What is the CMMC?
CMMC stands for Cybersecurity Maturity Model Certification and is the latest security framework mandated by the Department of Defense [DoD] for any contractor that sells into the DoD. Due to unacceptable risks to Controlled Unclassified Information [CUI] and Federal Contract Information [FCI] stored on contractor systems, the DoD has introduced CMMC to ensure that appropriate levels of cybersecurity protections and processes are in place. It specifies a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for RFPs and vendor selection.
On November 4, 2021, the Department of Defense announced several changes to the Cybersecurity Maturity Model Certification (“CMMC”) program to streamline the model, reduce assessment costs, and provide for more flexible implementation. The primary goals of the program include:
Safeguard sensitive information to enable and protect the warfighter
Dynamically enhance DIB cybersecurity to meet evolving threats
Ensure accountability while minimizing barriers to compliance with DoD requirements
Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
Maintain public trust through high professional and ethical standards
What is CMMC 2.0 & how is it different?
What are the new levels for CMMC?
CMMC 2.0 streamlined the number of maturity levels from five to three, removed CMMC-unique practices, as well as all maturity processes from the CMMC model. Each of the three new maturity levels is aligned with existing standards:
CMMC 2.0 Level 1 is aligned with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
CMMC 2.0 Level 2 is aligned with NIST SP 800-171 [requires compliance with DFARS 52.204-21]
CMMC 2.0 Level 3 is aligned with NIST SP 800-172 [requires compliance with DFARS 52.204-21 & NIST SP 800-171]
Graphic Source: https://www.acq.osd.mil/cmmc/
Ready to take on CMMC?
Choose from some of our compliance capabilities below to learn more about how we can help you!
“I am ready for the CMMC assessment and need to get in contact with a Provisional Assessor!”
Our Provisional Assessor will be among the first to be able to conduct CMMC Level 1-3 Assessments. Reef Systems is a CMMC-AB Cleared Candidate C3PAO, awaiting authorization to perform assessments.
“We are ready for our leadership to understand the new CMMC model and changes so they can lead our organization into the future”
Reef Systems will help your company’s leadership understand that CMMC compliance is not only about technology but also about processes. This assures that the whole organization embraces the protection of information. Your organization may have to adapt and change to uphold these standards. Leadership’s support and understanding of this process leads to a critical view of the organization as you address all areas that need improvement to support the CMMC requirements.
“We understand that we need to follow CMMC Compliance for future contracts, but we don’t know where to start”
Reef Systems can help companies from the ground up, following an assessment of the risks that need to be addressed or improved prior to the CMMC assessment. This involves focusing on the CMMC compliance requirements, comparing them to what is currently in place, and identifying what needs to be fixed to meet the standards. We will give you areas of improvement and map out what your company needs to fix to pass the CMMC assessment.
“We have done a gap analysis and see what we need to fix, but don’t know how to map out a solution to fix this”
Reef Systems has received direct training from the CMMC-AB, and we know exactly what the assessor will be looking at for your company to pass the assessment. Through our remediation services, we will look at your company’s current gap assessment and help resolve any final issues that would keep you from receiving the certification. This includes sitting down with you to help answer any questions or help with any specific issues in the different controls.
TEAM AWARENESS TRAINING
“I have made all technical changes but need my employees to be on the same page about cyber hygiene”
This service is specifically related to preparing your entire organization for CMMC. To ensure that CMMC requirements are continuously monitored throughout the entire organization, Reef Systems offers team awareness training to educate employees on cyber hygiene and on CUI. Substantial training is required from a security perspective to make sure your whole organization understands and is trained on the behavioral changes that need to take place.
“I am ready for the audit and have remediated all the issues, come audit me”
If you think you are ready to obtain CMMC certification, Reef Systems offers pre-assessment help to double check that you have all the information and evidence needed to pass. This ensures that you are ready for an assessment and have everything you need before paying for the CMMC assessment.
NIST SP 800-171
Reef Systems offers an Environmental Readiness Check that will help your organization uncover systems and processes that may not meet the standards outlined in NIST SP 800-171, such as:
How is data stored and access to information controlled?
Are incident response plans in place, current, and effective?
Are IT staff and other personnel adequately trained?
How are security protocols implemented and maintained?
Reef Systems also offers a NIST SP 800-171 Gap Assessment, which will pinpoint risk areas for contractors and facilitate the creation and execution of the Gap Remediation Plan. Without a Gap Assessment in hand, contractors may find it impossible to identify risks, prioritize activities, and determine costs for any remedial steps required in pursuing CMMC certification.
Reef Systems also offers NIST SP 800-171 Gap Remediation as a prioritized, actionable plan to address any security needs uncovered in the Gap Assessment and bring the contractor into NIST SP 800-171 compliance. This includes creating a Plan of Action & Milestones (POA&M) that will need to be uploaded into the Supplier Performance Risk System (SPRS) and will document:
The necessary activities to resolve security issues
The resources required to mitigate any problems and close security gaps
A timeline with project completion dates and milestones to track progress for anything that is not yet completed
Insights into security vulnerabilities
Team Reef Systems
Reef Systems partners with different vendors to provide solutions that help our clients achieve compliance.