CMMC
DOD CYBERSECURITY
Get ready for cmmc 2.0 now
DOD Contractors can get certified to CMMC 2.0 requirements from Simpatico Systems. Learn more about CMMC requirements, CMMC 2.0, and what you need to do to get your company aligned to the latest CMMC mandates.
CMMC 2.0
CYBERSECURITY EXPERTS
There is a lot to know about the latest CMMC guidelines. Contact Simpatico Systems today to let us take the stress out of becoming CMMC compliant. Our team of experts are here to help you with all of your CMMC compliance needs
LATEST CMMC GUIDELINES & CERTIFICATION INFORMATION
New CMMC 2.0
The changes to the CMMC Certification and what you need to know! Learn more about CMMC 2.0 today!
DFARS Interim Rule
Find answers to the existing DFARS requirements, the interim rule, and how it relates to CMMC
CMMC FAQ
Find answers to your CMMC questions and learn more about the Cybersecurity Maturity Model Certification.
Get your company prepared for the new CMMC requirements
The Simpatico Way
CMMC Registered Provider Organization
We Get Your Business Ready:
Simpatico Systems is proud to be a CMMC-AB Registered Provider Organization (RPO). Your organization can trust Simpatico Systems with all of your CMMC and DOD cybersecurity needs! You can find us on the CMMC-AB Marketplace provider’s list.
CMMC CYBERSECURITY SERVICES
Do You Need More?
Our expert team is ready to provide you with detailed
insights into cybersecurity solutions.
What is the CMMC?
Inside the Cybersecurity Maturity Model Certification (CMMC)
If your business depends on Department of Defense (DoD) contracts, then you are already aware of their Defense Acquisition Federal Regulation Supplement (DFARS) mandate published in 2015 requiring DoD contractors to adopt the cybersecurity standards outlined in NIST’s SP 800-171 cybersecurity framework. Because the failed, somewhat self regulated, honor system which was incentivized with a competitive advantage in winning contracts, the slow adoption rate and false claims of compliance, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) model.
The CMMC model will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go decision.”
The intended destination for the CMMC model combines various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
What do we know about the CMMC?
The DOD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
The CMMC will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified Information (CUI) that resides on the Department’s industry partners’ (Contractors) networks.
What can DOD contractors expect as this is pushed out?
DoD contractors will have to become CMMC certified by passing an audit performed by a DoD accredited auditor. Contractors will have to meet the appropriate level of cybersecurity for their business. This will become the requirement for anyone who wants to hold contracts with the Department of Defense or work as a subcontractor on DoD related projects.
CMMC Levels
What level of CMMC is right for me and my business?
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. Here’s what we currently know about the CMMC levels and their respective requirements:
What level of the CMMC will I need to get certified?
This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. The entire point of CMMC is to make it more feasible for small to mid-sized business to become compliant while ensuring that any sensitive information or CUI your organization handles remains safe.
This means that most companies will fall under Level 1 or Level 2 (which will map 64 controls from 800-171), while prime contractors can expect to become Level 3 certified (which will map all 110 controls from 800-171). Level 4 and 5 (which will map additional controls found in 800-171revB) are going to typically be required of the large primes like Lockheed Martin and Northrop Grumman.
When does CMMC go into effect?
How do I achieve CMMC compliance?
Defense contractors are not compliant with CMMC until they coordinate with an accredited and independent third party certification organization to perform a CMMC audit. It is in contractors best interest to partner with an agency like Simpatico Systems to help them prepare for a CMMC audit.
What should I do to prepare for an audit?
- For DoD contractors that have already implemented all NIST SP 800-171 controls, they should have no issues with passing a CMMC audit successfully up to CMMC Level 3.
- For DoD contractors who have not implemented the NIST SP 800-171 Rev1 or RevB controls, the following options are available to prepare for a CMMC audit.
Although the DoD contractor is ultimately responsible for ensuring their company meets the cybersecurity requirements, many DoD contractors that don’t have the resources or IT staff available to ensure compliance, they choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity around the CMMC.
If you would like to speak with someone about preparing for a CMMC audit, give us a call at (806) 224-0300 to schedule a free consultation.
What should I do right now?
Regardless if you choose to keep this in house or outsource, you will need to know how close or how far away from meeting any of the five levels of the CMMC your business is. The most effective way to accomplish this is to have a third-party perform a gap assessment to discover inadequate system setups and processes that may not meet all of the required controls.
Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that will correct any problems and keep our clients in line with CMMC requirements. The gap analysis will either aid a DoD contractor in performing their own remediation plan, or they may opt to have a third-party, such as an MSSP, perform the remediation for them.
Simpatico Systems understands the urgency around obtaining compliance. Also the complexity around navigating NIST compliance and the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on DoD contractor systems and ensure a successful audit and certification.