Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC)

DoD contract holders and subcontractors to DoD contracts that interact with Controlled Unclassified Information (CUI) will be required to comply with and assessed to the CMMC or "Cybersecurity Maturity Model Certification". Updated requirements known as CMMC 2.0 are undergoing review through government rulemaking. We do know it is on the way and the time to prepare is now.

Guernsey can perform an official CMMC Assessment

  • As an Authorized C3PAO we can enter into contracts to perform official assessments.
  • There may be incentives for early adoption.
  • Oklahoma Defense Industrial Base (DIB) companies now have a local resource.

Guernsey will prepare your company for CMMC by:

  • Assisting with the implementation of your CMMC program.
  • Aid in the development of a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms).
  • Designing control activities generated to create auditable artifacts.
  • Help implement controls or recommend best practices to pass CMMC.
  • Serve as part of the company's team and assist during the third-party assessment.

Guernsey is uniquely qualified to help with CMMC compliance:

  • Guernsey is one of the first companies in the country to pass a DoD assessment against CMMC 2.0 controls to become an authorized C3PAO.
  • Guernsey is a DoD contractor and subject to CMMC.
  • Guernsey does not sell managed services, compliance platforms, or software.
  • Guernsey's Subject Matter Experts (SMEs) are certified security and audit professionals.
  • Guernsey is centrally located in the United States.
  • Guernsey is in our 10th decade of business providing services to regulated industries and small to mid-sized organizations.
Cybersecurity Maturity Model Certification (CMMC)2

The CMMC Final Rule has been published, and it will be effective on 12/16/2024.

Guernsey is the only Oklahoma based company to have achieved the Certified Third-Party Assessment Organization (C3PAO) status, which authorizes the firm to provide CMMC assessments, or “audits,” for clients seeking certification to meet their contractual obligations.

To schedule your company's C3PAO assessment, contact Timothy Fawcett, CISSP, Vice President Director of Cybersecurity Consulting, at Timothy.fawcett@guernsey.us or (405) 416-8182.

What is CMMC?

To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.

CMMC 2.0 FAQS

The Office of the Under Secretary of Defense for Acquisition & Sustainment has provided answers to several common questions.

Governance Risk and Compliance (GRC)

Guernsey can help you meet regulatory and compliance obligations by implementing a Governance Risk and Control Program. Depending on regulatory or contractual requirements, organizations may be required to be compliant with different cybersecurity frameworks, pass a regulatory review or audit such as CMMC and SOC2.

The Guernsey / HoganTaylor Partnership

Guernsey, the only Oklahoma-based Certified Third-Party Assessment Organization (C3PAO), has partnered with HoganTaylor, one of the largest business advisory and public accounting firms in Oklahoma and Arkansas, to provide Cybersecurity Maturity Model Certification (CMMC) services.