How do I get Certified?
The Cyber-AB isa non-profit, independent organization. Their primary mission is to authorize and accredit the CMMC Third-Party Assessment Organizations (C3PAOs) that conduct CMMC assessments of companies within the Defense Industrial Base (DIB). The Cyber-AB provides the requisite information and updates on its website.
www.cyberab.org
The Cyber-AB has established the CMMC Marketplace including a list of authorized C3PAO’s and organizations in the CMMC Ecosystem. Cask is the 3rd Authorized C3PAO and has on staff Provisional Assessors, Provisional Instructors, and CCP’s (Certified CMMC Professionals). The voluntary assessment program will begin shortly and the DoD plans to offer incentives to organizations who become CMMC Certified during this timeframe. Reach out now and let’s get started!
https://caskgov.com/cybersecurity-maturity-model-certification/
Why Choose Cask for your CMMC Certification?
Cask was the third Authorized C3PAO – passing the DIBCAC High Assessment June 2021
Cask is made up of Security Control Assessors/Validators for the DoD and has years of experience in Cyber and Risk Assessment including full program management of these programs. Cask has assessed and obtained certification for over 90 systems including assessing and obtaining certification for the first USMC Cloud based solution and PaaS and SaaS solutions. Cask has also been performing CMMC Gap Analyses and Pre-Assessments since June 2021.
Cask SME’s (Coopers) work as a team conducting Assessments, Pre-Assessments, and Gap Analysis to evaluate a company’s implementation of cybersecurity requirements, adherence to the level of compliance with the requirements of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information, Cyber Incident Reporting, implementation of NIST SP 800-171r2 requirements, and DFARS Clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements.
FAQs
FCI (Federal Contract Information) vs. CUI (Controlled Unclassified Information)
A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract – to develop or deliver a product or service.
A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Examples of CUI could be DoD technical drawings and testing results.
The CUI Registry includes index groupings Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, Tax.
CMMC (Cybersecurity Maturity Model Certification) Assessments
A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.
A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
A. DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
A. Once CMMC 2.0 is implemented, self-assessments will be required on an annual basis. Third-party and government-led assessments, associated with Level 2 and Level 3 programs, will be required on a triennial basis.
A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
A. The CMMC assessment costs will depend upon the CMMC level needed, the scope of what needs to be certified, and complexity of the organizations network for the certification boundary.
Methodology in Planning and Performance
A. Cask will provide a CMMC Level 2/NIST 800-171A assessment of your organization’s current implementation of the 110 practices. We will review and assess current implementations of the practices verifying compliance using the CMMC 2.0 assessment process which aligns with the NIST 800-171 assessment methodology.
Cybersecurity Standards (NIST SP 800-171 and NIST SP 800-172)
A. Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.
A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cybercriminals whose intent is to infiltrate systems to steal national security-related data. It does not contain guidance to determine high value to critical organizational programs or assets.