Cybersecurity Maturity Model (CMMC) Advisory And Assessment

Get CMMC Compliant

Using automated systems, processes, and controls together with prepared forms and templates, we make this process clear, straightforward, and accountable, with results that meet your CMMC compliance requirements.

As a candidate Certified Third Party Assessment Organization (C3PAO), Cyberleaf will now be able to complete your CMMC assessment through its Provisional Assessors.

What Are CMMC, RPO, And C3PAO?

Cybersecurity Maturity Model Certification (CMMC) Compliance

The Cybersecurity Maturity Model Certification, introduced by the Department of Defense (DoD) in 2019, requires suppliers and contractors to pass a third-party audit of their cybersecurity readiness or risk losing their ability to compete for and deliver on certain DoD contracts. When fully operational, the CMMC would be mandatory for all entities doing business with the DoD at any level, including flowdown provisions to lower-tier contractors.

All contractors and suppliers, primes and subs alike, are required to:

  • Establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, networks, and systems of the Defense Industrial Base (DIB) sector.

  • Meet one of the CMMC trust levels.

  • Demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter

  • Dynamically enhance DIB cybersecurity to meet evolving threats

  • Ensure accountability while minimizing barriers to compliance with DoD requirements

  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience

  • Maintain public trust through high professional and ethical standards

With its streamlined requirements, CMMC 2.0 aimed to cut red tape for small and medium-sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats.

CMMC 2.0 requires contractors to meet one of three compliance levels:

[Chart: CMMC compliance levels for CMMC 2.0]

Advisory Services: CMMC-AB Registered Provider Organization

With Registered Practitioners on staff, Cyberleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Compliance Assessment. Our staff can guide your team through:

  • Understanding CMMC Requirements
  • Evaluating Current CMMC Readiness
  • Developing Compliance Plan
  • Implementing Changes to Procedures
  • Completing Pre-assessment Evaluation

Depending on the level of CMMC Compliance sought, your organization will need to comply with up to 110 or more practices across NIST SP 800-171 r2 & Rev b, (FAR) 48 CFR 52.204-21, and other practices. We can help!

CMMC Compliance Assessment: Certified 3rd Party Assessment Organization (C3PAO)

Waterleaf (Cyberleaf's parent company) has been cleared by the CMMC-AB as a candidate Certified 3rd Party Assessment Organization (C3PAO). Our staff are certified by the CMMC-AB as Provisional Assessors Level 1-3 and can complete assessments on behalf of the company.

Progressively More Difficult Compliance Obligations

CMMC 2.0 has three cumulative certification levels:

  • Level 1 – focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. (This level has 17 practices and requires annual self-certification.)
  • Level 2 “Advanced” – focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2. This level requires third party certification.
  • Level 3 “Expert” – will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.

Learn More

Cyberleaf is an expert in the requirements for CMMC compliance and can guide you on your journey. In addition, Cyberleaf's Cybersecurity-as-a-Service can be a key component in your compliance plan.