountability. It is a framework and assessment program to increase information security compliance with NIST (National Institute of Standards and Technology) 800-171 in order to protect our military's supply chain.

The CMMC program is designed to enforce the protection of sensitive controlled unclassified information (CUI) that the DoD shares with its contractors and subcontractors. It also assures the DoD that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process sensitive unclassified information.

who does cmmc apply to

mandatory for all DoD contractors

and all subcontractors in the DoD supply chain

A DIB contractor/subcontractor whose unclassified networks process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to be CMMC certified.

FCI is information not intended for public release and is generated for a contract to develop or deliver a product or service to the Federal Government.

CUI, although unclassified, is created or collected by the Government and therefore is sensitive and requires protection.

framework

cmmc 2.0 program

three key features

(1) Three tiers: Levels 1-3, based on the type and sensitivity of the information

(2) Assessments that verify the organization has implemented the mandatory cybersecurity controls

(3) Certification, which is required for contract award

cmmc

3-tiered model

foundation

level 1

FCI - Federal Contract Information - not critical to national security but must be secured

CMMC Level 1 is the lowest level of security controls required for a defense contractor.

Cybersecurity best practices are required to safeguard Federal Contract Information (FCI). Annual cybersecurity assessments assure the DoD that sensitive information shared with the DIB is adequately protected.

The DoD requires DIB contractors to perform a self-assessment against 17 security practices, then register their self-assessments and affirmations in the Supplier Performance Risk System (SPRS) annually. It is highly recommended that you consult with an expert to ensure that you are in compliance. If your organization fails the assessment and is eligible for a Plan of Action & Milestones (POA&M), you will need to hire a CMMC consultant to remediate.

Our goal is to establish an affordable CMMC program so that Level 1 Organizations Seeking Certification (OSCs) can self-assess each year afterward and not require our services further after the initial engagement. CMMC certification can be difficult, but should not "break the bank" if you team with the right partner.

Learn how.

advanced

level 2

CUI - Controlled Unclassified Information - information critical to national security

Contractors handling Controlled Unclassified Information (CUI), information critical to national security, will be required to be assessed by a third party for prioritized CUI; for nonprioritized CUI, they may self-assess. Prioritized refers to the type of DIB contract, based on the DoD's urgency or need.

Level 2 has more security controls due to the advanced nature of the sensitive information involved, CUI. Your organization will be assessed against 110 controls. Achieving Level 2 compliance is an extensive process; the effort depends on the complexity of your environment and the sensitivity of your data. A typical assessment prep takes six months, but it can be shortened if your organization is already compliant with NIST or ISO 9001 / ISO 27001 standards.

Discuss your current environment with our Certified CMMC Professionals (CCPs), who have 20 years of experience in information security, 20 years in regulatory compliance, and 30 years in information technology.

Contact us with your questions.

expert

level 3

CUI - from Advanced Persistent Threats (APTs) - highest priority

The DoD intends for Level 3 cybersecurity requirements to be assessed by the Defense Industrial Base Cyber Assessment Center (DIBCAC) every three years; the Level 3 requirements are currently under development.

cmmc process

assessment process

overview

The CMMC phases: The CMMC Accreditation Body (Cyber AB) is the certifying body for Organizations Seeking Certification (OSCs). The CMMC Assessors and Instructors Certification Organization (CAICO) accredits CMMC Professionals. To prevent conflicts of interest, whoever prepares an OSC cannot also perform the audit.

Contractors/subcontractors seeking assessment are called an Organization Seeking Certification (OSC).

This is the process:

  • Find a CMMC Certified Professional (CCP) on the Cyber AB Marketplace
  • Prepare for certification - performed by a CCP
  • Collection and examination of evidence: interviews, controls examined and tested, policies updated, dashboard provided for score and self-assessment
  • Assessment is scheduled: by a C3PAO, performed by a CCA
  • Assessment results: Pass, POA&M, or Fail
  • If your organization does not pass the assessment but has met 80% of the mandatory controls required, the OSC is eligible to remediate the controls not met under a Plan of Action and Milestones (POA&M).
  • You are given 180 days to remediate your gaps.
  • If you fail and are not POA&M eligible, you will need to get in the queue again and start the preassessment/assessment process all over again.
  • After review, the assessment is submitted via the Supplier Performance Risk System (SPRS) report (required annually) into CMMC eMASS, which the DoD can access.

Our Certified CMMC Professionals prepare your organization for the CMMC assessment, which makes your actual certification with a C3PAO go much more smoothly, so that there are no surprises or delays in your certification. We can then refer you to a certified C3PAO, or you can go to the marketplace.

To ensure that you are engaging with a Certified CMMC Professional, go to the official Cyber AB Marketplace. The CMMC process is arduous and costly if not planned properly from the beginning. Take the assessment very seriously, especially when performing a self-assessment. Unlike a resume, which can be inflated and will not be checked, your self-assessment will be fact-checked, and the officer who signs off will be under oath and subject to the US False Claims Act, punishable by hefty fines, imprisonment, and loss of the contract and future contracts. In 2022, False Claims Act settlements and judgments exceeded $2 billion, and during the same period the government paid out over $488 million to the whistleblowers who exposed fraud and false claims.

Note: your IT department or third-party Managed Service Provider (MSP) may not be acceptable to the DoD to prepare your organization for CMMC unless you have an accredited CMMC Professional on staff. Per the DoD, only accredited professionals listed on the Cyber AB Marketplace are eligible to prepare and assess for certification.

Assessment is required every three years or annually, depending on your particular environment. This process is very documentation-heavy, so we recommend having a CCP check your self-assessment or perform a preassessment for you.


Ready to get started?


what is the cost?

depends on many factors

cmmc ccp

strategic partnerships

reasonable and affordable

Without knowing the existing control environment, the type of contracts and types of FCI/CUI, and the Maturity Level, cost cannot be estimated on the fly. Each company is unique, and therefore, each quote is customized for its particular environment.

Level 1 requires only 17 controls, Level 2 has 110 controls, and Level 3 builds on that. Cost depends on many factors, such as the organization's size, asset inventory, complexity of the infrastructure, tech stack, network complexity, sensitivity of the information, and current level of information security.

We recommend not investing in expensive hardware that may be non-compliant within a few years. Instead, we offer an inexpensive compliance dashboard that you can turn on and off when needed, so that you are not committed to unnecessary subscription costs. Our goal is to prepare your organization for a CMMC audit in the most cost-efficient manner.

A consultation to discuss your organization's environment will be required to determine an estimate.

Our goal is transparency, collaboration, and affordability.

Let's get started.