Cybersecurity Maturity Model (CMMC) Advisory And Assessment
Get CMMC Compliant
Using automated systems, process, controls with prepared forms and templates we make this process clear, straightforward and accountable with results to meet your CMMC requirements.
What Are CMMC, RPO, And C3PAO?
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification, introduced by the Department of Defense (DoD) in 2019, requires suppliers and contractors to pass a third-party audit of their cybersecurity readiness or risk losing their ability to compete for and deliver on certain DOD contracts. When fully operational, the CMMC would be mandatory for all entities doing business with the DoD at any level, including flowdown provisions to lower tier contractors.
All contractors and suppliers, primes and subs are required to:
Establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, network, and systems of the Defense Industrial Base (DIB) sector.
Meet one of the CMMC trust levels and
Demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
Safeguard sensitive information to enable and protect the warfighter
Dynamically enhance DIB cybersecurity to meet evolving threats
Ensure accountability while minimizing barriers to compliance with DoD requirements
Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
Maintain public trust through high professional and ethical standards
With its streamlined requirements, CMMC 2.0 aimed to cut red tape for small and medium sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
CMMC 2.0 requires contractors to meet one of three compliance levels:
Advisory Services: CMMC-AB Registered Provider Organization
With Registered Practitioners on staff, Cyberleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Assessment. Our staff can guide your team through:
Understanding CMMC Requirements
Evaluating Current CMMC Readiness
Developing Compliance Plan
Implementing Changes to Procedures
Completing Pre-assessment Evaluation
CMMC Assessment: Certified 3rd Party Assessment Organization (C3PAO)
Waterleaf (Cyberleaf's parent company) has been cleared by the CMMC-AB as a candidate Certified 3rd Party Assessment Organization (C3PAO). Our staff are certified by the CMMC-AB as Provisional Assessors Level 1-3 and can complete assessments on behalf of the company.
Progressively More Difficult Compliance Obligations
There are three cumulative Certification levels to the CMMC 2.0:
- Level 1 – focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. (This level has 17 practices and requires annual self-certification.)
- Level 2 “Advanced” – focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2. This level requires third party certification.
- Level 3 “Expert” – Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.
Cyberleaf is an expert in the requirements for CMMC compliance and can guide you on your journey. In addition, Cyberleaf's Cybersecurity-as-a-Service can be a key component in your compliance plan.