How do I get Certified?
The Cyber-AB is a non-profit, independent organization. Their primary mission is to authorize and accredit the CMMC Third-Party Assessment Organizations (C3PAOs) that conduct CMMC assessments of companies within the Defense Industrial Base (DIB). The Cyber-AB provides the requisite information and updates on its website.
The Cyber-AB has established the CMMC Marketplace, which includes a list of authorized C3PAOs and other organizations in the CMMC ecosystem. Cask is the third Authorized C3PAO and has on staff Provisional Assessors, Provisional Instructors, and CCPs (Certified CMMC Professionals). The voluntary assessment program has begun, and the DoD plans to offer incentives to organizations that become CMMC Certified during this timeframe. Reach out now and let’s get started!
Why Choose Cask for your CMMC Certification?
Cask was the third Authorized C3PAO, passing the DIBCAC High Assessment in June 2021.
Cask is made up of Security Control Assessors/Validators for the DoD with years of experience in cyber and risk assessment, including full program management of those programs. Cask has assessed and obtained certification for over 90 systems, including the first USMC cloud-based solution as well as PaaS and SaaS solutions. Cask has also been performing CMMC Gap Analyses and Pre-Assessments since June 2021.
Cask SMEs (Coopers) work as a team conducting Assessments, Pre-Assessments, and Gap Analyses to evaluate a company’s implementation of cybersecurity requirements: its level of compliance with DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), its implementation of the NIST SP 800-171r2 requirements, and its compliance with DFARS Clause 252.204-7021 (Cybersecurity Maturity Model Certification Requirements).
FCI (Federal Contract Information) vs. CUI (Controlled Unclassified Information)
A. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A. If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
A. Federal Contract Information (FCI) is data that is collected, created, transmitted, or received in fulfilling the obligations of a contract, that is, in developing or delivering a product or service.
A. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Examples of CUI could be DoD technical drawings and testing results.
The CUI Registry groups CUI into the following index categories: Critical Infrastructure, Defense, Export Control, Financial, Immigration, Intelligence, International Agreements, Law Enforcement, Legal, Natural and Cultural Resources, NATO, Nuclear, Privacy, Procurement and Acquisition, Proprietary Business Information, Provisional, Statistical, and Tax.
CMMC (Cybersecurity Maturity Model Certification) Assessments
A. Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.
A. If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
A. DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.
A. Once CMMC 2.0 is implemented, self-assessments will be required on an annual basis. Third-party and government-led assessments, associated with Level 2 and Level 3 programs, will be required on a triennial basis.
A. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized C3PAO. C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
A. The CMMC assessment cost will depend upon the CMMC level needed, the scope of what needs to be certified, and the complexity of the organization’s network within the certification boundary.
Methodology in Planning and Performance
A. Cask will provide a CMMC Level 2/NIST 800-171A assessment of your organization’s current implementation of the 110 practices. We will review and assess the current implementation of each practice, verifying compliance using the CMMC 2.0 assessment process, which aligns with the NIST 800-171 assessment methodology.
Cybersecurity Standards (NIST SP 800-171 and NIST SP 800-172)
A. Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.
A. NIST 800-171 specifically focuses on the protection of Controlled Unclassified Information (CUI) and seeks to ensure that such sensitive government information located on contractors’ networks is both secure and protected.
NIST 800-172 provides 35 enhanced security requirements designed to safeguard CUI from cybercriminals who infiltrate systems to steal national security-related data. It does not contain guidance for determining which organizational programs or assets are of high value or critical.
Joint Surveillance Voluntary (JSV) Assessment Program
A: The Joint Surveillance Voluntary Assessment Program is a joint assessment performed as a team. The team consists of an Authorized C3PAO, such as Cask Government Services, and the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) team.
A: Any business or organization that chooses to have a Joint Surveillance Voluntary Assessment should reach out to an Authorized C3PAO and have that C3PAO add it to their JSV list. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) reviews the C3PAO’s list and then contacts the OSC to schedule the assessment.
Joint Surveillance Voluntary Assessments
A: A Joint Surveillance Voluntary Assessment is a NIST 800-171 High Assessment of an organization’s implementation of the 110 NIST controls/practices.
A: The best way to prepare for a NIST 800-171 High Assessment is to perform a self-assessment of your organization’s adherence to the 110 NIST controls/practices, ensuring there are two forms of evidence supporting each practice and each objective, or have an outside organization, such as an Authorized C3PAO, conduct a Pre-Assessment or Gap Analysis.
A: An Authorized C3PAO, such as Cask Government Services, will conduct your organization’s Joint Surveillance Voluntary Assessment, with the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) overseeing the activities and verifying the C3PAO’s assessment.
A: The C3PAO will assign a Lead Assessor to build the team. One to two Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessors will be added to the team to oversee the assessment of the implementation of the 110 NIST controls/practices. The team will verify the level of compliance with DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the implementation of the NIST 800-171 requirements.
A: Organizations queuing up for the opportunity to be assessed understand the competitive advantage of positioning themselves to bid on government contracts that contain DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and of achieving CMMC Level 2 certification. They are staying ahead of the curve by demonstrating to primes that they will be in compliance when CMMC is implemented via the Interim Rule expected in March 2023.
A: Joint Surveillance Voluntary Assessments are slated to convert to CMMC Level 2 Certifications upon the completion of CMMC rulemaking.
A: Cask Government Services, as the third Authorized C3PAO, is working with the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DCMA, DIBCAC) team in scheduling and conducting these assessments. Step one is to reach out to Cask, fill out and return a Client Engagement Form, review the assessment proposal, and complete a Master Service Agreement and Statement of Work so that Cask can work with the Cyber-AB and DIBCAC to get your organization’s assessment scheduled.
A: A Joint Surveillance Voluntary Assessment costs the same amount as a quoted CMMC Level 2 Formal Assessment and is directly related to the scope and boundary that need to be assessed.
A: The scope consists of the systems, components, networks, buildings, or people that process, store, or transmit Controlled Unclassified Information (CUI).
A: Once your organization has met the Joint Surveillance Voluntary Assessment requirements, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will submit your score to the Supplier Performance Risk System (SPRS). Your organization will then be required to self-attest annually and upload its scores to SPRS via the Procurement Integrated Enterprise Environment (PIEE).