Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) framework was originally developed by Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory and funded by the Department of Defense (DoD). The CMMC combines maturity processes and cybersecurity best practices drawn from multiple cybersecurity standards, frameworks and other references, together with input from the Defense Industrial Base (DIB) and DoD stakeholders.

The CMMC is a formal requirement of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, which applies to DoD contractors who process, store, or transmit Controlled Unclassified Information (CUI). The CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for COTS items), valued above the micro-purchase threshold and issued on or after October 1, 2025. The rollout period for the CMMC is 7 years.

To guide the transition from DFARS 252.204-7012 (the original requirement of satisfying NIST SP 800-171 controls through self-attestation) to CMMC (certification by an authorized independent assessor), the DFARS Interim Rule was created. The Interim Rule contains the following DFARS clauses:

252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements

252.204-7020, NIST SP 800-171 DoD Assessment Requirements

252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

DoD contractors AND subcontractors MUST:

  1. Complete a NIST SP 800-171 Assessment
  2. Upload Assessment scoring and required documentation into the Supplier Performance Risk System (SPRS)
  3. Achieve the appropriate CMMC level certification as required by the contracting documents/solicitation

SCA is a CMMC-AB Registered Provider Organization (RPO) and offers the services below to help DoD contractors satisfy DFARS and CMMC requirements. View our CMMC Marketplace listing here.

NIST 800-171 DoD Assessment

Following DFARS 252.204-7020 requirements, SCA will evaluate your organization against the 110 controls found in NIST SP 800-171. Our process includes a gap analysis of the controls, scoring per the NIST SP 800-171 DoD Assessment Methodology, and creation of the Plan of Action and Milestones (POAM) required to address partially implemented or missing controls.

System Security Plan

Drawing on over 16 years of helping organizations document information security policies, procedures and employee use guidelines, SCA offers a three-tier System Security Plan program:

  1. Review of an existing System Security Plan, including recommendations for improvement;
  2. Revision of an existing, or development of a new, System Security Plan;
  3. Annual review and maintenance of the System Security Plan to account for changes in people, process and technology.

DFARS Interim Rule Assessment

Following the NIST SP 800-171 DoD Assessment Methodology, SCA also assesses the 20 additional practices required for CMMC Level 3 certification, for a total of 130 controls/practices. The true value of this process is satisfying 252.204-7019 and 252.204-7020 while also positioning for CMMC Level 3 certification with a single assessment effort!

CMMC Gap Analysis

Depending on your required CMMC Level, SCA offers a gap analysis for CMMC Levels 1 – 3 that reviews the following:

CMMC Level 1: Basic cyber hygiene, comprising 17 practices.

CMMC Level 2: Intermediate cyber hygiene, adding 58 practices to Level 1 for a total of 72 practices.

CMMC Level 3: Good cyber hygiene, building on Levels 1 and 2 with 58 more practices that encompass NIST SP 800-171 plus 20 practices drawn from the NIST CSF, ISO/IEC 27001, the CIS CSC and CERT RMM 1.2.