What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program is intended to increase cybersecurity standards for contractors in the Defense Industrial Base (DIB) looking to do business with the government. The program allows greater protections for sensitive and unclassified information distributed between the Department of Defense (DoD) and its contractors and subcontractors. The intent is to incorporate it into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Tiered Framework: Companies that handle national security information will be required to comply with cybersecurity standards of different levels. The type of information a contractor handles will determine the advancement level required.
Assessment Requirements: Organizations will be required to undergo certain assessments depending on their level requirements. This allows the DoD to ensure cybersecurity standards are being adequately met.
Implementation through Contracts: Once fully implemented, CMMC will require that contractors handling certain sensitive unclassified information meet a specific level as a condition of contract award.
In 2020, the US government began moving from a self-assessment cyber certification framework using NIST to a certified and third-party audited structure to ensure security hygiene in its contractors’ environments. On November 4th, 2021, the DoD announced that the CMMC program is being revised to streamline compliance for contractors in the Defense Industrial Base (DIB) looking to do business with the government.
CMMC Levels in-depth
Level 1: Foundational
- 17 practices
- Annual self-assessment
Level 2: Advanced
- 110 practices aligned with NIST SP 800-171
- Triennial third-party assessments for critical national security information
- Annual self-assessment for select programs
Level 3: Expert
- 110+ practices based on NIST SP 800-172
- Triennial government-led assessments
Image from the Office of the Under Secretary of Defense Website
What has Changed?
The new version – dubbed CMMC 2.0 – will streamline and refine the model by putting an emphasis on flexibility, collaboration, accountability, and high ethical standards. CMMC 2.0 will reduce the model from five tiers to just three, focusing on only the most critical requirements.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” said Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
Your Path to CMMC
1. TechGuard’s CMMC Services
Through our CMMC preparation advisory services, we will help you ready your practices, processes, and documentation through a gap analysis, then help you remediate and implement plans of action to address the gaps found.
2. Readiness Review
After finalizing your internal gap analysis and preparation, we will review the documentation and evidence to ensure it demonstrates the adoption of CMMC standards through a Pre-Assessment Readiness Review.
3. Audit and Certification
At this point, you are ready to schedule your CMMC audit with a C3PAO.
Once certified, you should establish a plan for continuous improvement and optimization.
The TechGuard Way
TechGuard must comply with CMMC due to our own contractual obligations, but we are also committed to safeguarding our country’s sensitive data by helping companies build security into their systems and culture. Because of this, we have invested in becoming one of the first cybersecurity companies in the states of Illinois and Missouri to be certified as a Registered Provider Organization (RPO) to help organizations with CMMC preparation and offer advisory services. We have multiple cybersecurity staff experts trained on the CMMC model who are Registered Practitioners (RPs) with the Accreditation Board.
As a Registered Provider Organization in the CMMC Ecosystem, we offer pre-assessment services including controls gap analysis with implementation guidance and readiness reviews to gauge your organization’s preparedness for a C3PAO assessment. However, RPOs are not authorized to perform final Certified Assessments.
Our trained RPs will examine your current cybersecurity practices, processes, and documentation to determine alignment with the CMMC mandatory controls for the applicable maturity level. In addition, this prioritized gap analysis will identify remediation recommendations for any missing or partially implemented controls to help prepare your organization for a successful certification assessment.
Pre-Assessment Readiness Review
TechGuard will review the objective evidence of the CMMC controls to determine if it sufficiently demonstrates organizational adoption. This is ideal for any organization that has internally conducted a gap analysis but needs further preparatory guidance or review prior to a certified assessment.
What our clients have to say…
"TechGuard's contributions help make the Office of Warfighter Integration and Chief Information Officer a top-notch organization and the pride of USAF Headquarters!" Michael W. Peterson,
"TechGuard... Unlike many other vendors we have dealt with over the years, truly listen to the client’s needs, and try to come up with a solution, not just a canned product or service that suits their own needs." President of a Managed Service Provider
"TechGuard upon evaluation was, in my opinion, the best solution out there and on top of that, the service from the representatives of TechGuard was unchallengeable. Chris/Joseph and any other staff we spoke to were professional from the outset." Digital Services Manager of a Local City Council
"The Vulnerability Assessment went well and was exactly what we were looking for. We appreciate the team's efforts and the detailed report afterward." County Government IT Official
"They came in on time and on budget. They even went above and beyond." Contract Manager for a local public transportation agency
"The TechGuard reporting is orders of magnitude better than any other pen-test firm I’ve seen!" Director of Strategic Services,
"TechGuard effectively helped us with our Internal and External Vulnerability Assessments. Not only did they make the testing process simple, but they provided us with an actionable and consumable report so that we knew exactly what to do next. I highly recommend TechGuard for your cybersecurity testing!" Manager,