CMMC Compliance – The Cybersecurity Maturity Model Standard

Submenu

For more information, please contact:

Chandler Hall
chandler.hall@sentar.com
(256) 836-7853

We have years of experience helping Federal contractors throughout all industries obtain their compliance with the cybersecurity controls, such as those specified in the Cybersecurity Model Maturity Certification (CMMC) standard. As a DoD contractor, we have the experience to prepare your organization for the accreditation (audit), perform the accreditation, or advise on how to reduce the impact of the requirements.

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC is a new requirement the DOD created to implement a multi-level approach for contractor compliance in cybersecurity. It stems from the NIST SP 800-171 (“NIST-171”) standard, but instead uses five different levels of maturity metrics. DOD contractors have been required to meet NIST-171 since Jan 1, 2018, but many chose to implement only a few controls via the allowed use, and sometimes abuse, of a Plan of Action & Milestones (POA&M) which allows organizations to state they are ‘working on it’ and will close their gaps ‘in the future.’

The CMMC standard starts with a similar set of security controls, as defined in this CMMC V1.0 standard document. However, due to the low rate of 100% NIST-171 controls implementations, the CMMC standard REQUIRES contractors to pass a third party audit from a C3PAO (CMMC Third Party Assessor Organization) prior to receiving new contract awards with the CMMC requirement. Initial RFPs with this requirement will be released in October 2020.

Additionally, CMMC does add a few controls beyond the NIST-171 standard, and most of those are based on existing NIST 800-53 controls. Only a few CMMC Level 4 & 5 controls fall outside of NIST 800-53.

Why should my Organization care about the CMMC?

CMMC is a mandatory requirement. You will not be awarded a DOD contract with this requirement without obtaining the correct accreditation level. It is anticipated that by 2026, ALL DOD Contracts will require a contractor to pass and obtain accreditation via a CMMC Level 1-5 audit, depending on the contract requirement. Again, without this accreditation, contractors will NOT be allowed to be awarded or maintain their contracts.

What are the challenges of obtaining CMMC accreditation?

The challenge for most organizations required to comply with these requirements is mostly the risk associated with incorrectly interpreting or implementing controls, which cause the contractor to fail their audit. There is an increasingly difficult level of controls and processes in each higher tier of the CMMC:
  • CMMC Level 1: 17 Controls
  • CMMC Level 2: 72 Controls (includes Level 1 controls)
  • CMMC Level 3: 130 Controls (includes Level 2 controls)
  • CMMC Level 4: 156 Controls (includes Level 3 controls)
  • CMMC Level 5: 171 Controls (includes Level 4 controls)

How can Sentar Help?

Our Governance, Regulation, and Compliance experts have helped dozens and dozens of federal contractors meet their compliance requirements. Every Sentar GRC client that has been audited for their compliance has passed without exception. If you want to be certain your organization is compliant, contact us today. In most cases, we can analyze and provide a complete understanding of your compliance maturity posture, as well as support your remediation efforts along the way.

Currently, the best a contractor can do to prepare for an upcoming CMMC audit is two-fold:

  1. Implement AND document 100% of the NIST-171 controls. We can quickly and cost-efficiently perform this service for you, including all documentation during our NIST-171 Compliance Solution.
  2. Have us conduct a CMMC Pre-Audit Gap Assessment Solution and purchase their CMMC Documentation set, which includes free customization support for six months.

The cost of your CMMC audit will be reduced with proper, easy-to-review documentation. During any audit, time = costs.

CMMC Overview and Assessment Solutions

CMMC Gap Assessment Solution
Sentar is actively performing CMMC Pre-audit Gap Assessments. . Our team can conduct a CMMC Gap Assessment now to help your organization understand what effort remains in implementing the new or modified Cybersecurity controls as required in Levels 1 – 5 to prepare for implementation prior to your official accreditation audit.

One additional benefit is included in our CMMC Gap Assessment: Placement into our Client Audit Priority Queue. Every client that purchases our CMMC Gap Assessment is placed in our Audit Priority Queue at the time of PO or quote signature receipt by Sentar. This queue ensures your audit will occur in the time you need it. We do, however, reserve the right to make adjustments within the queue, based on clients that have a pending award with a CMMC requirement over clients that do not.

Click here to have someone contact you to discuss our CMMC Gap Assessment Service and CMMC Audit Client Priority Queue.

CMMC Consulting Solutions
Our cybersecurity consultants can help you determine the best solutions for the least impact to your processes, personnel, and budgets that you can use to address your CMMC gaps. Additionally, we can help perform the implementation of those solutions, modifications to existing security infrastructure, and more. If you need help meeting CMMC compliance requirements, contact us by clicking here.

CMMC Documentation Set
As in any audit, if it isn’t documented, it doesn’t exist. The same is true about the CMMC. Sentar’s CMMC Documentation set far exceeds mere templates. Experienced Sentar subject matter experts have developed completely defined documentation with appropriate settings for small, medium, and complex environments that is easily further customized for free. When you purchase our documentation set, your IT staff can quickly get to work implementing and modifying settings to match the documentation. Or, if they would prefer a slightly different configuration or setting, they can send our team the desired change and we’ll confirm if that change meets the requirements. Your organization has six months of free customization support, which ensures you end up with customized processes and procedures that fit your organization without the tens of thousands of dollars required by other organizations to custom them.

Click here to request a quote for our CMMC Complete Documentation Set.

CMMC Audit Solution

NOTE: NOT AVAILABLE UNTIL SUMMER 2020.

Please be aware that no organization has been awarded the C3PAO accreditation status at this time. It is expected that organizations, including Sentar, should be able to start performing CMMC Level 3 audits during the summer of 2020, and Level 4-5 audits a few months after that.

If you want to ensure we can audit you as soon as we obtain our accreditation, you can purchase our CMMC Gap Assessment service, which automatically places you into our CMMC Audit Client Priority Queue as discussed in our CMMC Gap Assessment Service.

Click here to request a call discussing current status, schedules and the CMMC Audit Client Priority Queue for your CMMC Audit.

For more information, please contact:

Chandler Hall
chandler.hall@sentar.com
(256) 836-7853

We’re Hiring

Join the fastest-growing team in cyber