Cybersecurity Maturity Model Certification (CMMC)
Cyber-attacks from foreign governments and organized crime groups are at the forefront of US national security concerns. Over $600 billion annually is exfiltrated from the Defense Industrial Base supply chain. The U.S. Department of Defense (DoD) is implementing the CMMC regulations in 2020 for all suppliers.
Get Ready for CMMC 2.0
The future of your business depends on how you prepare for cybersecurity maturity model certification (CMMC). CMMC will require independent audits and certification as a “pre-qualification” requirement prior to contract award. If suppliers are unable or unwilling to make the required changes, they may lose all existing DOD contract rebids and future contracts. CORTAC provides end-to-end CMMC guidance and services and leverages cybersecurity and information assurance as a competitive advantage while reducing the compliance and contracting risks of meeting ITAR, EAR, DFARS, & CMMC requirements.
By The Numbers (infographic; the figures themselves were not captured): Global Defense Supply Chain; DOD IP on Non-DOD Supplier Networks; Suppliers that could pass certification today; Required to achieve CMMC certification
Cybersecurity Maturity Model Certification (CMMC) Framework
The cybersecurity maturity model certification framework is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). CMMC is a critical element of the Department of Defense’s overall Information Protection strategy.
The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
Our CMMC Approach
We bring a unique blend of experience with a team that is well versed in both supporting companies primarily optimized around commercial contracts, and companies organized to mainly support DoD programs. You receive a right-sized, end-to-end solution suited to your unique company requirements. Our business model is not built on selling you downstream licenses and services, but on helping you establish the most cost effective and risk balanced implementation to meet your business needs.
Understand Your Risks and Obligations
- Identify baseline security & compliance gaps and IT vulnerabilities
- Receive gap recommendations
- Generate executive level solution roadmap
Plan And Implement “Right-Sized” Solutions
- Define “right-sized” architecture solution, implementation plan, costs, and timeline
- Implement technical solutions and configurations
- Migrate FCI/CUI information and develop documentation (Policy, Procedure, SSP, and POA&M)
Maintain Ongoing Compliance
- Maintain compliant operations
- Documentation maintenance
- Support change management and provide reporting and audit support
- Facilitate incident response
Registered Practitioner Organization
The Cybersecurity Maturity Model Certification Registered Practitioner Organization authorized badge helps you know you are working with an approved company. CORTAC Group has completed training, a rigorous background check, and practices the highest ethical standards as required by the CMMC Accreditation Board Code of Professional Conduct. As a CMMC RPO company we have the ability and desire to serve the U.S. Department of Defense Industrial Base as a CMMC advisor.
When you work with CORTAC Group you can have the confidence we know and understand the Department of Defense supply chain. Your company will reduce risk, gain a competitive advantage, and win more business as we help you navigate the complexities and regulations for this federal government program.
The world of CMMC can be complex, which is why we’re here to help. Say goodbye to hours of research – our resources below are designed to keep you up to date on all things CMMC.
CMMC Supplier Resource Center
Watch the recent webinar recordings and learn how Defense Industrial Base (DIB) suppliers can benefit from implementing an end-to-end, right-sized CMMC solution.
CMMC Implementation References
Overview: The NIST SP 800-171 standard required by CMMC 2.0 includes an obligation to avoid split tunnel Virtual Private Networks (VPNs). This prohibition has caused confusion for organizations pursuing such VPNs based on recommendations from their technology vendors. This paper intends to address the confusion by explaining the nuances behind the controls and the technology from the perspective of the security community.
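As an added illustration (not part of the paper or of CORTAC's material), the check below simulates the kernel's longest-prefix route lookup over constructed Linux `ip route` tables to tell a full-tunnel configuration from a split-tunnel one, which is the condition NIST SP 800-171 requirement 3.13.7 prohibits. The interface names, addresses and probe targets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

Route = NamedTuple("Route", [("dest", ipaddress.IPv4Network), ("dev", str)])

def parse_routes(text: str) -> list:
    """Parse `ip route show` style lines: DEST [via GW] dev IFACE [...]."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev))
    return routes

def lookup(routes, addr: str):
    """Longest-prefix match, the same selection rule the kernel applies."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None

def bypassing_probes(routes, vpn_dev: str, probes) -> list:
    """External probe addresses whose packets would leave the host on an
    interface other than the VPN tunnel, i.e. evidence of split tunneling."""
    leaks = []
    for probe in probes:
        route = lookup(routes, probe)
        if route is None or route.dev != vpn_dev:
            leaks.append(probe)
    return leaks

# Constructed sample tables (documentation ranges): 203.0.113.10 stands in
# for the VPN concentrator, 10.10.0.0/16 for the corporate network.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
"""
PROBES = ["198.51.100.7", "192.0.2.44"]  # arbitrary Internet destinations
```

Note that a full-tunnel client still keeps its physical default route and a host route to the concentrator; the two /1 routes simply win the longest-prefix match, which is why the check probes destinations rather than looking for a single default route.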
DFARS and NIST Quick Reference Links
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- Cybersecurity Maturity Model Certification Assessment Guide – Level 3
- NIST MEP Cybersecurity Self-Assessment Handbook
- NIST 800-171 Rev 2. Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations
- SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
SPRS Quick Reference Links
Frequently Asked Questions
What is Cybersecurity Maturity Model Certification (CMMC)?
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). CMMC is a critical element of DoD’s overall Information Protection strategy. The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
Why was CMMC created?
The cybersecurity maturity model certification (CMMC) was created to provide a baseline cybersecurity framework and maturity model based on data governance and driven by organizationally defined documentation, protections, and process institutionalization. DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
When is the Interim Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing CMMC (DFARS case 2019-D041) effective?
The interim rule became effective on November 30, 2020. The public review and comment period for DFARS Case 2019-D041 ended on November 30, 2020. Due to its designation as a major rule change, the interim rule must also complete a Congressional Review.
Will other Federal (non-DoD) contracts use CMMC?
The initial implementation of the cybersecurity maturity model certification (CMMC) will only be within the DoD and will be implemented through DFARS clause 252.204-7021. Additional Federal agencies and international organizations are considering CMMC.
What is the relationship between National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and CMMC?
CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, the CMMC model has five levels. The model is cumulative: each level consists of its own practices and processes together with those specified in the lower levels. Beyond the security requirements specified in NIST SP 800-171, the CMMC Model includes additional cybersecurity practices. In addition to assessing a company’s implementation of cybersecurity practices, CMMC also assesses the company’s process maturity.
Questions adapted courtesy of official CMMC government site – The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))