Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) framework was originally developed by Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory and funded by the Department of Defense (DoD). The CMMC consists of maturity processes and cybersecurity best practices drawn from multiple cybersecurity standards, frameworks and other references, as well as inputs from the Defense Industrial Base (DIB) and DoD stakeholders.
The CMMC is a formal requirement of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, applying to those DoD contractors who process, store, or transmit Controlled Unclassified Information (CUI). The CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items), valued at greater than the micro-purchase threshold, starting on or after October 1, 2025. Additionally, the rollout period for the CMMC is 7 years.
To guide the transition from DFARS 252.204-7012 (the original requirement, satisfied by self-attestation against the NIST 800-171 controls) to CMMC (certification by an authorized independent assessor), the DFARS Interim Rule was created. The Interim Rule contains the following DFARS clauses:
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
DoD contractors AND subcontractors MUST:
- Complete a NIST SP 800-171 Assessment
- Upload Assessment scoring and required documentation into the Supplier Performance Risk System (SPRS)
- Achieve the appropriate CMMC level certification as required by the contracting documents/solicitation
NIST 800-171 DoD Assessment
Following DFARS 252.204-7020 requirements, SCA will evaluate your organization against the 110 controls found in NIST 800-171. Our process includes a gap analysis of controls, scoring per the NIST 800-171 DoD Assessment Methodology, and creating the Plan of Action and Milestones (POAM) required to address partially implemented or missing controls.
System Security Plan
Drawing on over 16 years of helping organizations document information security policies, procedures and employee use guidelines, SCA offers a three-tier System Security Plan program:
- Review of existing System Security Plan including recommendations for improvement,
- Revising existing or developing a new System Security Plan,
- Annual review and maintenance of the System Security Plan to account for changes in people, process and technology.
DFARS Interim Rule Assessment
Following the NIST 800-171 DoD Assessment Methodology, SCA also includes the 20 additional practices required to meet CMMC Level 3 certification, for a total of 130 controls/practices. The true value of this process is satisfying 252.204-7019 and 252.204-7020 while also positioning for CMMC Level 3 certification with one assessment effort!
CMMC Gap Analysis
Depending on your required CMMC Level, SCA offers a gap analysis for CMMC Levels 1 – 3 that will review the following:
- CMMC Level 1: Basic cyber hygiene, including 17 practices,
- CMMC Level 2: Intermediate cyber hygiene, adding 58 practices to Level 1 for a total of 72 practices,
- CMMC Level 3: Good cyber hygiene, building on Levels 1 and 2 plus 58 more practices that encompass NIST 800-171, and 20 practices from NIST CSF, ISO/IEC 27001, CIS CSC and CERT RMM 1.2.