Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).

WHEN DID CMMC GO IN EFFECT?

The standard was released by the US Department of Defense (DoD) and became effective November 30, 2020.

START YOUR CMMC GAP ASSESSMENT & REMEDIATION JOURNEY TODAY!

Q: WHO DOES CMMC APPLY TO?

CMMC applies to DIB contractors who’s unclassified networks possess, store, or transmit CUI as well as DIB contractors who’s unclassified networks possess Federal Contract Information (FCI). Entities that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

Q: WHAT ARE THE CMMC LEVELS?

There are 5 CMMC Levels; each with associated controls and processes. CMMC Level 5 Certification is the highest (demonstrating advanced cyber hygiene); while Level 1 indicates basic cyber hygiene. CMMC Level 3 is great benchmark to target as it indicates “good cyber hygiene” and demonstrates full compliance with NIST SP 800-171 r1 and the Federal Acquisition Regulation (FAR). The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

ControlCase helps companies understand and prepare for their CMMC C3PAO assessment.

BEGIN YOUR CMMC JOURNEY WITH A GAP ASSESSMENT NOW.

Name*
Business Email*
Company*
Phone*
Countries*
Phone
This field is for validation purposes and should be left unchanged.

Using in house technology and an iterative assessment approach, we will start with a gap assessment for CMMC Level 2 and provide you with an actionable roadmap to successfully build a CMMC program for your company.

The CMMC Gap Assessment Process:

1.Initial Consultation and Scope Review: Start with an initial consultation to define the scope of the assessment, including understanding the organization’s cybersecurity environment, identifying systems and processes under CMMC requirements, determining the specific CMMC level needed, and understanding the flow of Controlled Unclassified Information (CUI) within the organization.

2.Documentation Review: Evaluate current compliance with CMMC requirements by reviewing existing policies, procedures, and security documentation, including the System Security Plan (SSP) and other relevant documents.

3.Security Control Evaluation and Gap Identification: Assess the implementation of security controls and identify gaps within the CMMC objectives. Evaluate both technical and non-technical controls to pinpoint deficiencies and determine how they impact compliance with each objective of the required CMMC level.

4.Designing an Actionable Roadmap: Develop a comprehensive and actionable roadmap that outlines steps to address identified gaps. The roadmap should include specific tasks, timelines, resources needed, and responsible parties to ensure effective implementation of required security controls.

5.Support for SSP Creation and Compliance: Provide support in creating and refining a compliant System Security Plan (SSP). This includes guidance on documenting security controls, policies, and procedures to ensure the SSP meets CMMC requirements and effectively supports the certification process.

Contact us today to discuss your CMMC gap assessment and remediation support plan!

USA +1.703.483.6383

CANADA +1.416.900.1272

UK / EUROPE +44.734.120.5513

INDIA / GULF REGION +91.22.50323006

ASIA PACIFIC +66.21056164

FREQUENTLY ASKED QUESTIONS

WHAT IS CMMC?

Cybersecurity Maturity Model Certification (CMMC) is a unified standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). It aims to standardize and improve cybersecurity practices within the Defense Department and the DIB ecosystem. Contractors can expect to see specific CMMC level requirements in their contracts, indicating the level of cybersecurity maturity they must achieve to be eligible for contract awards. This ensures that contractors implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

WHAT ARE THE CMMC LEVELS?

CMMC 2.0 has three levels:
- Level 1: Foundational - Basic safeguards for FCI. (17 controls)
- Level 2: Advanced - Aligned with NIST SP 800-171, required for CUI. (110 controls)
- Level 3: Expert - Aligned with NIST SP 800-172, for the most critical national security information.
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

WHAT DOES CMMC DO?

CMMC aims to standardize and improve cybersecurity practices within the Defense Department and the Defense Industrial Base (DIB) ecosystem. It ensures that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

WHO DOES CMMC APPLY TO?

CMMC applies to DIB contractors whose unclassified networks possess, store, or transmit CUI, as well as those whose networks possess Federal Contract Information (FCI). Entities that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

WHO CAN PROVIDE CMMC ASSESSMENTS?

Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level. ControlCase will assist with getting you ready for the assessment – we provide gap assessment and remediation support. Additionally, ControlCase is a candidate C3PAO.

WHY IS A SOLID SYSTEM SECURITY PLAN (SSP) IMPORTANT?

A robust System Security Plan (SSP) is critical as it documents how an organization's systems and security controls comply with CMMC requirements. It provides a comprehensive overview of the system environment, security requirements, and the controls in place to meet those requirements, serving as a foundation for a successful CMMC assessment and ongoing cybersecurity posture.

WHY IS IT IMPORTANT TO WORK WITH COMPANIES THAT HAVE CCPS AND CCAS ON STAFF?

Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) possess specialized knowledge and expertise in the CMMC framework. Working with companies that have CCPs and CCAs on staff ensures that you receive accurate guidance and support throughout the CMMC certification process. These professionals are trained to identify gaps, develop effective remediation plans, and ensure compliance with CMMC requirements, thereby increasing the likelihood of a successful certification.