Cybersecurity Maturity Model Certification (CMMC)
Safeguarding controlled government data from unauthorized disclosure and/or release is critical to our national security.
Are you behind in becoming compliant, or do you have contracts on hold because you are afraid of the cost of becoming compliant and getting ready for CMMC certification?
If you are already doing work for the DoD or its Primes, then you have likely been getting questionnaires about the status of your NIST SP 800-171 compliance. You know you must become compliant, but you think compliance or CMMC certification may be too expensive or daunting.
ATS can help. We know time is critical, especially if you already have contracts in place or are bidding on new ones. Our cybersecurity experts can come onsite or work remotely to assess your business for compliance gaps, create a Plan of Action Matrix (POAM), and help you submit and raise your DoD Supplier Performance Risk System (SPRS) score. Don’t risk losing your government contracts because you are not compliant.
There is no single boxed solution for NIST SP 800-171 compliance and CMMC Certification. Every business has unique IT and Facility needs. ATS’ compliance analysis will examine your complete IT infrastructure and facilities. Our CMMC-AB certified Registered Practitioners (RP) will see exactly what a CMMC Third-Party Assessment Organization (C3PAO) performing a certification audit would see. This allows us to identify compliance gaps and assist you with becoming compliant quickly.
How can I afford the cost or keep costs down?
- Not everything in your business must be NIST SP 800-171 compliant. You can save time and money by confining the government data that must be protected to a limited set of locations, isolated from your non-government contracts.
- There are organizations out there that help businesses obtain grants and funding for cybersecurity. If you’re a manufacturer in the Rochester, NY or Finger Lakes Region of New York State, our partner NextCorps might be able to get you access to funding opportunities that can take 10-60% off your costs.
- Being NIST SP 800-171 compliant gives your business an advantage over companies that have not yet achieved compliance. This can result in winning more government contracts, growing your business, and increasing revenue.
- Losing a contract or not being able to bid on new contracts due to not being compliant can result in significant revenue loss. Cyber attacks can also cripple a business that is not protected.
The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem and the sole authorized non-governmental partner of the U.S. Department of Defense in implementing and overseeing the CMMC conformance regime.
If You’re Waiting for CMMC to Start Compliance, You’re Already Behind!
Learn More at the PreVeil Blog
NIST SP 800-171
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012.
Read Traci Spencer's blog post at NIST.gov for more information.
Cybersecurity Maturity Model Certification (CMMC)
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyber attacks.
Why CMMC?
The CMMC program includes cyber protection standards for companies in the defense industrial base (DIB). By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.
Why the defense industrial base (DIB)?
The DIB is the target of increasingly frequent and complex cyber attacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats, and safeguarding the information that supports and enables our warfighters, is a top priority for the Department. CMMC is a key component of the Department’s expansive DIB cybersecurity effort.
Journey to CMMC 2.0
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework. The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review.
When do we need to be certified by?
On December 26, 2023, the Department of Defense (DoD) published the long-awaited Proposed Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program. The proposed CMMC rule is not expected to become final until late 2024 or early 2025, and CMMC requirements will start to appear in contracts by first quarter 2025, 60 days after the Interim Rule's publication.
The proposed CMMC rule has three levels:
- Level 1 covers contractors that work only with FCI. They would have to implement the 15 security controls outlined in FAR 52.204-21 and do an annual self-assessment, registering it in the Supplier Performance Risk System (SPRS).
- Level 2, which would be for the majority of DIB contractors, would be split. A small group of Level 2 contractors would do self-assessments like those required in Level 1, with that group defined per individual DoD contracts. The majority of companies handling CUI would be subject to third-party assessments every three years. These would be done by a Certified Third-Party Assessment Organization (C3PAO) and submitted on companies’ behalf through the eMASS system, which would then get the information into SPRS. To achieve Level 2, contractors would have to implement the 110 security controls in the National Institute of Standards and Technology’s (NIST) SP 800-171 Revision 2.
- Level 3 would be for the biggest defense contractors and DoD assessors would do their certification assessment. Contractors at this level would have to implement all of the Level 2 requirements plus 24 selected controls from NIST SP 800-172.
Useful Links
Did you know that ATS is a Registered Provider Organization (RPO) with the CMMC Accreditation Body (CMMC AB)? RPOs provide consulting, recommendations, and implementations to their clients regarding the NIST 800-171 and CMMC standards. Through working with an RPO such as ATS, you will gain insight into the requirements of NIST 800-171 and CMMC from an organization trained in NIST 800-171 and CMMC methodology by the CMMC Accreditation Body (CMMC AB).
ATS has several employees with Registered Practitioner (RP) certifications ready to provide targeted NIST 800-171 and CMMC readiness assessment preparation for clients. RPs and RPOs go through background checks and are bound by a professional code of conduct ensuring we follow all laws and requirements.
A C3PAO is an organization that has successfully passed a rigorous series of requirements to become acknowledged by the CMMC Accreditation Body, on behalf of the DoD, as being objective and competent to perform certification assessments of OSCs. ATS has partnered with the C3PAO KLC Consulting, Inc. to help our RPO Readiness Assessment clients get their CMMC Level 2 Certification.
Visit KLC Consulting →
If you’re a Rochester or Finger Lakes manufacturer, printer, food and beverage, or production-related company, NextCorps can connect you to local and national resources to help you expand and thrive. They also bring an element to your business projects that others don’t: access to a host of funding opportunities that can take 10-60% off your costs—thanks to funding from the National Institute of Standards and Technology and the NYSTAR division of Empire State Development.
Visit NextCorps →
Reach out to us for a free consultation with a Cybersecurity expert.