PROTECT CONTROLLED UNCLASSIFIED INFORMATION WITHIN YOUR SUPPLY CHAIN WHILE ACHIEVING COMPLIANCE
The Cybersecurity Maturity Model Certification (CMMC) is the unified framework the Department of Defense (DoD) will use in acquisitions involving both prime contractors and subcontractors that provide goods and services to the DoD. In the past, prime contractors and subcontractors needed to attest to compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 as part of the award process. CMMC differs from DFARS 252.204-7012 by moving that requirement before award ("pre-award").
WHO NEEDS IT?
Any prime or subcontractor that provides goods or services to the DoD will need to comply with the CMMC for third-party assurance that they are able to protect controlled unclassified information (CUI). There are multiple levels of CMMC certification, and the DoD will inform organizations of the CMMC maturity level they need to achieve in order to be awarded contracts.
WHAT WE DO
Sikich works closely with manufacturers, suppliers, and other service providers to mature cybersecurity resilience in the US supply chain and Defense Industrial Base Sector to:
- Bring vision, planning, and support to the implementation of safeguards that achieve compliance with business objectives and obligations;
- Help clients apply their knowledge and resources to maintain information security awareness and operations; and
- Provide effective and efficient advisory services through evidence-based practices and highly skilled, dedicated, and competent consultants.
CMMC Stars Program
The STARS CMMC readiness program supports clients by simplifying CMMC certification and the implementation of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), which ultimately protects the warfighter on the battlefield. As part of this program, Sikich assists with scoping the CMMC enclave, completing self-assessment scoring, identifying compliance gaps, completing Plan of Action and Milestones (POAM) remediation planning, and documenting the System Security Plan (SSP). We also function as your outsourced cybersecurity and risk consulting partner, helping to guide efforts related to achieving and maintaining compliance.
WHERE TO START
The STARS CMMC readiness program onboarding process scopes where the organization currently stands on its CMMC journey. STARS is a holistic approach to meeting CMMC and government contractual requirements. Aligning the organization's CMMC maturity with the appropriate STARS phase allows Sikich to integrate established processes and documentation into the program. The onboarding process and alignment save money and time by streamlining what is required to achieve a secure and compliant environment.
MAJOR MILESTONES & DELIVERABLES
SCOPE
- Scope reduction advisory services
- Business objectives
- CUI classification
- Network diagrams
- Data flows
- Technologies
- People
- Shared responsibilities
Key Deliverables
- CMMC scoping document
TRAIN
- DFARS overview
- CMMC requirements
- CUI data classification and handling
- Documentation management
Key Deliverables
- CMMC training materials
SUPPORT
- CMMC control measure playbook
- Bi-weekly risk remediation advisory services
- Quarterly executive management updates
- Annual incident response training and testing
- Annual security awareness training
- Subcontractor assessments
Key Deliverables
- CMMC compliance playbook
- Quarterly compliance reports
- Training materials
- Optional support:
  - Subcontractor compliance reports
REMEDIATE
- Gap remediation recommendations
- Plan of Action and Milestones
- System Security Plan
- NIST SP 800-171 information security policies
- Incident response plan
Key Deliverables
- Plan of Action and Milestones
- CMMC System Security Plan
- Optional support:
  - NIST SP 800-171 information security policies
  - Incident response plan
ASSESS
- NIST SP 800-171 controls review
- Interviews
- Documentation review
- Controls validation
- NIST SP 800-171 gap identification
- DoD basic self-assessment score
Key Deliverables
- CMMC risk register
- Executive presentation
Additional CMMC Services
GENERAL INFORMATION SECURITY
- NIST SP 800-171 information security policy development
- Virtual Chief Information Security Officer (vCISO) consulting
- KnowBe4 security awareness training
- Information security consulting
INCIDENT RESPONSE
- Breach verification and remediation
- Data recovery
- Electronic litigation
- Forensic investigations
- Incident response plan development
- Incident response retainers
RISK MANAGEMENT
- Business continuity planning
- Security and risk assessments with threat modeling
- Vendor management and security assessments
- Cloud security assessments and transition consulting
SECURITY TESTING
- Application and network penetration testing
- Network segmentation testing
- Wireless network reviews and testing
- Physical security testing
- External and internal vulnerability scanning
PROTECT CUI WITHIN YOUR BUSINESS AND YOUR SUPPLY CHAIN.
WE’RE CERTIFIED IN THE FOLLOWING AREAS
PCI DSS
Organizations that store, process or transmit payment card data, such as merchants and service providers, need to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data (CHD).
PCI PA-DSS
Payment application vendors need to validate against the requirements of the PCI Payment Application Data Security Standard (PA-DSS), which supports merchant compliance with the PCI DSS.
HIPAA/HITECH
Health care institutions are required by law to protect the privacy of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
PCI P2PE
Payment application vendors and service providers can take advantage of the PCI point-to-point encryption (P2PE) framework to develop solutions that reduce merchant handling of payment card data.
GLBA
Financial institutions are required by law to comply with the Gramm-Leach-Bliley Act (GLBA) and maintain proper security controls to protect consumer financial privacy.