Schneider Downs, an Authorized C3PAO, can help your organization prepare for Cybersecurity Maturity Model Certification (CMMC) by performing an assessment using the official DoD assessment guides and will be capable of performing real assessments after becoming an accredited C3PAO.
To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) has worked with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop version 2.0 of the CMMC, a process that measures the ability of organizations within the defense industrial base (DIB) sector to protect FCI and CUI.
CMMC 2.0 will add a certification element to verify implementation of cybersecurity requirements and DoD contractors storing CUI will need to be certified by a CMMC Third Party Assessment Organization (C3PAO).
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. CMMC requirements will begin being phased into RFIs and RFPs in early 2025 and will eventually be mandatory for all.
Ready to Get Started? Contact our team and let us know how we can help.
Download our comprehensive CMMC Guide for a detailed overview of CMMC, including a deep dive into the certificate framework, certification process, potential costs and best practices for preparing your organization.
The CMMC model framework categorizes cybersecurity best practices at the highest level by domains.
Each domain is further segmented by a set of capabilities and achievements to ensure that cybersecurity objectives are met within each domain. Companies will further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across three maturity levels (explained below). Within this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, while processes will measure the maturity of a organizations cybersecurity processes.
The CMMC model has three defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to advanced and expert Levels 2 and 3. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:
The CMMC 2.0 model is cumulative and consists of 6 Level 1 domains and 8 additional domains for Level 2. Level 1domains originated from Federal Acquisition Regulation (FAR) 52.204.-21 and Level 2 originated from NIST SP 800-171. The domains are as follows:
Level 1:
Level 2 (Also contains all Level 1 Practices):
The final CMMC rule was published and put into effect on December 16, 2024.
For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors subcontractors to work the cost of compliance into their bids.
Schneider Downs is currently one of the first 55 Authorized Certified Third-Party Assessor Organization (C3PAO) by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is authorized to provide certification assessments for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
Schneider Downs is one of the first 55 authorize C3PAOs in the nation. We can help your organization become CMMC certified by conducting an official CMMC assessment against your organization. Schneider Downs has several CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) who are trained in using the CMMC Assessment Process (CAP). Schneider Downs is also able to help with a readiness consulting engagements to identify gaps within your controls and help remediate those gaps prior to your CMMC assessment. Organizations Seeking Certification (OSCs) should note that a single firm cannot perform both consulting and assessment service for a single client per the CyberAB standards.
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Email us: [email protected]
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and consulting services to public and private companies, not-for-profit organizations and global companies. We also offer risk advisory, transaction advisory, digital consulting, wealth management, retirement plan solutions and investment banking services. Schneider Downs serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), metropolitan Washington (DC) and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.
Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.
