Cybersecurity Maturity Model Certification

Are you, or will you be, bidding on a Department of Defense (DOD) contract?

Minimize risk and stand out from the competition by becoming an Early Adopter of the Cybersecurity Maturity Model Certification (CMMC).

Protecting the United States from Cyber Threats

The threat of cyber attacks keeps consumers, CEOs and Boards of Directors awake at night. Furthermore, organizations that support government entities, like the Department of Defense (DOD), remain at high risk, as the valuable information they create, process or store can jeopardize the safety and security of the U.S. in the hands of foreign adversaries, hacktivists, organized crime and other threat actors. To mitigate these risks, the DOD is requiring all suppliers to implement cybersecurity measures that comply with CMMC practices.

What is the Cybersecurity Maturity Model Certification (CMMC)? 

Developed by the DOD, the Cybersecurity Maturity Model Certification (CMMC) is a process to ensure that all Defense Industrial Base (DIB) contractors meet cybersecurity requirements for handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Formally introduced in 2020, CMMC is still under development, with recent revisions to the program structure intended to improve and streamline implementation in order to meet Department of Defense requirements and standards.

CMMC 2.0 Requirements

The CMMC Model has been updated from 1.0 to 2.0, with major changes including the following:

  • Maturity practices have been eliminated and the original five (5) CMMC Levels have been merged into three (3) remaining levels: Level 1, Level 2 and Level 3.
  • Level 1 remains the same with 17 basic safeguarding requirements; however, third-party assessments are no longer required, as company leaders can certify compliance on an annual basis.
  • Level 2 has been updated and requires full compliance with NIST SP 800-171 but eliminates the bespoke CMMC maturity requirements. Some contractors will be able to self-certify, although this process is still under development.
  • Practices in Level 4 and Level 5 have been eliminated or merged into Level 3. At this Level, full compliance with NIST SP 800-171 and compliance with a subset of control enhancements identified in NIST SP 800-172 is required.
    • Contractors seeking certification at Level 3 must first be certified by third-party assessment at Level 2, followed by government assessment against select NIST SP 800-172 requirements.

CMMC Model (figure)

UPDATE: Perfect assessment scoring is no longer required. In addition, contractors are no longer required to have full certification in order to bid on a solicitation. The DOD is once again permitting the use of Plan of Action and Milestones (POA&M) for certain areas of non-compliance. You are permitted to provide a definitive timeline and action plan for remediation of these gaps in compliance. The DOD will reassess after a predetermined time to ensure remediation is occurring, or is complete, per the approved plan.

Certified CMMC Assessors: C3PAO

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is a non-profit organization separate from the DOD that certifies CMMC Third-Party Assessor Organizations (C3PAOs). So, what exactly is a C3PAO? These are the organizations that conduct assessments in order to recommend that the CMMC-AB issue CMMC Level 2 certificates.

ABS QE is a C3PAO candidate. This designation enables us to assess DIB contractors' processes, procedures and practices for compliance with CMMC Level 2. In addition, we can provide our clients with licensed training guidance for self-assessments, as well as complementary assessment services, including ISO 27000, ISO 9000 and ISO 20000 assessments centered around cyber and information security.

Why Focus on Cybersecurity Now?

The CMMC framework raises questions for many, starting with “why should I be concerned with CMMC?” Positioning your business’s operations to protect against unintentional or malicious data leaks through CMMC helps to safeguard both our nation’s data and your bottom line.

  • Accelerate Revenue and Market Growth
  • Assure Defense Customers' CUI/FCI is Protected
  • Avoid False Claims Act Liability
  • Drive Enterprise Value
  • Stand Out from Competition as an Early Adopter
  • Meet Requirements to Win DOD Contracts

Best Practices: How to Implement CMMC

The DOD recently encouraged defense contractors, subcontractors and suppliers to take the following steps to prepare for the eventual rollout of CMMC:

  1. Implement the basic cybersecurity requirements in the Department of Defense Federal Acquisition Regulation (FAR) 52.204-21. DFAR cybersecurity controls are the foundation for CMMC Level 1, which is focused on protecting FCI and Covered Contractor Information Systems (CCIS).
  2. Develop levels of policies and procedures per Appendix E of NIST SP 800-171. ABS QE can perform gap and remediation audits as well as guide or conduct self-assessments.
  3. Implement the cybersecurity requirements in NIST SP 800-171 if you handle CUI. This will prepare your company for CMMC 2.0 Level 2 if it’s required. (If your company anticipates needing CMMC 2.0 Level 3 certification in the future, be sure to review NIST SP 800-172 to meet the necessary requirement enhancements.)
  4. Review and strengthen internal programs to ensure compliance with the US False Claims Act. This includes robust policies and practices to handle whistle-blower complaints that can become false claims suits. This is extremely important for companies that only require a self-assessment.
  5. Start now and turn CMMC into your competitive advantage. Whether you’re planning on taking steps toward becoming CMMC compliant or you simply want to boost your company’s cybersecurity, ABS QE can help.

Why ABS Quality Evaluations?

We're a global leader in Certified Performance.

In addition to being a C3PAO candidate, ABS QE is a Licensed Training Provider (LTP) for CMMC authorized by the CMMC-AB. As a world-leading certification body, our global network of auditors plays a crucial role in helping organizations gain the necessary certifications to achieve business excellence.

Our services include Consulting (ABS Group), Training, Self-Assessments, Gap Assessments, ISO/IEC 27001, ISO/IEC 20000-1, and ISO 9001 Certification.
