Cybersecurity Maturity Model Certification (CMMC)
Readiness Assessment Services
24By7Security offers Cybersecurity Maturity Model Certification (CMMC) 2.0 readiness services for defense contractors.
We are a Registered Provider Organization for CMMC!
24By7Security is named as a Registered Provider Organization (RPO) by the CMMC Accreditation Body (CMMC-AB). We are trained and qualified to assist DoD suppliers with getting ready for certification on the CMMC 2.0 model. We have multiple employees trained on CMMC and approved as Registered Practitioners (RP).
Last year, the Department of Defense required that all defense contractors and suppliers doing business with the DoD comply with CMMC standards. In response to increased and constantly evolving cyber threats, the Department of Defense has established this new security measure to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other national security-related sensitive data on systems and networks owned by defense contractors. In late 2020, the DoD identified CMMC pilots, also called CMMC pathfinders, within different departments of the DoD.
Our Services for CMMC Readiness
In order to remain qualified as a DoD contract bidder, we can assist you with the following pre-certification efforts:
- Gap assessment between your current state and CMMC requirements
- Development of Plan of Action and Milestones (POAM) and Corrective Action Plan (CAP) to address any gaps
- Assistance with implementing the changes needed and tracking milestones against the POAM and CAP
- Policy and procedure preparation
- Vulnerability Assessments, Penetration Testing, and other services as may be required
Get a head start and prepare for CMMC 2.0 compliance with 24By7Security
The 24By7Security team is experienced in preparing organizations for cybersecurity audits, regulatory compliance, and certification readiness. Certification readiness and preparation are the most arduous part of the certification process. We can guide your organization through this process in the most efficient and cost-effective manner.
Your Path to CMMC 2.0
Starting in November 2020 a number of select DoD RFPs will include a requirement that all bidding contractors must meet a minimum of Level 1 CMMC certification to qualify. These certification requirements will continue to be phased in over the next several years until it is a prerequisite to bid on any contract with DoD. The best way to comply with these requirements is to follow the path to CMMC as outlined in this diagram.
1. Gap Assessment - We can help you identify the gap between your current state and the CMMC level you wish to meet.
2. Remediation - We can help you with preparing your Plan of Action and Milestones (POAM) and Corrective Action Plan (CAP) and in tracking your remediation activities and milestones. Remember that in order to achieve CMMC certification, all open items must be remediated.
3. Audit and Certification - This is when it's time to hire a C3PAO (Certified Third Party Assessment Organization) or conduct a self-assessment. Third-party assessments may be conducted by C3PAOs or government officials.
4. Optimization - Once certified, you should plan to be on a path of continuous improvement and optimization of your operations.
What are the 3 Levels of CMMC?
In time, all defense contractors will be required to achieve a minimum Level 1 certification.
The CMMC 2.0 model streamlines the levels from five to three. Under the newly stated maturity levels, the model now begins with Level 1 (“Foundational”) and culminates with Level 3 (“Expert”). Levels 2 and 4 of the original model have been dropped: they had been developed as transitional levels and were never intended to be assessed requirements.
The three remaining levels are progressively more demanding, and the level required depends on the type of information an organization handles.
According to Version 2 of CMMC, here’s what is required at each of the three levels:
- Level 1 - Foundational: Maturity Level 1 remains unchanged. It still has 17 practice requirements, which align with the 15 cybersecurity practices in FAR 52.204-21. It will require DIB company self-assessments and is intended for companies that handle FCI only; this information requires protection but is not critical to national security.
- Level 2 - Advanced: The previous Maturity Level 3 has been replaced by the new Maturity Level 2. The 20 “delta” practices have been removed, so this level now maps to the 110 practices of NIST SP 800-171. It may require third-party or self-assessments depending on the type of information handled, and is targeted at companies with CUI.
- Level 3 - Expert: Based on a subset of NIST SP 800-172, this level is still in development. It replaces the previous Maturity Levels 4 and 5. It will be assessed by government officials and is intended mainly for the highest-priority programs that handle CUI.