Contractors and subcontractors with the Department of Defense (DoD) are required to meet certain compliance requirements and achieve their Cybersecurity Maturity Model Certification (CMMC) to bid on or be awarded contracts.
Hartman’s C-level business and technology leaders will conduct an independent assessment of an organization’s readiness for the certification and determine appropriate next steps. Then, Hartman works directly with leadership to develop a plan to close gaps and work toward certification at the most appropriate level. Hartman is not a C3PAO or certified assessor.
Our advisors will help you understand where and how to prioritize your cybersecurity efforts, make recommendations, and serve as a partner on your journey to compliance. C3PAO certified companies can’t play this role and we can’t play their role, but we CAN be a trusted independent resource to guide them to successful and appropriate certification outcomes.
Protecting National Security
The CMMC is a unified cybersecurity standard focused on protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). There are five tiered certification levels, starting with Level 1, which indicates a company follows “basic cyber hygiene” practices, and advancing to Level 5, which proves a company’s proficiency in detecting and responding to threats.
Unlike past regulations focused on cybersecurity, including the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, contractors will need an independent third-party assessor to confirm their compliance.
Helping You Achieve Compliance with the Cybersecurity Maturity Model Certification (CMMC)
To protect national security, the Cybersecurity Maturity Model Certification (CMMC) expands on NIST SP 800-171 by adding requirements and requiring all Department of Defense (DoD) contractors and subcontractors to comply with certain standards.
Essentially, to win contracts and do business with the DoD, an organization needs to prove that its cybersecurity maturity is at the appropriate level.
CMMC Frequently Asked Questions
Here are answers to some of the most frequently asked questions around the CMMC:
What companies need to obtain the certification?
Any business that contracts or subcontracts with the DoD will need to obtain a CMMC to bid for and win future contracts.
How does CMMC differ from previous regulations, like NIST’s SP 800-171?
The CMMC model expands on NIST SP 800-171 by adding requirements. However, CMMC does not allow companies to conduct self-assessments. Organizations must now prove their cyber capabilities to certified assessors to be granted CMMC certification. Additionally, the CMMC model has five levels of practices and processes.
What are the differences between the certification levels? Will my organization be penalized for being awarded a low level?
- Level 1 — Basic Cyber Hygiene
- Level 2 — Intermediate Cyber Hygiene
- Level 3 — Good Cyber Hygiene
- Level 4 — Proactive
- Level 5 — Advanced/Progressive
Not all contracts will require the highest levels of certification. The goal is for certification to be cost-effective and affordable for small businesses to implement at lower levels. Once achieved, certification is valid for three years.
Will this expand beyond the DoD?
There are no current plans for certification outside of the DoD; however, it’s always possible that other agencies will embrace certification, as it is based upon NIST standards and provides a methodology for compliance.
Will our level be made public?
No. The only thing that will be public is that your organization has achieved the certification. The level and specific findings are not made available to the public.
How much does certification cost?
The cost of certification is not intended to be prohibitive and will vary based on a number of factors. The goal is for certification to be an allowable, reimbursable cost.
Where can I learn more?
The Office of the Under Secretary of Defense for Acquisition & Sustainment has more information and FAQs on their website: https://www.acq.osd.mil/cmmc/faq.html
Schedule a CMMC Pre-Assessment Review
CMMC is not optional for contractors who want to continue working with the DoD. Not sure where to get started? Contact Hartman today to learn more about our independent CMMC readiness assessment and what actions leaders need to take to remain competitive and win future contracts.