Secure Your Business and Defense Contracts
Get backup from our team of security and compliance experts to prepare your organization for meeting CMMC standards.
Cybersecurity Maturity Model Certification
What is the CMMC?
Prepare your security program to meet future DoD requirements
The CMMC (Cybersecurity Maturity Model Certification) outlines the information security requirements the DoD enforces on its DIB partners.
It is the defined set of requirements for any DoD contractor that receives, stores, processes, or transfers any type of CUI (Controlled Unclassified Information). The CMMC is made up of 3 different tiers according to the level of information that is used to fulfill the contract. Depending on the CMMC level that is required in the contract, third-party assessments may be required.
How does FRSecure approach CMMC?
It is vital for any DIB partner to know exactly where they stand on the CMMC information security requirements. Reporting false or inaccurate information in the SPRS system or while bidding can severely hinder an organization’s ability to bid on federal jobs in the future.
FRSecure uses the latest information available from the DoD and the CMMC-AB, along with several CMMC RPs (Registered Practitioners) to help its clients make sure they are ready for a CMMC assessment. We help with scoping, develop roadmaps, and walk you through each control that is required to be compliant, all while ensuring your information security program is as robust as possible in the process.
Level 1 focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause.
Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21.
Self-assessment will be allowed at this level.
Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2.
Self Assessment may be allowed at this level as well.
Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.
The CMMC was created by the US Department of Defense as a way to have more control over their vendor and contractor security.
If you’re a part of the DIB supply chain or if you’re a service provider for the DoD, this will need to be something you comply with. Every contract the DoD enters will eventually have CMMC requirements. It’s anticipated that 350,000 vendors down the supply chain of the DoD will be impacted by this.
Your CMMC requirements will depend on the type of contract you’re trying to participate in. With three levels of increasing security controls, it’s likely that the impact of the contract on the defense industry will decide which of the levels you’ll need to comply with.
The CMMC model consists of 17 domains in level one, 110 practices in level two, and 110+ in level three stemming from areas in Federal Information Processing Standards (FIPS) Publication 200, Federal Acquisition Regulation (FAR) 52.204-21., and NIST SP 800-171. CMMC also includes asset management, recovery, and situational awareness.
Specific controls are assessed based on the CMMC level that the contract requires.
The best way to ensure compliance with the CMMC model is to establish a POA&M and SSP and then determine any gaps in your existing information security program.
Based on the POA&M and SSP, an organization can establish its SPRS score and determine whether it satisfies the proposal requirements.