Our Cyber Security CMMC® Services
About CMMC®
The following is quoted from an official website of the US Government, US Dept of Defense: https://dodcio.defense.gov/CMMC/about/
“Cybersecurity is a top priority for the Department of Defense.
The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.
Overview of the CMMC Program
The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The CMMC 2.0 program has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
The Evolution to CMMC 2.0
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Enforce DIB cybersecurity standards to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Perpetuate a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
“
Using CMMC with Other Methodologies
We do more than just CMMC. If your organization is looking to implement CMMC alongside another methodology or practice such as CMMI, ISO 27001, Agile, Scaled Agile Framework®, Lean, or Six Sigma, we can help you integrate CMMC with other methodologies within your organization. Learn more about our CMMC multimodel approach.
FAQ
Need to Comply to NIST 800-171?
Excellence in Measurement Technology will perform a full detailed assessment of how your organization implements the NIST 800-171 Cybersecurity controls. We can help prepare a System Security Plan (SSP) and Plan-of-Action & Milestones (PO&AM) providing documented evidence to the DoD or your Prime that you are on the way towards compliance.
The latest revision is Rev 5. One of the key differences between the fourth and fifth revisions is the wording of the controls. Revision 5 is more focused on outcomes, whereas the fourth revision focused on impact.
Also, NIST 800-171 relates to non-federal systems and organizations, while NIST 800-53 is for federal organizations
The steps called out in the Plan-of-Action & Milestone are addressed and depending on the current state of your IT systems, this can be as simple as implementing multi-factor authentication and security awareness training of all personnel or as complex as refreshing an entire aging infrastructure.
Contact us to discuss the needs of your organization.