Becoming compliant with the Cybersecurity Maturity Model Certification (CMMC) and passing the audit is essential for DoD contractors.
All DoD contract holders and subcontractors to DoD contracts will be required to comply with, and be audited against, the CMMC ("Cybersecurity Maturity Model Certification"). Many of the details related to CMMC have yet to be determined, but the time to prepare is now.
Guernsey can help you prepare for CMMC by:
- Performing a pre-assessment for CMMC.
- Helping you develop a System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
- Designing control activities that produce auditable artifacts.
- Helping you implement controls or recommending best practices to pass CMMC.
Guernsey is uniquely qualified to help with CMMC compliance:
- Guernsey is a DoD contractor and subject to CMMC.
- Guernsey does not sell managed services, compliance platforms, or software.
- We are certified auditors and security professionals.
- We are centrally located.
- We have been in business for over 92 years providing services to regulated industries and small to mid-sized organizations.
If you are not sure where to start, complete the free Self-Assessment Gap report below.
CMMC Gap Analysis Self-Assessment
Guernsey has created this CMMC Gap Analysis Self-Assessment tool to help you measure your current ability to comply with CMMC. With the results, you will be able to identify your organization's current level of CMMC maturity and identify improvement opportunities. Guernsey will also use this as part of a larger study of overall CMMC readiness.
Take the self-assessment here: CMMC Self-Assessment
We will provide you a gap report upon request that will give you and your management a roadmap for compliance.
You can always contact us for help with the assessment:
call us at 405.416.8182
or schedule a meeting: Book a Meeting
What is CMMC?
Version 1.0 of the CMMC has been published and can be found at https://www.acq.osd.mil/cmmc/index.html
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
- The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
- The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
The intent is for certified, independent third-party organizations to conduct audits and inform risk.
Important CMMC FAQ
The Office of the Under Secretary of Defense for Acquisition & Sustainment has provided answers to several common questions. You can find these FAQs at https://www.acq.osd.mil/cmmc/faq.html. The following are the most important answers:
What is CMMC?
CMMC stands for "Cybersecurity Maturity Model Certification". The CMMC will encompass multiple maturity levels that range from "Basic Cybersecurity Hygiene" to "Advanced". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go decision."
What is the relationship between NIST SP 800-171 rev.1 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company's institutionalization of cybersecurity practices and processes.
How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company's specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
How much will CMMC certification cost? Will the cost be based on the level we requested or the size of the organization?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.
Who will perform the assessments?
An independent third-party assessment organization will normally perform the assessment. Some of the higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
Are the results of my assessment public? Does the DoD see my results?
Your certification level will be made public; however, details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
How often does my organization need to be reassessed?
The duration of a certification is still under consideration.
My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.
I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.
You need a team of good guys who are trained to think like the bad guys. That’s where our cybersecurity professionals come in.
Timothy Fawcett, CISSP, CISA, CSSA
Director of Cyber Security Consulting
Tim Fawcett is the Director of Cyber Security Consulting with Guernsey. He has extensive experience in performing risk assessments for IT environments and communicating best practices related to a range of systems and technologies. Tim started his career in information assurance and auditing in 2001. In his career, he has performed IT audits, risk assessments, and cyber threat and vulnerability analyses. Specific project topics include the areas of NERC-CIP compliance, PCI Data Security Standard compliance, ERP system security, application, and operating system security configurations, business continuity planning and disaster recovery, physical security, telecommunications, and security architecture and design.
Cyber Security Consultant
Isaac is an experienced penetration tester who has performed dozens of penetration tests. Having worked with companies of all fields and sizes, he communicates effectively and promptly with all parties involved. In addition to pen testing, he has experience in physical security assessments and forensic work.
GSA Schedule 70
Engage Guernsey through Schedule 70.
Organizations that are eligible to purchase through GSA schedules can engage Guernsey through Schedule 70 - Contractor Awarded Unique Entity ID (DUNS): 062275144