Something CMMC this way comes

CMMC is a methodology used to build and enhance a company’s cyber security program. It details five levels of increasingly structured and mature cyber security controls and processes.

Are you a prime or sub DoD contractor? Want to be able to bid on new contracts? If so, are you ready for the new Cybersecurity Maturity Model Certification (CMMC)?

CMMC was officially let loose on January 31st, 2020. And things will never be the same for defense contractors. Prior to the release of CMMC, contractors would promise to do their best to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and National Institute of Standards and Technology (NIST) SP800-171 requirements to win contracts.  Until recently, the DoD would trust these contractors to do what they say the did. The DoD did little to ensure contractors were truly compliant.

Then along comes the CMMC.

CMMC is a methodology used to build and enhance a company’s cyber security program. It details five levels of increasingly structured and mature cyber security controls and processes. CMMC levels start with basic hygiene and build up to enterprise level processes and controls.  Level 1 has some low hanging fruit and maps to the FAR 52.204-21 (aka Basic 17) requirements. CMMC levels 2 and 3 map directly to the NIST SP800-171 requirements. Levels 4 and 5 are based on the NIST SP800-171B, which is still a draft as of the date this article was published, and several other practices to demonstrate an advanced cyber security program is established.

CMMC is different from DFARS and NIST SP800-171 by requiring every contractor to be audited and certified by a 3rd party auditor (3PAO).  In a nutshell, without a valid certification (Level 1-5) by a 3PAO, the contractor will be prohibited from bidding on the contract.

It is estimated that 200,000-300,000 organizations in the Defense Industrial Base (DIB) will be in scope for CMMC. The level that these organizations need to be certified will be determined by the contract on which they are bidding. Of course, all primes and subs will need to be certified at Level 1 to bid on any DoD contracts.  If a contractor processes or creates Controlled Unclassified Information (CUI) they will need, at a minimum, a Level 3 certification.

Something CMMC this way comes. If you are a DoD contractor, it’s time to start running down the road towards CMMC compliance.  It can take a small company 6 to 8 months to get policies written, roll out the necessary training, put controls in place and prepare for an audit.  Every day you wait could cost you a contract.

Need some help navigating the CMMC maze?  URS has the expertise to help!

610.755.0728 or 800.55.HELPS

Remember, a strong Cyber Security Program is much more than just a firewall and antivirus. To be prepared for today’s threats,  a layered defense (defense in depth), should be implemented by every company, regardless of size.

About Ultimate Risk Services

At URS, we have a layered solution for every need and any budget.

Highlights of our solution are:

• Helps you navigate the Cybersecurity maze.

• Budget friendly! Available as a low cost monthly subscription.

• Something for everyone! Subscription levels designed with small business in mind. Robust enough to scale to large enterprises.

• Does not require fulltime IT staff.

• Gives you peace of mind.

So how does it work?  What does the subscription give you?

Depending on your subscription level, your 5 Steps may include:

• An “Always On” Unified Security Management system that safeguards your network, systems, users, and data

• Security Policies and Plans created via an easy to use Online Wizard

• Customizable Online Training

• Automated Hardware and Software Inventory Tool

• Automated Vulnerability Assessments

• A Breach Coach for when the bad guys get in

• Much more

To take a deeper look into our five steps click here.

Want to speak with one of our experts?  Or are you ready to protect your assets now? Contact us at:

610.755.0728 or 800.55.HELPS