TRUST THE EXPERTS
26 years of validated remediation and pre-certification results within critical infrastructure
26 years of risk assessment and attestation results within critical infrastructure environments
26 years serving Small Business clients to Fortune 100 clients—across global industries
Cybersecurity Maturity Model Certification (CMMC 2.0) is a Department of Defense (DoD) program that serves as a framework to enforce Federal Acquisition Regulation (FAR) 52.204-21 requirements, NIST SP 800-171 and 172, and the anticipated Final CMMC Rule. In order to better ensure national security, there are three distinct Levels of CMMC 2.0 Certification:
Level 1 Foundational — Defense contractors must provide evidence of basic cyber hygiene to achieve CMMC Level 1 certification. CMMC Level 1 corresponds to the basic Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses found in most DoD contracts. This Level establishes the security foundation for the subsequent Levels of the CMMC model and must be completed by all certified organizations. Level 1, which includes 17 controls, is readily achievable for smaller organizations and includes a subset of universally accepted common security practices across government and industry. Organizations must demonstrate that they have implemented effective security controls and that they have the ability to protect Federal Contract Information (FCI).
Level 2 Advanced — The processes for CMMC Level 2 are to establish a policy around each of the CMMC domains and to document that your practices implement that policy. CMMC Level 2 adds 93 new practices aligned with NIST SP 800-171 to the 17 controls of CMMC Level 1. CMMC Level 2 requires a triennial third-party assessment when the sensitive controlled information handled is critical to national security, and an annual self-assessment for other work involving Controlled Unclassified Information (CUI). Plans of Action & Milestones (POA&M) for scheduled upgrades are now permitted.
Level 3 Expert — Certification automatically implies that the contractor meets all criteria set by the CMMC, including all requirements at Levels 1 & 2. Organizations must have an advanced or progressive cybersecurity program in place and must demonstrate that they have implemented effective security controls and that they have the ability to protect Controlled Unclassified Information (CUI). This includes compliance with all security requirements of NIST SP 800-171, NIST SP 800-172, and DFARS Clause 252.204-7012. Effectively, Level 3 is the demonstrated implementation of all Level 1 & 2 policies and procedures, and it requires continuous control monitoring. This also covers proactive measures to safeguard CUI from Advanced Persistent Threats (APTs), which are mostly nation-state-sponsored threat actors that pose a serious risk to the nation's security.
Churchill & Harriman helps you achieve CMMC certification through the following processes:
Identification of the appropriate CMMC scope to help you understand the applicable control environment required.
Performance of a gap analysis against CMMC requirements and the existence and use of those controls. This will provide you with evidence of how close, or how far away, your organization TRULY IS from meeting the requirements outlined in the appropriate CMMC Level. The gap analysis will expose issues such as:
- How access to information systems is controlled.
- How managers and information system administrators are trained.
- How data are stored.
- How security controls and measures are implemented and enforced.
- Inadequate systems, processes, and policies.
- How incident response plans are developed and implemented.
- What maturity processes are required for each CMMC Level.
Without a proper gap analysis, it would be impossible to know what changes an organization might need to achieve the required CMMC Level.
The creation of a remediation plan, a Systems Security Plan (SSP), and a POA&M is based on the findings outlined in the Gap Assessment. The roadmap may involve small, quick fixes to a network and/or its processes, or it may involve the more extensive development of compliant networks and processes to meet applicable CMMC requirements.
Knowing what needs to be addressed will make it easier for DoD Contractors to make necessary changes to their systems to ensure compliance and their continued ability to be considered for government contracts.
CMMC Advisory Services
Churchill & Harriman provides comprehensive help in achieving compliance to CMMC 2.0 and being prepared for the CMMC Assessment (formal C3PAO Assessment). We provide a clear implementation track — from reviewing and updating policies, to editing and authoring practices/procedures and plans, and to recommending suitable controls and solutions.
Services include:
- Advising your Board of Directors and your business and technical teams with strategic and comprehensive guidance on all subjects leading to successful certification to CMMC.
- Gap Assessments.
- Determining if CMMC applies to your organization and, if so, to what Level of certification — all companies with DoD contracts will have to be CMMC certified, be it enterprise, business line, or enclave.
- Identifying how your current compliance to NIST SP 800-171 and 172 or NIST SP 800-53 maps to the CMMC requirements.
- Developing and executing a roadmap to successful certification to CMMC.
- Development of any and all required security documentation.
- Review of your remediation approach, pre-certification readiness, and your self-attestation.
- Assistance with CMMC assessment coordination; if acceptable to your selected C3PAO, C&H is prepared to stand by your company during your CMMC assessment and assist you through the actual on-site audit.