The US Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to respond to the increasing presence of cyber threats and intrusions aimed at the defense industrial base and its supply chains of more than 300,000 defense contractors. This new risk-management framework is designed to assess and enhance the cybersecurity posture of all contractors and subcontractors doing business with the DoD. CMMC certification initially will be a requirement to participate in some DoD requests for information (RFIs) and requests for proposal (RFPs) and eventually will expand to cover all DoD procurement.
While the CMMC requirements build on the NIST 800-171 revision 1 security requirements and other cybersecurity standards and frameworks, there are key differences:
- CMMC does not allow self-attestations.
- CMMC requires a certified third-party assessment organization (C3PAO) to audit and certify an organization’s processes and practices as meeting the requirements for a certain maturity level (Levels 1 to 5).
- To achieve a certain maturity level, all security requirements or “practices” and processes associated with that level must be implemented at the time of audit. These requirements are cumulative.
- Plans of action and milestones (POA&Ms) will no longer be acceptable. At time of certification, you must have fully implemented all requirements.
Regardless of the size of the business, DoD contractors that do not comply with these requirements put their business at risk. Not meeting these requirements is not an option if you want to continue to do business with the DoD. Existing and future contracts are on the line if you are not in compliance.
How BRG Can Help
BRG’s Government Contracts and Cybersecurity practices are an integrated team of professionals experienced in cybersecurity, incident response, government contracting, and technology risk. We help companies align and comply with the CMMC.
In its efforts to help contractors meet the new compliance obligations, the CMMC has authorized certain organizations to provide CMMC consulting and support. These registered provider organizations (RPOs) must be staffed by registered CMMC practitioners who are trained in CMMC methodologies and trusted by the CMMC to provide assessment preparation and other services.
BRG has been approved by the CMMC Accreditation Body as an RPO and has several Registered Practitioners on its CMMC team.
CMMC Readiness Assessment
Taking advantage of our extensive understanding of cybersecurity, NIST SP 800-171, and the CMMC requirements, our team works with DoD contractors to ensure compliance with the CMMC requirements. Our team assesses existing processes and controls against the CMMC frameworks to identify gaps between your controls and the CMMC model, and provides recommendations for remediating those control gaps. We will work with DoD contractors to resolve security requirements that may have been part of a POA&M.
CMMC Remediation Planning and Implementation and POA&M Management
Whether you have performed a self-assessment or undergone a readiness assessment or an official audit from a C3PAO, our experts can work with your team to build a remediation plan and close your existing gaps.
CMMC Business Impact Analysis
CMMC will have impacts on project-specific IT systems, your supply chain, and your bid and proposal strategies. Leveraging BRG’s expertise and years of experience supporting contractors, our team can work with you to develop a strategy for responding to issues such as risk assessment of your partners. This will help to ensure that partners are prepared for the CMMC so you can successfully bid, estimate cost implications, and respond to RFP and RFI CMMC requirements.
Mapping Controlled Unclassified Information
The ways in which companies store data are becoming more and more complicated. End-to-end identification of where controlled unclassified information (CUI) can reside or be transmitted from can be a formidable task. BRG can assist DoD contractors with identifying and inventorying CUI and with creating a data map for your CMMC compliance program.
System Security Plans Development and Documentation Support
Development of a system security plan (SSP) that is updated periodically to reflect changes in an organization’s environment is essential for government contractors and subcontractors. BRG can assist DoD contractors in the development and documentation of an SSP. Our team can perform a review and provide feedback and guidance for updating an existing plan. We can help formalize your processes and controls and can assist with the development and implementation of policies and procedures that align with the CMMC framework.
Supply Chain Risk Management
Contractors must address CMMC requirements for their own organizations and also consider the indirect risk of disruption due to noncompliance of subcontractors within the supply chain. Subcontractors play a critical role in the supply chain, and companies need to assess and respond to the risk of subcontractors not being able to comply with their respective CMMC requirements on a contract. If a vital subcontractor cannot meet the defined CMMC requirements, that subcontractor will not be able to work as a subcontractor for the respective contract, which could cause serious supply chain disruptions for the prime contractor.
We leverage BRG’s breadth of experience in government contracting and the firm’s technical resources to help clients identify, map, and profile their supply chains. This provides transparency and valuable information to flag potential cybersecurity weaknesses with subcontractors and to mitigate supply chain disruption.