Risk and Compliance Service
Your Trusted Cybersecurity Partner
A Complete Portfolio of Compliance Solutions Tailored for Your Business.
Businesses turn to us for our ability to guide them in determining requirements, assessing cyber risk and compliance, and developing and deploying efficient cost-effective solutions. While most providers have a “check the box” mentality, our cyber risk and compliance experts take the time to understand, develop, and deliver solutions tailored for your business.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year-phase-in period.
In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
What does CMMC mean?
If you hope to do business as a DoD contractor or subcontractor, there will be a requirement for CMMC on affected contracts in the solicitation and in any Requests for Information (RFIs) before the contract is awarded. This is for the protection of Federal Contract Information (FCI). If your company expects to work with Controlled Unclassified Information (CUI), your company must be CMMC Level 2 certified or higher before the contract is awarded. This framework maps to NIST SP 800-171. CMMC Level 3, or “Expert” level is currently under development and will be based on a subset of NIST SP 800-172.
How do you become compliant?
It starts with a look at the type of work you do, the future work you expect to be involved in, and in-depth look at the state of your information system environment. Every company is unique, and every company’s needs are unique. There is no one-size-fits-all approach. It doesn’t matter if your company size is one person or 100,000 people strong. It doesn’t matter if you are working out of your home or working across multiple states. We have the depth and breadth of experience to address your needs. As former DoD employees and former DoD contractors, we have a unique insight into the governance, risk, and compliance requirements and process needed for CMMC.
