Churchill and Harriman

 

info@chus.com|609-921-3551

 
 
 

Cybersecurity Maturity Model Certification (CMMC 2.0)

 
 

TRUST THE EXPERTS
CHOOSE CHURCHILL & HARRIMAN

26 years of validated remediation and pre-certification results within critical infrastructure

26 years of risk assessment and attestation results within critical infrastructure environments

26 years serving Small Business clients to Fortune 100 clients—across global industries

Cybersecurity Maturity Model Certification (CMMC 2.0) is a Department of Defense (DoD) program that serves as a frame-work to enforce Federal Acquisition Regulation (FAR) 52.204-21 requirements, NIST SP 800-171 and 172, and the anticipated Final CMMC Rule. In order to better ensure national security, there are three distinct Levels of CMMC 2.0 Certification:

Level 1 Foundational — Defense contractors must provide evidence of basic cyber hygiene to achieve CMMC Level 1 certification. CMMC Level 1 specifies the basic Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses in most DoD contracts. This practice establishes a secu- rity foundation for the subsequent Levels of the CMMC model and must be completed by all certified organizations. Level 1, which includes 17 controls, is readily achievable for smaller organizations and includes a subset of universally accepted common security practices across government and industry. Organizations must demonstrate that they have implemented effective security controls and that they have the ability to pro- tect Federal Contract Information (FCI).

Level 2 Advanced — The processes for CMMC Level 2 are to establish a policy around each of the CMMC domains and to document that your practices implement the policy. CMMC Level 2 introduces 93 new practices aligned with NIST SP 800-171 to those 17 controls in CMMC Level 1. CMMC Level 2 requires triennial third-party assessments for critical national security when working with sensitive controlled information and an annual self-assessment when dealing with Controlled Unclassified Information (CUI). Plan of Action & Milestones (POA&M) for scheduled upgrades are now permitted.

Level 3 Expert — Certification automatically implies that the contractor meets all criteria set by the CMMC including all requirements at Levels 1 & 2. Organizations must have an advanced or progressive cybersecurity program in place and must demonstrate that they have implemented effective security controls and that they have the ability to protect Controlled Unclassified Information (CUI). This includes compliance with all security requirements of NIST SP 800-171, NIST SP 800-172, and DFARS Clause 252.204.7012. Effectively, Level 3 is demonstrated implementation of all Level 1 & 2 policies and procedures and requires continuous control monitoring. This also covers proactive measures to safeguard CUI from Advanced Persistent Threats (APTs) which are mostly nation state-sponsored threat actors who are highly dangerous to the nation’s security.

Contact us NOW to get started today.

Our results have been tested and implemented by federal government agencies, corporations of all sizes and across industries, and their suppliers — improving their security posture, and satisfying contractual requirements.

Connect with Us

Churchill & Harriman helps you achieve CMMC certification through the following processes:

Identification of the appropriate CMMC scope to help you understand the applicable control environment required.

Performance of a gap analysis against CMMC requirements and the existence and use of those controls. This will provide you evidence of how close, or how far away, your organization TRULY IS from meeting the requirements outlined in the appropriate CMMC Level. The gap analysis will expose issues such as:

  • How access to information systems is controlled.
  • How managers and information system administrators are trained.
  • How data are stored.
  • How security controls and measures are implemented and enforced.
  • Inadequate systems, processes, and policies.
  • How incident response plans are developed and implemented.
  • What maturity processes are required for each CMMC Level.

Without a proper gap analysis, it would be impossible to know what changes an organization might need to achieve the required CMMC Level.

The creation of a remediation plan, a Systems Security Plan (SSP), and a POA&M is based on the findings outlined in the Gap Assessment. The roadmap may involve small, quick fixes to a network and/or its processes, or it may involve the more extensive development of compliant networks and processes to meet applicable CMMC requirements.

Knowing what needs to be addressed will make it easier for DoD Contractors to make necessary changes to their systems to ensure compliance and their continued ability to be considered for government contracts.

CMMC Advisory Services

Churchill & Harriman provides comprehensive help in achieving compliance to CMMC 2.0 and being prepared for the CMMC Assessment (formal C3PAO Assessment). We provide a clear implementation track — from reviewing and updating policies, to editing and authoring practices/procedures and plans, and to recommending suitable controls and solutions.

Services include:

  • Advising your Board of Directors and your business and technical teams with strategic and comprehensive guidance and on all subjects leading to successful certification to CMMC.
  • Gap Assessments.
  • Determining if CMMC applies to your organization and, if so, to what Level of certification — all companies with DoD contracts will have to be CMMC certified, be it enterprise, business line, or enclave.
  • Identifying how your current compliance to NIST SP 800-171 and 172 or NIST SP 800-53 maps to the CMMC requirements.
  • Developing and executing a roadmap to successful certification to CMMC.
  • Development of any and all required security documentation.
  • Review of your remediation approach, pre-certification readiness, and your self-attestation.
  • Assistance with CMMC assessment coordination; if acceptable by your selected C3PAO Organization, C&H is prepared to stand by your company during your CMMC assessment to assist you through the actual on-site audit.

SCA / AUP Assessment

Churchill & Harriman is extending preferred SCA / AUP Assessment pricing to Aetna vendors. We welcome the opportunity to work with you in completing your SCA / AUP Assessment. For more information on SCA / AUP Assessments and third party risk management, please click here.

Testimonials

I also want to compliment you personally for the way you have conducted your business dealings with us. This letter is written to make certain you know how high a value we place on our relationship with you. I consider you a trusted business advisor who takes a deep and personal interest in our success, and I always appreciate your honesty and integrity. In every situation you deliver what you say you will, on schedule, and at the budget specified. Most of all, you have a great work ethic, and adhere to the old fashioned values of actually doing what you have committed to do. This type of relationship and this kind of service seem to be increasingly hard to find in this day and age. I am happy to endorse Churchill & Harriman to any organization interested in enjoying a close relationship with a risk mitigation consultancy that I consider an important part of my daily business. I can truly state, without hesitation, that Churchill & Harriman provides the highest degree of honesty, integrity and ethics, and has become a vital component to our success.
Director, Information SecurityFortune 50 Corporation and Health ISAC Board Member Organization
 
 

info@chus.com|609-921-3551

Copyright 2023|All Rights Reserved|Website by Asenka