Cask, an Authorized C3PAO

Cask, the 3rd Authorized C3PAO, understands the CMMC 2.0 Model and has the experience and expertise to help you achieve CMMC Certification. Talk to us to receive a quote and better understand the process at: [email protected]

Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity risks threatening the Defense Industrial Base (DIB) supply chain and U.S. national security led to the development of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The CMMC assessment framework enforces DFARS 252.204-7012 to avoid or significantly reduce cyber breaches and to increase security accountability. CMMC provides the DIB with assurance that the CUI and FCI shared with the DIB are secure. A CMMC Assessment is used to certify the cyber readiness of contractors doing business with the Department of Defense (DoD) and must be conducted by an Authorized CMMC C3PAO in order to meet the DoD's requirements.

CMMC Assessment Levels

CMMC Level 1 Assessment

A Basic Cyber Hygiene (17 Practices) Assessment that applies to contractors who process, store, or transmit Federal Contract Information (FCI). An annual self-assessment is required at this level, and a subset of these Practices is included in a CMMC Level 2 Assessment.

CMMC Level 2 Assessment

An Intermediate Cyber Hygiene (110 Practices) Assessment that applies to contractors who process, store, or transmit FCI and Controlled Unclassified Information (CUI). Most DIB Contractors and Higher Education Institutions will need to comply with CMMC Level 2, and although they self-attest annually, most organizations must have a CMMC L2 Assessment conducted every three years by an Authorized C3PAO.

Joint Surveillance Voluntary Assessment (JSVA)

A NIST 800-171 High/CMMC Level 2 Assessment conducted by a C3PAO and the DCMA DIBCAC. The assessment evaluates the Organization Seeking Certification's (OSC's) NIST 800-171 practices, and successful organizations receive a DIBCAC High Certificate that is expected to convert to a CMMC Level 2 Certification upon CMMC final rulemaking.

CMMC Level 3 Assessment

Yet to be defined; it will be based on NIST 800-171 and NIST 800-172. Only a few DIB Contractors are expected to need this type of assessment.

CMMC and the Joint Surveillance Voluntary Assessment (JSVA) Program

CMMC Framework

The CMMC framework is used to certify the cyber readiness of contractors doing business with the Department of Defense (DoD). Although some can self-attest, most organizations conducting business with the DoD must have a CMMC L2 Assessment conducted every three years by a C3PAO in order to meet the DoD's cybersecurity requirements and to be able to bid on DoD Contracts with security requirements.

JSVA Program

Until final rulemaking, NIST 800-171/CMMC Level 2 Assessments are being conducted under the Joint Surveillance Voluntary Assessment Program (JSVP). A JSV Assessment is a NIST 800-171 High/CMMC Level 2 Assessment conducted jointly by a C3PAO and the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Why Choose Cask

Cask is the 3rd Authorized C3PAO, having passed the DIBCAC High Assessment in June of 2021 with a perfect SPRS Score of 110.

Cask’s Personal Support

Cask’s number one priority is our clients. Working closely with you and your teams, Cask comes to understand your security posture, culture, and business processes.

Cask Certified CMMC Assessors and CMMC Certified Professionals work as a team conducting Assessments, Pre-Assessments, and Gap Analyses to evaluate a company's implementation of the cybersecurity requirements: its level of compliance with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; its implementation of NIST SP 800-171r2 requirements; and its compliance with DFARS Clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Through communication, collaboration, and teamwork, we aim to ensure a successful and efficient assessment process.

Cask Expertise

Cask, as the 3rd Authorized C3PAO, has the experience and expertise to help you achieve Cybersecurity Maturity Model Certification (CMMC).

Having achieved an SPRS Score of 110 on our DIBCAC High Assessment with no POA&Ms, successfully conducted Joint Surveillance Voluntary (JSV) Assessments for Tier 1 Defense Contractors, and completed numerous CMMC Pre-Assessments, Gap Analyses, and CMMC Consulting efforts, Cask is an expert in helping contractors engaged with the Department of Defense (DoD) become CMMC prepared and in conducting CMMC Assessments.

Cask understands the CMMC 2.0 Model, the assessment process, and what it takes to be compliant with the CMMC/NIST 800-171 Security Control requirements.

Cask Experience

Cask has been providing cyber assessments to the DoD for over 19 years, with over 90 assessments completed leveraging the CNSSI 1253 and NIST SP 800-53 controls, verifying the implementation of applicable Security Technical Implementation Guides (STIGs), and performing on-site inspections, vulnerability scans, and Security Content Automation Protocol (SCAP) scans to ensure the security of our military systems upon deployment or in garrison.

Our staff consists of multiple CMMC Certified Assessors, CMMC Certified Professionals, Security Control Assessors, and Validators for the DoD, with experience in cyber and risk assessment. Cask has assessed and obtained certification for over 90 systems, including the first USMC cloud-based solution and PaaS and SaaS solutions. Cask has been performing NIST 800-171 Gap Analyses and Pre-Assessments since June 2021.

