Guernsey Earns Cyber CMMC Assessment Authorization
By: Timothy Fawcett
Date: 3/8/2022
Guernsey is now the first and only company in Oklahoma, and one of only eight in the nation, authorized to conduct Cybersecurity Maturity Model Certification (CMMC) Assessments of companies around the nation, as an anticipated requirement of the Department of Defense (DoD).
The venerable certification comes after Guernsey's cybersecurity practice completed the DCMA DIBCAC's CMMC 2.0 Level 2 Assessment, achieving status as an authorized CMMC Third-Party Assessor Organization (C3PAO). C3PAOs are organizations authorized by the CMMC Accreditation Body to conduct CMMC assessments on Organizations Seeking Certification (OSC).
"Guernsey first started participating in the CMMC ecosystem in March 2020 and began the application process back in October 2020," Guernsey Director of Cybersecurity Consulting Timothy Fawcett, CISSP, CISA, CSSA said. "After a lengthy process, we have earned Oklahoma's first and the nation's eighth CMMC Assessment Authorization, helping Oklahoma stand out as a friendly place for the DoD to do business."
CMMC is a program created by the DoD to enhance cybersecurity standards for companies within the Defense Industrial Base (DIB). The program is in response to increasingly frequent and severe cyberattacks against the DIB and aids in the protection of intellectual property, trade secrets, and other sensitive information.
The program has three tenets of implementation:
- Tiered Model: The CMMC requires progressively advanced safeguards commensurate with the value and criticality of the protected information in question.
- Assessment Requirement: Assessments by DoD and industry partners (i.e., private entities) ensure CMMC compliance.
- Implementation through Contracts: The CMMC will derive its enforceability through contracts awarded to DoD contractors by the Department.
"Cybersecurity is more critical now than ever, and these CMMC assessments will help companies performing and seeking DoD contracts get ahead of federal requirements," Fawcett continued. "As a DoD contractor that's passed a CMMC Level 2 Assessment required to become a C3PAO, we know how to get through the assessment and will be a beneficial asset to other companies that need to implement CMMC or desire the peace of mind that comes from a CMMC-grade cybersecurity training and review."
In November 2021, the DoD announced an upgrade to the CMMC program, CMMC 2.0. While the DoD is not yet allowing assessments to take place, it has indicated that authorized C3PAOs will be able to start performing voluntary assessments before the requirement takes effect.
Key features of the upgrade include:
- Three levels of progressively advanced cybersecurity practices.
- Uses National Institute of Standards and Technology (NIST) standards.
- Allows limited use of Plans of Action & Milestones (POA&Ms).
- Allows Level 1 contractors to self-assess.
- Allows a subset of Level 2 contractors to self-assess.
What Guernsey can do for your business:
- Guernsey is uniquely qualified to provide consulting and recommendations to clients implementing CMMC processes.
- Guernsey will assist with the implementation and operation of CMMC processes.
- Guernsey will help get your business prepared for a CMMC assessment.
- Guernsey guides development of compliance documents requested by a prime contractor (enabling confident status reporting).
- Guernsey is authorized to conduct Certified CMMC assessments, once permitted by the DoD.
- Guernsey offers guidance and tools on its website, including the CMMC 2.0 Readiness Tool, that can help prepare for current and future DoD requirements for cybersecurity.
"Guernsey has been instrumental in helping our utility complete CMMC," Nueces Electric Cooperative IT Director Sergey Seryogin said. "Their expert knowledge of the industry empowered our organization to be proactive and diligent, which in turn made people from the Pentagon very happy."
For businesses interested in getting ahead of the DoD cybersecurity requirements, contact Timothy Fawcett at Timothy.fawcett@guernsey.us or (405) 416-8182.
The CMMC Final Rule has been published, and it will be effective on 12/16/2024.
Guernsey is the only Oklahoma-based company to have achieved the Certified Third-Party Assessment Organization (C3PAO) status, which authorizes the firm to provide CMMC assessments, or “audits,” for clients seeking certification to meet their contractual obligations.
To schedule your company's C3PAO assessment, contact Timothy Fawcett, CISSP, Vice President Director of Cybersecurity Consulting, at Timothy.fawcett@guernsey.us or (405) 416-8182.