Becoming compliant with the Cybersecurity Maturity Model Certification (CMMC) and passing the assessment is essential for many DoD contractors.
DoD contract holders and subcontractors on DoD contracts that interact with Controlled Unclassified Information (CUI) will be required to comply with, and be assessed against, the CMMC or "Cybersecurity Maturity Model Certification". Updated requirements known as CMMC 2.0 are undergoing review through government rulemaking. We do know it is on the way, and the time to prepare is now.
Guernsey can perform an official CMMC Assessment
- As an Authorized C3PAO we can enter into contracts to perform official assessments
- There may be incentives for early adoption
- Oklahoma Defense Industrial Base (DIB) companies now have a local resource
Guernsey will prepare your company for CMMC by:
- Assisting with the implementation of your CMMC program
- Aiding in the development of a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms)
- Designing control activities that produce auditable artifacts
- Helping implement controls or recommending best practices to pass CMMC
- Serving as part of the company's team and assisting during the third-party assessment
Guernsey is uniquely qualified to help with CMMC compliance:
- Guernsey is one of the first companies in the country to pass a CMMC 2.0 assessment and become an authorized C3PAO
- Guernsey is a DoD contractor and subject to CMMC
- Guernsey does not sell managed services, compliance platforms, or software
- Guernsey's Subject Matter Experts (SMEs) are certified auditors and security professionals
- Guernsey is centrally located in the United States
- Guernsey is in its 10th decade of business providing services to regulated industries and small to mid-sized organizations
Early Adoption of CMMC
There are options and possible incentives for early adoption
DIB companies that want a certification assessment before it is required will be able to obtain one in the coming months. Guernsey is authorized to perform this assessment. Companies that want the distinction of becoming CMMC certified early should contact us to schedule an assessment.
CMMC 2.0 Readiness Tool
Guernsey has created this CMMC Preparation Tool
Guernsey has created this CMMC Preparation Tool to help you measure your current ability to comply with CMMC. With the results, you will be able to identify your organization's current level of NIST SP 800-171 and CMMC maturity and identify improvement opportunities. Use this tool to document the required NIST SP 800-171 assessment.
To schedule time to discuss how Guernsey can help your company with CMMC compliance:
call us at 405.416.8182
or schedule a meeting: Book a Meeting
What is CMMC?
To protect American ingenuity and national security information, the DoD developed CMMC 2.0
The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.
OVERVIEW OF THE CMMC PROGRAM
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department with increased assurance that contractors and subcontractors are meeting these requirements.
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for flowing requirements down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
OVERVIEW OF ASSESSMENTS
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0:
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
- Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments.
- The highest priority, most critical defense programs (Level 3) will require government-led assessments.
The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks.
Likewise, a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.
Contractors will be required to conduct a self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS). An unofficial CMMC assessment can give company officials comfort in making that attestation.
Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security.
The CMMC-AB will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). The DIB company will be fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD.
As part of the CMMC 2.0 implementation, the DoD will approve all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem. Additionally, the CMMC-AB must achieve compliance with the ISO/IEC 17011 standard prior to accrediting C3PAOs and a CAICO. Separately, C3PAOs will be required to comply with ISO/IEC 17020 and the CAICO will be required to comply with ISO/IEC 17024 requirements.
The Department intends for Level 3 (“Expert”) cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.
Important CMMC FAQ
Important FAQs regarding CMMC 2.0
The Office of the Under Secretary of Defense for Acquisition & Sustainment has provided answers to several common questions. You can find these FAQs at https://www.acq.osd.mil/cmmc/i... The following are important answers:
Q. Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
A. The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve the inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.
Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in the regulation.
Q. When will CMMC 2.0 be required for DoD contracts?
A. The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Q. How will my organization know what CMMC level is required for a contract?
A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level.
Q. How frequently will assessments be required?
A. Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.
Q. Who will perform third-party CMMC assessments?
A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO or certified CMMC Assessor, and C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments.
Q. Will my organization need to be certified if it does not handle CUI?
A. DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
Q. Will the results of my assessment be public? Will the DoD see my results?
A. Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, including the assessment results and final report. The DoD will store all self-assessment results on SPRS. CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS). The detailed results of a CMMC assessment will not be made public.
If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.
Q. What is the difference between a CMMC self-assessment and a basic assessment required as part of the DoD Assessment Methodology?
A. A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.
A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that —
1. Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
2. Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
3. Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.
You need a team of good guys who are trained to think like the bad guys. That’s where our cybersecurity professionals come in.
Timothy Fawcett, CISSP, CISA
Director of Cyber Security Consulting
Tim Fawcett is the Director of Cyber Security Consulting with Guernsey. He has extensive experience in performing risk assessments for IT environments and communicating best practices related to a range of systems and technologies. Tim started his career in information assurance and auditing in 2001. In his career, he has performed IT audits, risk assessments, and cyber threat and vulnerability analyses. Specific project topics include NERC-CIP compliance, PCI Data Security Standard compliance, ERP system security, application and operating system security configurations, business continuity planning and disaster recovery, physical security, telecommunications, and security architecture and design.
GSA Schedule 70
Engage Guernsey through Schedule 70.
Organizations that are eligible to purchase through GSA schedules can engage Guernsey through Schedule 70 - Contractor Awarded Unique Entity ID (DUNS): 062275144