Cybersecurity Maturity Model Certification (CMMC)

PROTECT CONTROLLED UNCLASSIFIED INFORMATION WITHIN YOUR SUPPLY CHAIN WHILE ACHIEVING COMPLIANCE

The Cybersecurity Maturity Model Certification (CMMC) is the unified framework the Department of Defense (DoD) will use in acquisitions involving both prime contractors and subcontractors that provide goods and services to the DoD. Previously, prime contractors and subcontractors attested to their own compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 as part of the award process. CMMC differs from DFARS 252.204-7012 in that the requirement must be satisfied before the contract is awarded, i.e., it is a "pre-award" requirement.

WHO NEEDS IT?

Any prime or subcontractor that provides goods or services to the DoD will need to comply with the CMMC for third-party assurance that they are able to protect controlled unclassified information (CUI). There are multiple levels of CMMC certification, and the DoD will inform organizations of the CMMC maturity level they need to achieve in order to be awarded contracts.

The following is a breakdown of the number of practices and processes introduced at each CMMC maturity level based on version 1.02 of the CMMC framework:

WHAT WE DO

Sikich provides organizations with the following suite of services:

CMMC WORKSHOP

One of our CMMC experts conducts a one- to two-day workshop for organizations to discuss CMMC requirements, review the compliance process, and review current organization technical capabilities to meet CMMC requirements. These workshops can be conducted either on site or remotely, based upon the request of the client and current travel logistics.

GAP ANALYSIS

Sikich CMMC gap analysis engagements are designed to identify gaps within existing security programs and help prepare organizations for certification against CMMC. The deliverable will address an organization’s existing compliance posture in relation to CMMC, provide a detailed review of organizational policies and procedures, and offer a prioritized roadmap with actionable recommendations to meet CMMC compliance requirements.

REMEDIATION AND ADVISORY SERVICES

Following a gap analysis, Sikich assists organizations with remediation, working through the identified gaps in priority order. These activities can include creating policies and procedures, developing a System Security Plan (SSP), and making security architecture recommendations.

CERTIFICATION AND ATTESTATION

Certification against the CMMC is expected to start in the fall of 2020. Once certified as a Certified Third-Party Assessor Organization (C3PAO) by the CMMC Accreditation Body, Sikich will be able to support organizations with certification and accreditation.

WE’RE CERTIFIED IN THE FOLLOWING AREAS

PCI DSS

Organizations that store, process or transmit payment card data, such as merchants and service providers, need to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data (CHD).

PCI PA-DSS

Payment application vendors need to validate against the requirements of the PCI Payment Application Data Security Standard (PA-DSS), which supports merchant compliance with the PCI DSS.

HIPAA/HITECH

Health care institutions are required by law to protect the privacy of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

PCI P2PE

Payment application vendors and service providers can take advantage of the PCI point-to-point encryption (P2PE) framework to develop solutions that reduce merchant handling of payment card data.

GLBA

Financial institutions are required by law to comply with the Gramm-Leach-Bliley Act (GLBA) and maintain proper security controls to protect consumer financial privacy.

SSAE 16/(SAS 70)

Service organizations that process or host data on behalf of their customers obtain an attestation report on their controls under the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the successor to the earlier SAS 70 audit standard.