CMMC Compliance – The Cybersecurity Maturity Model Standard
We have years of experience helping Federal contractors throughout all industries achieve compliance with cybersecurity controls, such as those specified in the Cybersecurity Maturity Model Certification (CMMC) standard. As a DoD contractor, we have the experience to prepare your organization for the accreditation (audit), perform the accreditation, or advise on how to reduce the impact of the requirements.
What is the Cybersecurity Maturity Model Certification (CMMC)?
CMMC is a new requirement the DOD created to implement a multi-level approach for contractor compliance in cybersecurity. It stems from the NIST SP 800-171 (“NIST-171”) standard, but instead uses five different levels of maturity metrics. DOD contractors have been required to meet NIST-171 since Jan 1, 2018, but many chose to implement only a few controls via the allowed use, and sometimes abuse, of a Plan of Action & Milestones (POA&M), which allows organizations to state they are ‘working on it’ and will close their gaps ‘in the future.’
The CMMC standard starts with a similar set of security controls, as defined in this CMMC standard document. However, because the rate of 100% NIST-171 control implementation is low, the CMMC standard REQUIRES contractors to pass a third-party audit from a C3PAO (CMMC Third Party Assessor Organization) prior to receiving new contract awards with the CMMC requirement. Initial RFPs with this requirement will be released in October 2020.
Additionally, CMMC does add a few controls beyond the NIST-171 standard, and most of those are based on existing NIST 800-53 controls. Only a few CMMC Level 4 & 5 controls fall outside of NIST 800-53.
Why should my Organization care about the CMMC?
CMMC is a mandatory requirement. You will not be awarded a DOD contract with this requirement without obtaining the correct accreditation level. It is anticipated that by 2026, ALL DOD contracts will require a contractor to pass and obtain accreditation via a CMMC Level 1-5 assessment, depending on the contract requirement. Again, without this accreditation, contractors will NOT be awarded contracts or allowed to maintain them.
What are the challenges of obtaining CMMC accreditation?
- CMMC Level 1: 17 Controls
- CMMC Level 2: 72 Controls (includes Level 1 controls)
- CMMC Level 3: 130 Controls (includes Level 2 controls)
- CMMC Level 4: 156 Controls (includes Level 3 controls)
- CMMC Level 5: 171 Controls (includes Level 4 controls)
How can Sentar Help?
Our Governance, Regulation, and Compliance experts have helped dozens and dozens of federal contractors meet their compliance requirements. Every Sentar GRC client that has been assessed for their compliance has passed without exception. If you want to be certain your organization is compliant, contact us today. In most cases, we can analyze and provide a complete understanding of your compliance maturity posture, as well as support your remediation efforts along the way.
Currently, the best a contractor can do to prepare for an upcoming CMMC audit is two-fold:
- Implement AND document 100% of the NIST-171 controls. We can quickly and cost-efficiently perform this service for you, including all documentation, as part of our NIST-171 Compliance Solution.
- Have us conduct a CMMC Pre-Assessment Gap Assessment Solution and purchase our CMMC Documentation set, which includes free customization support for six months.
The cost of your CMMC assessment will be reduced with proper, easy-to-review documentation. During any audit, time = costs.
CMMC Overview and Assessment Solutions
CMMC Gap Assessment Solution
Sentar is actively performing CMMC Pre-audit Gap Assessments. Our team can conduct a CMMC Gap Assessment now to help your organization understand what effort remains in implementing the new or modified cybersecurity controls required in Levels 1 – 5, so that you can complete implementation prior to your official accreditation audit.
CMMC Consulting Solutions
Our cybersecurity consultants can help you determine the best solutions to address your CMMC gaps with the least impact to your processes, personnel, and budgets. Additionally, we can help perform the implementation of those solutions, modifications to existing security infrastructure, and more. If you need help meeting CMMC compliance requirements, contact us.
CMMC Documentation Sets
As in any audit, if it isn’t documented, it doesn’t exist. The same is true about the CMMC. Sentar’s CMMC Documentation sets far exceed mere templates. Experienced Sentar subject matter experts have developed completely defined documentation with appropriate settings for small, medium, and complex environments that is easily further customized for free. When you purchase our documentation set, your IT staff can quickly get to work implementing and modifying settings to match the documentation. Or, if they would prefer a slightly different configuration or setting, they can send our team the desired change and we’ll confirm if that change meets the requirements. Your organization has six months of free customization support, which ensures you end up with customized processes and procedures that fit your organization without the tens of thousands of dollars required by other organizations to customize them.
CMMC Assessment Solution
Please be aware that no organization has been awarded the C3PAO accreditation status at this time. It is expected that organizations, including Sentar, should be able to start performing assessments soon.