DOES YOUR COMPANY NEED CMMC 2.0?
Cybersecurity Maturity Model Certification
CMMC (Cybersecurity Maturity Model Certification) is a new cybersecurity framework developed by the Department of Defense (DoD) to ensure the security of sensitive data shared with contractors and suppliers. The CMMC certification process assesses a company's cybersecurity practices against a set of defined standards, ranging from basic cyber hygiene to advanced and progressive cybersecurity practices. The CMMC framework includes 17 domains, covering areas such as access control, incident response, and security assessment and authorization.
Who needs CMMC Certification?
If your company is part of the Department of Defense's supply chain (or plans to be in the foreseeable future), as either a contractor or a subcontractor, then you will need CMMC certification. The required level depends on the type of data involved and on whether the company will handle CUI or FCI.
Federal Contract Information (FCI)
Information provided by the government through a contract that is not intended for public release but is necessary to complete the product or service
Controlled Unclassified Information (CUI)
Information, including laws, that needs safeguarding or is not intended for public release, but does not include classified information
Levels of Compliance
The tiered model requires companies entrusted with national security information to implement cybersecurity standards at progressively higher levels, based on the type of information and its sensitivity. This model also establishes the processes for disseminating this information to subcontractors.
Level 1 (Foundational)
Annual self-assessment
Level 2 (Advanced)
Triannual third-party assessments for critical national security information
Annual self-assessment for select programs
Level 3 (Expert)
Triannual government-led assessments, following the additional requirements from the NIST SP 800-172 standards