If your organization doesn't feel ready for a JSV/CMMC L2 Assessment, Cask, with our Certified CMMC Assessors and cybersecurity and IT experts, will help you, your team, and your organization prepare.

Cask also offers CMMC Consulting Services, including CMMC Pre-Assessments, Gap Analyses, and CMMC Readiness support.

Contact Cask and start your CMMC Assessment Process NOW!

Validate that your organization is doing its duty in protecting the nation's supply chain so that you can bid on MORE DoD Contract Opportunities!

For a free consultation, additional information, resources, and a quote, please submit the form below or email us directly at [email protected].

Cask would be honored to assist you and your organization in taking your next best steps.

FAQs

FCI (Federal Contract Information) vs. CUI (Controlled Unclassified Information)

A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received as a requirement of fulfilling the obligations of the contract, that is, to develop or deliver a product or service.

A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Examples of CUI include DoD technical drawings and testing results.

The CUI Registry includes the index groupings Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, and Tax.

CMMC (Cybersecurity Maturity Model Certification) Assessments

A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

A. DoD's intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

A. Once CMMC 2.0 is implemented, self-assessments will be required on an annual basis. Third-party and government-led assessments, associated with the Level 2 and Level 3 programs, will be required on a triennial basis.

A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.

A. The CMMC assessment costs will depend upon the CMMC level needed, the scope of what needs to be certified, and the complexity of the organization's network within the certification boundary.

Methodology in Planning and Performance

A. Cask will provide a CMMC Level 2/NIST 800-171A assessment of your organization's current implementation of the 110 practices. We will review and assess current implementations of the practices, verifying compliance using the CMMC 2.0 assessment process, which aligns with the NIST 800-171 assessment methodology.

Cybersecurity Standards (NIST SP 800-171 and NIST SP 800-172)

A. Under CMMC 2.0, the "Advanced" level (Level 2) will be equivalent to NIST SP 800-171. The "Expert" level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors' networks is both secure and protected.

NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cybercriminals whose intent is to infiltrate systems to steal national security-related data. It does not contain guidance for determining which organizational programs or assets are critical or high value.

Joint Surveillance Voluntary (JSV) Assessment Program

A. The Joint Surveillance Voluntary Assessment Program is a joint assessment performed as a team. The team consists of an Authorized C3PAO, such as Cask Government Services, and the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) team.

A. Any business or organization that chooses to have a Joint Surveillance Voluntary Assessment should reach out to an Authorized C3PAO and have that C3PAO add it to their JSV list. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) reviews the C3PAO's list and then contacts the OSC to schedule the assessment.

Joint Surveillance Voluntary Assessments

A. A Joint Surveillance Voluntary Assessment is a NIST 800-171 High Assessment of an organization's implementation of the 110 NIST controls/practices.

A. The best way to prepare for a NIST 800-171 High Assessment is to perform a self-assessment of your organization's adherence to the 110 NIST controls/practices, ensuring there are two forms of evidence supporting each practice and each objective, or to have an outside organization, such as an Authorized C3PAO, conduct a Pre-Assessment or Gap Analysis.

A. An Authorized C3PAO, such as Cask Government Services, will conduct your organization's Joint Surveillance Voluntary Assessment, with the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) overseeing the activities and verifying the C3PAO's assessment.

A. The C3PAO will assign a Lead Assessor to build the team. One to two Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessors will be added to the team to oversee the assessment of the implementation of the 110 NIST controls/practices. The team will verify adherence to the level of compliance within DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and the implementation of NIST 800-171 requirements.

A. Organizations queuing up for the opportunity to be assessed understand the competitive advantage of positioning themselves to bid on government contracts that contain DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and of achieving CMMC Level 2 certification. They are staying ahead of the curve by demonstrating to primes that they will be in compliance when CMMC is implemented via the Interim Rule expected in March 2023.

A. Joint Surveillance Voluntary Assessments are expected to convert to CMMC Level 2 Certifications upon the completion of final CMMC rulemaking.

A. Cask Government Services submits organizations and their POC names to the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) once they have completed a CMMC Assessment Readiness Review (CA-RR) and are confirmed ready to be scheduled for an assessment. The DCMA, DIBCAC will contact the organization's POC once selected. Please fill out and return a Cask Client Engagement Form so that we can help you get started!

A. A Joint Surveillance Voluntary Assessment costs the same amount as a quoted CMMC Level 2 Formal Assessment and is directly related to the Scope and Boundary that needs to be assessed.

A. The Scope consists of the systems, components, networks, buildings, or people that process, store, or transmit Controlled Unclassified Information (CUI).

A. Once your organization has met the Joint Surveillance Voluntary Assessment requirements, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will submit your score to the Supplier Performance Risk System (SPRS), and your organization will be required to self-attest annually and upload your scores to SPRS via the Procurement Integrated Enterprise Environment (PIEE).
