Reduced Cyber Risk and Improved National Security
Government Recognition and Eligibility for Contracts
Competitive Advantage and Operational Efficiency
Increased Trust and Reputation
Cybersecurity Maturity Model Certification (CMMC)
Comply with the Department of Defense Cybersecurity Maturity Model Certification (CMMC) in order to be eligible to bid on DoD contracts that carry a CMMC requirement. Safeguard sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and manage access to critical information.
Performed Requirements
Level 1 - Organizations implement the 15 basic safeguarding requirements of FAR 52.204-21 to protect Federal Contract Information (FCI), such as identifying and authenticating users before granting system access, keeping malicious-code protection current, and limiting physical access to systems. Level 1 is verified by an annual self-assessment.
Managed Requirements
Level 2 - Organizations implement all 110 security requirements of NIST SP 800-171 Rev 2, supported by a System Security Plan (SSP) and documented policies, to safeguard Controlled Unclassified Information (CUI). Depending on the contract, Level 2 is verified by a self-assessment or by a C3PAO certification assessment.
Optimized Requirements
Level 3 - Organizations build on Level 2 with 24 selected requirements from NIST SP 800-172 that address the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). Level 3 is assessed by DoD (DCMA DIBCAC), not by a C3PAO.
Cost-Effective CMMC Certification Support
CMMC compliance is not just a requirement but a gateway to Department of Defense (DoD) contracts. By requiring contractors to safeguard FCI and CUI, it reduces the exposure of the defense supply chain to cyber threats. For small businesses, a well-scoped CMMC program is a cost-effective way to strengthen security controls, reduce risk, and stand out in a competitive market.
By holding every contractor to the same published requirements, CMMC gives the DoD a verifiable baseline across its supply chain and enhances your organization's credibility with primes and customers. Certification is not a one-time event: a Level 2 certificate issued by a C3PAO is valid for three years and must be backed by an annual affirmation of continued compliance, so the controls, monitoring, and vulnerability management behind it have to be sustained. Recognized by the US government as evidence of that sustained practice, CMMC certification is an invaluable asset for organizations partnering with the DoD.
CMMC Level 2 Certification Workflow
Before starting Phase 1 of a CMMC Level 2 certification assessment, certain administrative, framing, and contractual tasks must be completed. These initial activities involve crucial interactions between the CMMC Third-Party Assessment Organization (C3PAO) and the Organization Seeking Certification (OSC) and play a significant role in ensuring a successful and transparent assessment. The steps begin once the C3PAO receives a request from the OSC and are outlined below in Steps 1 - 4; the assessment itself then proceeds through Phases 1 - 4 (Steps 5 - 8).
Step 1 - Confirm the Entity/Entities to be Assessed
The C3PAO is responsible for verifying the specific legal entity undergoing assessment and obtaining the necessary identifying information, such as Commercial and Government Entity (CAGE) codes, for the CMMC Level 2 certification assessment. Additionally, the C3PAO should inquire about the OSC's assessment unique identifier (UID) and whether any External Service Providers (ESPs), such as managed service or cloud providers that store, process, or transmit CUI on the OSC's behalf, fall within the assessment scope.
Step 2 - Frame the Assessment
The C3PAO collaborates with the OSC POC to define the scope and logistics of the assessment, covering schedule, organization size, information system details, personnel, contractual obligations, and the intended CMMC Assessment Scope. Key aspects to be agreed upon for the CMMC Level 2 certification assessment include personnel availability, evidence accessibility, relevant OSC documentation such as the System Security Plan (SSP), and an estimation of the assessment's duration and schedule. Considerations for framing the assessment also involve deciding assessment locations and whether security requirements can be evaluated virtually or in-person on OSC premises.
Step 3 - Identify and Manage Initial Conflicts of Interest (COI)
C3PAOs are responsible for ensuring impartiality and identifying conflicts of interest for CMMC Level 2 certification assessments. They must comply with the impartiality requirements of ISO/IEC 17020:2012 and the COI provisions in the CMMC Code of Professional Conduct (CoPC). The C3PAO must propose a Lead CMMC Certified Assessor (CCA) to the OSC for approval and address any conflicts of interest, for example prior consulting work by the C3PAO or a proposed assessor for the OSC. If conflicts arise, a mitigation plan must be developed and documented. If conflicts cannot be resolved, the assessment should not proceed.
Step 4 - Execute Contractual Agreement
The C3PAO shall execute a written contractual agreement for the CMMC Level 2 certification assessment with the OSC. Neither The Cyber AB nor the DoD is a party to the CMMC Level 2 certification assessment contract between the C3PAO and the OSC.
The format and structure of the contract is at the discretion and mutual agreement of the C3PAO and OSC. A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).
Step 5 (Phase 1) - Conduct the Pre-Assessment
During Phase 1, the C3PAO will assess whether the OSC has sufficiently prepared for the evaluation of its implementation of CMMC Level 2 security requirements. Upon completing Phase 1, the C3PAO will submit the Pre-Assessment Information Form to the CMMC instantiation of eMASS.
Step 6 (Phase 2) - Assessment Conformity
Phase 2 evaluates the OSC's implementation of the CMMC Level 2 security requirements in terms of depth and coverage, determining for each requirement whether the assessment objectives of NIST SP 800-171A are met. The C3PAO carries out the CMMC Level 2 certification assessment following 32 CFR § 170.17, NIST SP 800-171A, the CMMC Assessment Process (CAP) document, and ISO/IEC 17020:2012 for conformity assessment.
Step 7 (Phase 3) - Report Assessment Results
Phase 3 aims to finalize, review, document, and present the assessment findings for the CMMC Level 2 certification evaluation. At this stage, the Assessment Team will have finished all evaluation tasks related to the OSC's security requirements and evidence examination.
Step 8 (Phase 4) - Issue Certificate and Close POA&Ms
The final phase of the CMMC Level 2 certification assessment centers on the C3PAO issuing the OSC its CMMC Level 2 Certificate of CMMC Status and on closing out any Plan of Action and Milestones (POA&M) items that remain. If the OSC passes with a POA&M, its status is Conditional until the open items are closed, which must happen within 180 days, after which the status becomes Final. The completion of Phase 4 brings the CMMC Level 2 certification assessment to its formal conclusion.