What is CMMC?

Starting in fall 2020, DoD Requests for Information (RFI) and Requests for Proposal (RFP) will include requirements for suppliers to be CMMC certified in order to qualify for the contract. Although the CMMC assessment ecosystem is still under development, it is time to prepare for CMMC certification so that your organization can continue to qualify for and win DoD contracts.

CMMC assessments must be conducted by Certified Third-Party Assessment Organizations (C3PAOs) that have been accredited by the CMMC Accreditation Body (CMMC-AB) to provide assessment services.

Where to start?

A CMMC gap assessment provides a review of your organization’s current state of compliance with the CMMC standard. SBS draws on its expertise and experience as an information security auditing and consultancy company to analyze your existing administrative, technical, and physical security controls for alignment with the CMMC practices. The goal of the gap assessment is to determine how you are addressing each CMMC requirement for your required level and to establish a remediation plan for becoming compliant.

SBS’ gap assessment includes:

  • A review of existing information security policies and procedures
  • Interviews and discussions with relevant personnel
  • An analysis of processes and technologies for CMMC compliance
  • A detailed gap assessment report, detailing findings and remediation recommendations

What does it take to achieve CMMC?

The practices in CMMC Levels 1-3 most closely align with the 110 controls in NIST SP 800-171 for handling Controlled Unclassified Information (CUI), but 20 additional practices and 51 maturity processes go beyond NIST SP 800-171. Here are the most significant areas of CMMC to consider if you are already meeting DFARS 252.204-7012 and NIST SP 800-171.

  • Logging, monitoring, incident response, and reporting capabilities with a SIEM or similar technical solution – Domain Reference: Incident Response (IR) and Audit and Accountability (AU)
  • The ability to back up and restore data through tested, comprehensive, and resilient backup processes – Domain Reference: Recovery (RE)
  • Separate management of unsupported (end-of-life) products, logically and technically, with network restrictions, plus regular risk assessments to identify vulnerabilities – Domain Reference: Risk Management (RM)
  • DNS filtering, spam protection, and email sandboxing to protect against malicious traffic – Domain Reference: System and Communications Protection (SC) and System and Information Integrity (SI)

To pass a Level 3 assessment, companies will be assessed on their ability to meet and demonstrate all 130 practices that make up Levels 1, 2, and 3 (17 practices at Level 1, 55 more at Level 2, and 58 more at Level 3). This will include technical architecture and solutions, along with written policies and the documented, resourced processes that show the practices are performed consistently.

Ready to get started?

Contact SBS’ team of cybersecurity experts.