Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification is a consolidated standard for Department of Defense (DoD) contractors that collect, process, or store controlled unclassified information (CUI). The compliance standard is an evolution of the DFARS 252.204.7012 and NIST 800-171 standards and is meant to protect the nation’s most sensitive data.
Designed to enhance the cybersecurity posture of the Defense Industrial Base (DIB), the framework combines several cybersecurity standards and best practices with controls mapped across several maturity levels.
Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC framework.
Our CMMC Services
As an independent audit firm, 360 Advanced can conduct a third-party assessment of your controls, helping you obtain your DoD cybersecurity certification. We offer:
If you are new to federal cybersecurity and compliance requirements, we can help you determine which practices are in scope for your desired level of certification.
From there, we can conduct a gap analysis that evaluates your controls through the lens of the CMMC framework. Our auditors help you identify areas of non-compliance, then create a prioritized action plan for remediation.
Self-assessments will be required on an annual basis. When CMMC certification is required, C3PAO assessment (Level 2) or Government assessment (Level 3), will be required every three years.
Who Is Required to Have a CMMC?
CMMC is mandatory for all organizations that do business with the United States Department of Defense, including non-federal contractors and sub-contractors.
Can I Self-Certify?
Certifications must be provided by an independent CMMC auditor, also known as a C3PAO or CMMC assessor. Companies associated with the new Level 1 and some Level 2 acquisition programs are allowed to perform self-assessments.
The CMMC comprises three levels, each one covering a progressively higher number of practices and processes.
Organizations are encouraged to choose the maturity level that best supports their business goals, as well as their data processing activities.
15 requirements and is an annual self-assessment and annual affirmation
100 requirements aligned with NIST SP 800-171 and is a triennial third-party assessment and annual affirmation and a triennial self-assessment and annual affirmation for select programs
110+ requirements based on NIST SP 800-171 and 800-172 and is a triennial government-led assessment and annual affirmation
The Relationship between NIST and CMMC
CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard has been met. The Defense Federal Acquisition Regulation Supplement (DFARS) clause states the basic safeguarding requirements for Level 1 compliance. Under CMMC 2.0, a level 2 assessment will be conducted against the NIST SP 800-171 standard. A Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.
With 2.0 Published, Do Companies Still Need to Comply with 1.0?
The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised framework according to requirements set forth in regulation.
CMMC 2.0 will not be a contractual requirement until the DoD completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
New to the Cybersecurity Maturity Model?
Learn more about the framework, requirements, and the certification process:
Learn More About CMMC Certification
Whether you’re a current federal contractor or looking to bid on your first DoD contract, 360 Advanced can help you navigate the world of cybersecurity and compliance. Our team has experience with a variety of federal frameworks – from NIST and DFARS to FISMA and FedRAMP – and can help you meet your organization’s unique requirements. For more information about CMMC certification, contact us today.