Cybersecurity Maturity Model Certification (CMMC)

PROTECT CONTROLLED UNCLASSIFIED INFORMATION WITHIN YOUR SUPPLY CHAIN WHILE ACHIEVING COMPLIANCE

The Cybersecurity Maturity Model Certification (CMMC) is the unified framework the Department of Defense (DoD) will use in acquisitions from both prime contractors and subcontractors that provide goods and services to the DoD. In the past, both prime contractors and subcontractors attested to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 compliance as part of the award process. CMMC differs from DFARS 252.204-7012 in that the requirement must be met before a contract is awarded, that is, "pre-award."

WHO NEEDS IT?

Any prime or subcontractor that provides goods or services to the DoD will need to comply with the CMMC for third-party assurance that they are able to protect controlled unclassified information (CUI). There are multiple levels of CMMC certification, and the DoD will inform organizations of the CMMC maturity level they need to achieve in order to be awarded contracts.

WHAT WE DO

Sikich works closely with manufacturers, suppliers, and other service providers to mature cybersecurity resilience in the US supply chain and Defense Industrial Base Sector to:

  • Bring vision, planning, and support to the implementation of safeguards that achieve compliance with business objectives and obligations;
  • Help clients apply their knowledge and resources to maintain information security awareness and operations; and
  • Provide effective and efficient advisory services through evidence-based practices and highly skilled, dedicated, and competent consultants.

CMMC Stars Program

The STARS CMMC readiness program supports clients by simplifying CMMC certification and the implementation of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), which ultimately protects the warfighter on the battlefield. As part of this program, Sikich assists with scoping the CMMC enclave, completing self-assessment scoring, identifying compliance gaps, completing Plan of Action and Milestones (POAM) remediation planning, and documenting the System Security Plan (SSP). We also function as your outsourced cybersecurity and risk consulting partner, helping to guide efforts related to achieving and maintaining compliance.

WHERE TO START

The STARS CMMC readiness program onboarding process scopes the organization's current CMMC journey. STARS is a holistic approach to meeting CMMC and government contractual requirements, but aligning the organization's current CMMC maturity with the appropriate STARS phase allows Sikich to integrate processes and documentation the organization has already established into the program. This onboarding and alignment saves money and time by streamlining what is required to achieve a secure and compliant environment.

STARS PHASES, MAJOR MILESTONES & DELIVERABLES

SCOPE: DEFINE CUI SCOPE

  • Scope reduction advisory services
  • Business objectives
  • CUI classification
  • Network diagrams
  • Data flows
  • Technologies
  • People
  • Shared responsibilities

Key Deliverables

  • CMMC scoping document

TRAIN: PROVIDE TRAINING MATERIALS

  • DFARS overview
  • CMMC requirements
  • CUI data classification and handling
  • Documentation management

Key Deliverables

  • CMMC training materials

ASSESS: PERFORM DOD BASIC SELF-ASSESSMENT

  • NIST SP 800-171 controls review
    • Interviews
    • Documentation review
    • Controls validation
  • NIST SP 800-171 gaps identification
  • DoD basic self-assessment score

Key Deliverables

  • CMMC risk register
  • Executive presentation

REMEDIATE: DESIGN STRATEGIC ROADMAP

  • Gap remediation recommendations
  • Plan of Action and Milestones
  • System Security Plan
  • NIST SP 800-171 information security policies
  • Incident response plan

Key Deliverables

  • Plan of Action and Milestones
  • CMMC System Security Plan
  • Optional support:
    • NIST SP 800-171 information security policies
    • Incident response plan

SUPPORT: IMPLEMENT CONTINUOUS COMPLIANCE

  • CMMC control measure playbook
  • Bi-weekly risk remediation advisory services
  • Quarterly executive management updates
  • Annual incident response training and testing
  • Annual security awareness training
  • Subcontractor assessments

Key Deliverables

  • CMMC compliance playbook
  • Quarterly compliance reports
  • Training materials
  • Optional support:
    • Subcontractor compliance reports

STARS ONBOARDING: ALIGNING STARS TO MEET YOUR ORGANIZATION'S NEEDS

GENERAL INFORMATION SECURITY

  • NIST SP 800-171 information security policy development
  • Virtual Chief Information Security Officer (vCISO) consulting
  • KnowBe4 security awareness training
  • Information security consulting

INCIDENT RESPONSE

  • Breach verification and remediation
  • Data recovery
  • Electronic litigation
  • Forensic investigations
  • Incident response plan development
  • Incident response retainers

RISK MANAGEMENT

  • Business continuity planning
  • Security and risk assessments with threat modeling
  • Vendor management and security assessments
  • Cloud security assessments and transition consulting

SECURITY TESTING

  • Application and network penetration testing
  • Network segmentation testing
  • Wireless network reviews and testing
  • Physical security testing
  • External and internal vulnerability scanning

PROTECT CUI WITHIN YOUR BUSINESS AND YOUR SUPPLY CHAIN.

WE’RE CERTIFIED IN THE FOLLOWING AREAS

PCI DSS

Organizations that store, process or transmit payment card data, such as merchants and service providers, need to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data (CHD).

PCI PA-DSS

Payment application vendors need to validate against the requirements of the PCI Payment Application Data Security Standard (PA-DSS), which supports merchant compliance with the PCI DSS.

HIPAA/HITECH

Health care institutions are required by law to protect the privacy of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

PCI P2PE

Payment application vendors and service providers can take advantage of the PCI point-to-point encryption (P2PE) framework to develop solutions that reduce merchant handling of payment card data.

GLBA

Financial institutions are required by law to comply with the Gramm-Leach-Bliley Act (GLBA) and maintain proper security controls to protect consumer financial privacy.

SSAE 16 (SAS 70)
