Contractors and subcontractors with the Department of Defense (DoD) will soon be required to meet certain cybersecurity standards to comply with the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to bid on or be awarded contracts.
Hartman’s C-level business and technology leaders will conduct an independent assessment of an organization’s readiness for the program and determine appropriate next steps. Then, Hartman works directly with leadership to develop a plan to close gaps and work toward meeting the cybersecurity standard at the appropriate level. Hartman is not a C3PAO or certified assessor.
Our advisors will help you understand where and how to prioritize your cybersecurity efforts, make recommendations, and serve as a partner on your journey to compliance. C3PAO-certified companies can’t play this role and we can’t play theirs, but we CAN be a trusted independent resource that guides you to successful and appropriate outcomes.
Protecting National Security
The CMMC is a unified cybersecurity standard focused on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by defense contractors. There are three tiered levels: Level 1 (Foundational) indicates that a company follows “basic cyber hygiene” practices for safeguarding FCI, Level 2 (Advanced) covers the protection of CUI, and Level 3 (Expert) demonstrates that a company can detect and respond to the kind of threats posed by advanced persistent threats.
Unlike the existing DFARS 252.204-7012 clause, under which contractors simply self-attested to implementing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, CMMC requires contractors to either perform a formal self-assessment (affirmed by a senior company official) or engage an independent third-party assessor to confirm their compliance, depending on the level and the contract.
Helping You Achieve Compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0
To protect national security, the Cybersecurity Maturity Model Certification (CMMC) 2.0 builds on NIST SP 800-171 by adding a verification regime (self-assessment or third-party assessment, depending on the level) and, at Level 3, additional requirements drawn from NIST SP 800-172, and it requires all Department of Defense (DoD) contractors and subcontractors that handle FCI or CUI to meet the level specified in their contracts.
Essentially, to win contracts and do business with the DoD, an organization needs to prove that their cybersecurity maturity is at the appropriate level.
CMMC 2.0 Frequently Asked Questions
Here are answers to some of the most frequently asked questions around the CMMC 2.0:
What companies need to be compliant?
Any business that handles FCI or CUI under a DoD contract or subcontract, at any tier of the supply chain, will need to meet the CMMC 2.0 level specified in the solicitation to bid for and win future contracts.
How does CMMC 2.0 differ from previous regulations, like NIST’s SP 800-171?
At Level 2, the CMMC 2.0 model aligns with the existing NIST SP 800-171 requirements rather than adding practices on top of them; the main change is how compliance is verified. CMMC allows Level 1 companies, and Level 2 companies on contracts the DoD designates for self-assessment, to conduct annual self-assessments. Most Level 2 organizations must instead be assessed by a certified third-party assessment organization (C3PAO) every three years, and Level 3 organizations must additionally undergo a government-led assessment to be granted CMMC 2.0 certification. Additionally, the CMMC 2.0 model has three levels of practices and processes, down from the five in the original CMMC model.
What are the differences between the levels?
- Level 1 — 17 requirements for basic safeguarding of FCI, verified by annual self-assessment
- Level 2 — the 110 requirements of NIST SP 800-171, verified by annual self-assessment or by a triennial C3PAO assessment, depending on the contract
- Level 3 — the Level 2 requirements plus a subset of NIST SP 800-172, verified by a government-led assessment
Not all contracts will require the highest levels of compliance. The goal is for compliance to be cost-effective and affordable for small businesses to implement at lower levels.
Will this expand beyond the DoD?
There are no current plans for certification outside of the DoD, however it’s always possible that other agencies will embrace certification as it is based upon NIST standards and provides a methodology for compliance.
Will our level be made public?
No. The only thing that will be public is that your organization has achieved the certification. The level and specific findings are not made available to the public.
How much does certification cost?
The cost of third-party assessment is not intended to be prohibitive and will vary based on a number of factors. The goal is for compliance to be an allowable, reimbursable cost.
Where can I learn more?
The Office of the Under Secretary of Defense for Acquisition & Sustainment has more information and FAQs on their website: https://www.acq.osd.mil/cmmc/faq.html
Schedule a CMMC 2.0 Pre-Assessment Review
When implemented, CMMC 2.0 will not be optional for contractors who want to continue working with the DoD. Not sure where to get started? Contact Hartman today to learn more about our independent CMMC 2.0 readiness assessment and what actions leaders need to take to remain competitive and win future contracts.