Cybersecurity Maturity Model Certification
Are you, or will you be, bidding on a Department of Defense (DOD) contract?
Minimize risk and stand out from the competition by becoming an Early Adopter of the Cybersecurity Maturity Model Certification (CMMC).
CMMC 2.0 Requirements
The CMMC Model has been updated from 1.0 to 2.0, with major changes including the following:
- Maturity practices have been eliminated and the original five (5) CMMC Levels have been merged into three (3) remaining levels: Level 1, Level 2 and Level 3.
- Level 1 remains the same with 17 basic safeguarding requirements; however, third-party assessments are no longer required as company leaders can certify compliance on an annual basis.
- Level 2 has been updated and requires full compliance with NIST SP 800-171 but eliminates the bespoke CMMC maturity requirements. Some contractors will be able to self-certify, although this process is still under development.
- Practices in Level 4 and Level 5 have been eliminated or merged into Level 3. At this Level, full compliance with NIST SP 800-171 and compliance with a subset of control enhancements identified in NIST SP 800-172 is required.
- Contractors seeking certification at Level 3 first must be certified by third-party assessments at Level 2, followed by government assessment according to select NIST SP 800-172 requirements.
UPDATE: Perfect assessment scoring is no longer required. In addition, contractors are no longer required to have full certification in order to bid on a solicitation. The DOD is once again permitting the use of Plan of Action and Milestones (POA&M) for certain areas of non-compliance. You are permitted to provide a definitive timeline and action plan for remediation of these gaps in compliance. The DOD will reassess after a predetermined time to ensure remediation is occurring, or is complete, per the approved plan.
Certified CMMC Assessors: C3PAO
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is a non-profit organization separate from the DOD that certifies CMMC Third-Party Assessor Organizations (C3PAOs). So, what exactly is a C3PAO? These are the organizations that conduct assessments in order to recommend that the CMMC-AB issue CMMC Level 2 certificates.
ABS QE is a C3PAO candidate. This designation enables us to assess DIB contractors' processes, procedures and practices for compliance with CMMC Level 2. In addition, we can provide our clients with licensed training guidance for self-assessments, as well as complementary assessment services centered on cyber and information security, including ISO 27000, ISO 9000 and ISO 20000 assessments.
Why Focus on Cybersecurity Now?
The CMMC framework raises questions for many – starting with “why should I be concerned with CMMC?” Positioning your business's operations to protect against unintentional or malicious data leaks through CMMC helps to safeguard both our nation’s data and your bottom line.
- Accelerate revenue and market growth
- Assure defense customers' CUI/FCI is protected
- Avoid False Claims Act liability
- Drive enterprise value
- Stand out from the competition as an Early Adopter
- Meet the requirements to win DOD contracts
Best Practices: How to Implement CMMC
The DOD recently encouraged defense contractors, subcontractors and suppliers to take the following steps to prepare for the eventual rollout of CMMC:
- Implement the basic cybersecurity requirements in the Department of Defense Federal Acquisition Regulation (FAR) 52.204-21. DFAR cybersecurity controls are the foundation for CMMC Level 1, which is focused on protecting FCI and Covered Contractor Information Systems (CCIS).
- Develop the levels of policies and procedures described in Appendix E of NIST SP 800-171. ABS QE can perform gap and remediation audits, as well as guide or conduct self-assessments.
- Implement the cybersecurity requirements in NIST SP 800-171 if you handle CUI. This will prepare your company for CMMC 2.0 Level 2 if it’s required. (If your company anticipates needing CMMC 2.0 Level 3 certification in the future, be sure to review NIST SP 800-172 to meet the necessary requirement enhancements.)
- Review and strengthen internal programs to ensure compliance with the US False Claims Act. This includes robust policies and practices to handle whistle-blower complaints that can become false claims suits. This is extremely important for companies that only require a self-assessment.
- Start now and turn CMMC into your competitive advantage. Whether you’re planning on taking steps toward becoming CMMC compliant or you simply want to boost your company’s cybersecurity, ABS QE can help.
Why ABS Quality Evaluations?
We're a global leader in Certified Performance.
In addition to being a C3PAO candidate, ABS QE is a Licensed Training Provider (LTP) for CMMC authorized by the CMMC-AB. As a world-leading certification body, our global network of auditors plays a crucial role in helping organizations gain the necessary certifications to achieve business excellence.
Our services include Consulting (ABS Group), Training, Self-Assessments, Gap Assessments, ISO/IEC 27001, ISO/IEC 20000-1, and ISO 9001 Certification.