The Department of Defense (DoD) released in January 2020 the Cybersecurity Maturity Model Certification (CMMC), adding a verification component for a contractor’s ability to protect Controlled Unclassified Information (CUI). The CMMC control framework builds off the existing DoD NIST 800-171 controls with added controls to address updated requirements. The certification will be required for all organizations in the supply chain performing work, or proposing on work, for the Department of Defense (DoD). Depending on the level of access to the Controlled Unclassified Information (CUI), each task order will define what level of certification is required (Level 1 to Level 5).
The first step in the process is to go through a CMMC Readiness Assessment to determine how your organization is meeting the requirements and what needs to be done before a certifier arrives to audit the environment. Following the readiness review, the organization can focus on remediation efforts, improving the environment, and making sure they are prepared for a certification audit. Prime contractors are already working through the process and are pressuring their subcontractors to take the necessary steps to meet or exceed requirements in preparation for the certification. Smaller subcontractors will be included in the process over the next 12 to 18-months. If your organization is in the supply chain for the DoD, it is time to prepare for CMMC.
How We Help
RubinBrown’s team of experienced professionals can help your organization by:
- Readiness Scoping
- Identifying and documenting the scope of the standards to your environment
- Augmenting your IT department with specialists who convert your knowledge of your environment into the requirements to meet the standards
- Readiness Assessment
- Working with your team to assess your readiness over a 3 to 4-week period addressing approximately 130 controls and planning the remediation effort
- Assisting with planning, tracking, and performing remediation, as needed, working directly with your team
- Certification Preparation & Support
- Prepare your team for the C3PAO (Third-Party Certifier) to audit your environment and interface with the certifier if any clarifications are needed during their audit
- Post-Certification Support & Consulting
- Review internal and external changes to your environment along with consulting on updated DoD requirements
- CMMC Managed Service
- Outsource the ongoing effort to stay complaint with CMMC policy and implementation changes
The deliverables from the effort include:
- Management Reporting
- Company-Level Risk Assessment Report for your headquarters and remote locations
- Gap Analysis and Recommendations for Technology, Human Capital and Policies
- CMMC Remediation Roadmap
- NIST SP 800-171 & CMMC Remediation Roadmap, including the following Government Requirements and Certification Guidelines:
- NIST 800-171 Reports (Existing Requirement)
- NIST 800-171 System Security Plan (SSP)
- NIST 800-171 Plan of Actions and Milestones (POA&M)
- NIST Cybersecurity Framework (CSF) for Critical Infrastructure (As Required)
- Cross-Over Audit for Additional Frameworks
- Reports will highlight controls that cross-over to additional frameworks beyond the DoD CMMC, NIST 800-171, NIST CSF including ISO, PCI-DSS among others
Drawing from our experience developing SSPs and POA&Ms, assisting our clients with compliance remediation plans, and years of experience in the industry, we help our clients through the preparation phase, so they are ready when it is time for the formal certification audit.
To schedule the scoping of your current environment in preparation for the readiness assessment, please complete the form below and a member of our team will contact you soon.