CMMC 2.0 - CYBERSECURITY MATURITY MODEL CERTIFICATION
When subcontracting to the US DoD, requirements to be CMMC compliant and certified are to be expected. CMMC requires controls, practices, and documentation supporting them.
CMMC facts
Cybersecurity Maturity Model Certification (CMMC) is a framework within IT security. It was developed in cooperation with Carnegie Mellon University, Johns Hopkins University, the Defense Industrial Base (DIB), and the US Department of Defense (DoD). CMMC initially launched as version 1.0, which has since been replaced by what is expected to be the final version, 2.0.
A requirement for being eligible for future contracts and for gaining or extending existing contracts
Companies seeking to be eligible for future DoD tenders will be met with a requirement of being CMMC compliant. This applies not only to Primes but also to all subcontractors down the supply chain (flow down). Existing subcontractors, if not already required to be compliant with NIST 800-171, will face the same requirements on contract extensions.
The three different CMMC levels
Within CMMC 2.0, three compliance levels exist. Level 1 is basic cyber hygiene; level 2 requires a formalized security setup, tied together with supporting security plans; and level 3 requires an advanced infrastructure, along with 24/7 monitoring.
Cybersecurity score registration (SPRS)
The final step of a CMMC implementation is calculating the score of the implemented security elements. Registering this score in the Supplier Performance Risk System (SPRS) is a requirement. DoD has access to the scores of all registered companies and is expected to use them when evaluating tenders.
Contracts define the required level
DoD defines the level required to be eligible for each specific tender. Contracts where CUI (Controlled Unclassified Information) is processed will require at minimum level 2, whereas contracts without CUI may only require level 1. It is worth noting that communicating FCI (Federal Contract Information) requires a level 1 certification. Companies dealing only with COTS (Commercial-Off-The-Shelf) products are not expected to be CMMC compliant.
CMMC compliance is a time-consuming path
CMMC 2.0 is based on the NIST 800-171 framework, which originates from the protection of CUI (Controlled Unclassified Information). Companies already compliant with NIST 800-171 (DFARS 252.204-7012, 7019 & 7020) will be on a fast track to CMMC certification. With all 110 of 110 elements implemented, the final path to CMMC certification is estimated at 3-6 months. If no elements have been implemented and there is no experience with NIST 800-171, the implementation can easily take up to a year to reach level 2 compliance.
Assistance with the process
We assist in the complete process of becoming CMMC 2.0 compliant, starting with a gap analysis and continuing through the implementation of procedures and controls, along with the technical backend systems. We have a long track record of engaging with compliance specialists, IT staff, and external service providers.
What we offer:
- Implementation of CMMC 2.0 level 1, within the existing company infrastructure
  A level 1 implementation opens up the possibility of communicating FCI (Federal Contract Information), which in practice makes it possible to bid on tenders and exchange contract information ahead of winning one.
- Implementation of CMMC level 2 (enclave)
  We have developed a complete turnkey solution called EPP™ (Enclave Processing Platform) to process CUI in relation to DFARS 7012. An enclave system is a separate and isolated ecosystem, protected and compliant with CMMC level 2, in which the sensitive material is processed.
Both implementations are end-to-end engagements. We will take you through the complete journey of reaching compliance with CMMC and, after implementation, assist you in staying compliant.
WHY CHOOSE US?
We are NIST 800-171 and DFARS 7012 experts and can help you become CMMC 2.0 compliant.