What is CMMC?
At the beginning of 2020, the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defense (DoD) led the effort to secure the DoD supply chain and Defense Industrial Base through the introduction of the “Cybersecurity Maturity Model Certification”, or CMMC. It comes as no surprise that these areas contain extremely sensitive data. As a result, the CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate it into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
CMMC Levels in-depth
Level 1: Basic
- Consists of the 15 basic safeguarding requirements for FCI from FAR clause 52.204-21
- Requires that an organization performs the specified requirements
Level 2: Intermediate
- Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes
- Requires that an organization perform and document the practices and policies that meet the specified requirements, and demonstrate that it does so
- Intended as an optional intermediary step for contractors as part of their progression to Level 3
Level 3: Good
- Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes
- Minimum level when CUI is in the environment
- Requires that an organization establish, maintain, and resource a plan to manage and practice implementation
- Organizations must demonstrate that practices are followed, have been institutionalized, and are properly resourced
Level 4: Proactive
- Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes
- Requires an organization to review and measure practices for effectiveness, taking corrective action when necessary, and informing higher levels of management of status on a recurring basis
- Focuses on the protection of CUI from APTs with enhanced detection and response capabilities
Level 5: Advanced/Progressive
- Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
- Requires an organization to standardize and optimize process implementation across the organization
- Focuses on the increased protection of CUI from APTs with increased depth and sophistication of cybersecurity capabilities.
The CMMC Process
In 2020, the US government began moving from a self-assessment cyber certification framework using NIST to a certified and third-party audited structure to ensure security hygiene in its contractors’ environments. The resulting framework, the CMMC, will be released in a crawl, walk, run methodology over the next five years. While most contracts that don’t have Controlled Unclassified Information (CUI) will only need a level 1 certification, this requirement will only increase on government contracts moving forward. It won’t be required when you submit a proposal, but it will be required at the time of award if applicable.
Your Path to CMMC
1. TechGuard’s CMMC Services
Through our CMMC preparation advisory services, we will help you ready your practices, processes, and documentation through a gap analysis, then help remediate and implement plans of action to address the gaps found.
2. Readiness Review
After finalizing your internal gap analysis and preparation, we will review the documentation and evidence to ensure it demonstrates the adoption of CMMC standards through a Pre-Assessment Readiness Review.
3. Audit and Certification
At this point, you are ready to schedule your CMMC audit with a C3PAO.
Once certified, you should establish a plan for continuous improvement and optimization.
The TechGuard Way
TechGuard must comply with CMMC due to our own contractual obligations, but we are also committed to safeguarding our country’s sensitive data by helping companies build security into their systems and culture. Because of this, we have invested in becoming one of the first Cybersecurity companies in the states of Illinois and Missouri to be certified as a Registered Provider Organization (RPO) to help organizations with CMMC preparation and offer advisory services. We have multiple cybersecurity staff experts trained on the CMMC model who are Registered Practitioners (RPs) with the Accreditation Board.
As a Registered Provider Organization in the CMMC Ecosystem, we offer pre-assessment services including controls gap analysis with implementation guidance and readiness reviews to gauge your organization’s preparedness for a C3PAO assessment. However, RPOs are not authorized to perform final Certified Assessments.
Our trained RPs will examine your current Cybersecurity practices, processes, and documentation to determine alignment with the CMMC mandatory controls for the applicable maturity level. In addition, this prioritized gap analysis will identify remediation recommendations for any missing or partially implemented controls to help prepare your organization for a successful certification assessment.
Pre-Assessment Readiness Review
TechGuard will review the objective evidence of the CMMC controls to determine if it sufficiently demonstrates organizational adoption. This is ideal for any organization that has internally conducted a gap analysis but needs further preparatory guidance or review prior to a certified assessment.
What our clients have to say…
"TechGuard's contributions help make the Office of Warfighter Integration and Chief Information Officer a top-notch organization and the pride of USAF Headquarters!" - Michael W. Peterson,
"TechGuard... Unlike many other vendors we have dealt with over the years, truly listen to the client’s needs, and try to come up with a solution, not just a canned product or service that suits their own needs." - President of a Managed Service Provider
"TechGuard upon evaluation was, in my opinion, the best solution out there and on top of that, the service from the representatives of TechGuard was unchallengeable. Chris/Joseph and any other staff we spoke to were professional from the outset." - Digital Services Manager of a Local City Council
"The Vulnerability Assessment went well and was exactly what we were looking for. We appreciate the team's efforts and the detailed report afterward." - County Government IT Official
"They came in on time and on budget. They even went above and beyond." - Contract Manager for a local public transportation agency
"The TechGuard reporting is orders of magnitude better than any other pen-test firm I’ve seen!" - Director of Strategic Services,
"TechGuard effectively helped us with our Internal and External Vulnerability Assessments. Not only did they make the testing process simple, but they provided us with an actionable and consumable report so that we knew exactly what to do next. I highly recommend TechGuard for your cybersecurity testing!" - Manager,