Cybersecurity Maturity Model Certification Services (CMMC)

Deliver sound risk management practices, internal control systems and compliance frameworks.
The CyberAB - CyberAB Third-Party Assessment Organization (C3PAO) - 2025-01-31

Schneider Downs is an authorized C3PAO qualified to assess and certify organizations seeking CMMC certification for business with the Department of Defense (DoD).

What is CMMC?

To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) has worked with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop version 2.0 of the CMMC, a process that measures the ability of organizations within the defense industrial base (DIB) sector to protect FCI and CUI.

CMMC 2.0 adds a certification element to verify implementation of cybersecurity requirements, and DoD contractors storing CUI will need to be certified by a CMMC Third Party Assessment Organization (C3PAO).

CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. CMMC requirements will begin being phased into RFIs and RFPs in early 2025 and will eventually be mandatory for all.

Ready to Get Started? Contact our team and let us know how we can help.

Download our comprehensive CMMC Guide for a detailed overview of CMMC, including a deep dive into the certificate framework, certification process, potential costs and best practices for preparing your organization.

CMMC FAQs

To help you navigate these requirements and prepare your organization for compliance, we have compiled answers to the most frequently asked questions about the CMMC framework, its impact on your business, and how Schneider Downs, as an authorized C3PAO, can guide your path to certification. For the full list of frequently asked questions, download our CMMC FAQ Guide.

As of January 31, 2025, the Department of Defense (DoD) has finalized the implementation framework for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. The final rule was published on October 15, 2024, and took effect on December 16, 2024. Contracts will start to include the DFARS clause requirement, meaning all DoD contractors will be required to comply with CMMC.

Any system, network, or infrastructure that stores, processes, or transmits FCI or CUI is considered in scope for CMMC 2.0. This includes:

  • Internal IT networks that handle CUI.
  • Cloud environments where CUI is stored or processed (e.g., Microsoft GCC High, AWS GovCloud).
  • End-user devices (laptops, desktops, mobile devices) that access CUI.
  • Email and collaboration tools (if used for CUI communication).
  • Subcontractors that handle CUI (they must also meet the appropriate CMMC level).

Organizations need to define and document the boundary of their CMMC in-scope environment in their System Security Plan (SSP), since the assessment is conducted against that boundary.

For defense contractors, the consequences could be severe. If you decide not to comply, or are unable to comply, with the CMMC requirements, you will no longer be able to bid on any DoD contracts that include the DFARS clause.

Each DoD Request for Proposal (RFP), Request for Quote (RFQ), or Request for Information (RFI) will specify the required CMMC level for that contract.

Contracts that require CMMC compliance will reference specific Defense Federal Acquisition Regulation Supplement (DFARS) clauses, such as:

  • DFARS 252.204-7012 (Cybersecurity Requirements)
  • DFARS 252.204-7019 (SPRS Submission)
  • DFARS 252.204-7020 (DIBCAC Assessment for Medium & High Risk)
  • DFARS 252.204-7021 (CMMC Certification Requirements)

If DFARS 252.204-7021 is included, the contract will specify the required CMMC level.

The required level can also be determined by the type of information you will handle under the contract:

  • If your company only handles Federal Contract Information (FCI) → CMMC Level 1 is required.
  • If your company handles Controlled Unclassified Information (CUI) → CMMC Level 2 or Level 3 may be required.
  • If your company works with high-value CUI for critical national security → CMMC Level 3 is required.

The CMMC framework is closely aligned with NIST standards, as compliance with CMMC requirements necessitates adherence to NIST guidelines. DoD contractors must either perform a self-assessment or undergo a third-party evaluation to verify compliance with the relevant NIST standards outlined in DFARS clause 252.204-7012. Under CMMC 2.0, Level 2 assessments are based on the security controls in NIST SP 800-171, while Level 3 assessments incorporate both NIST SP 800-171 and a subset of advanced protections from NIST SP 800-172.

Schneider Downs is currently one of 54 Authorized C3PAOs in the nation. Schneider Downs can help with readiness and consulting services to help you prepare for your CMMC assessment. Once you are ready for your assessment, Schneider Downs can provide partner C3PAOs to conduct the assessment.

The CMMC Model Framework

The CMMC model framework categorizes cybersecurity best practices at the highest level by domains.

Each domain is further segmented by a set of capabilities and achievements to ensure that cybersecurity objectives are met within each domain. Companies further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across three maturity levels (explained below). Within this context, practices measure the technical activities required to achieve compliance with a given capability requirement, while processes measure the maturity of an organization's cybersecurity processes.

CMMC Model 2.0 Levels

The CMMC model has three defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to advanced and expert Levels 2 and 3. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:

  • CMMC Level 1: The “foundational” level of CMMC compliance requires all contractors that have FCI in their contracts to implement a set of 17 basic cybersecurity practices that are required by the Federal Acquisition Regulation (FAR) 52.204-21. Organizations that fall under Level 1 may perform an annual self-assessment of the FAR 52.204-21 controls and report their score to the Department of Defense.
  • CMMC Level 2: The “advanced” level of CMMC requires contractors that handle CUI to implement the National Institute of Standards and Technology (NIST) 800-171 framework, which includes 110 practices from 14 CMMC domains. If a contractor handles sensitive CUI, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires the contractor to be Level 2 certified by having a CMMC Third Party Assessment Organization (C3PAO) perform an independent assessment to validate that the contractor has fully implemented the NIST 800-171 framework.
  • CMMC Level 3: The “expert” level of CMMC maturity is required for contractors that work with critical DoD infrastructure. Organizations seeking Level 3 certification will be required to comply with the NIST 800-172 framework. Level 3 contractors are also required to be assessed by the DoD directly, as opposed to an independent C3PAO. Organizations will need to be certified for Level 2 practices by a C3PAO prior to being assessed by the DoD for Level 3.

CMMC Domains

The CMMC 2.0 model is cumulative and consists of 6 Level 1 domains and 8 additional domains for Level 2. The Level 1 domains originated from Federal Acquisition Regulation (FAR) 52.204-21, and the Level 2 domains originated from NIST SP 800-171. The domains are as follows:

Level 1:

  • Access Control (AC)
  • Identification and Authentication (IA)
  • Media Protection (MP)
  • Physical Protection (PE)
  • System and Communication (SC)
  • System and Information Integrity (SI)

Level 2 (Also contains all Level 1 Practices):

  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Incident Response (IR)
  • Maintenance (MA)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • Security Assessment (CA)

CMMC Timeline and Cost

The final CMMC rule was published and put into effect on December 16, 2024.

For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors and subcontractors to work the cost of compliance into their bids.

CMMC Assessments

Schneider Downs is currently one of the first 54 Authorized Certified Third-Party Assessor Organizations (C3PAOs) authorized by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is authorized to provide certification assessments for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

How Can Schneider Downs Help?

Schneider Downs is one of the first 55 authorized C3PAOs in the nation. We can help your organization become CMMC certified by conducting an official CMMC assessment for your organization. Schneider Downs has several CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs) who are trained in using the CMMC Assessment Process (CAP). Schneider Downs is also able to help with readiness consulting engagements to identify gaps within your controls and help remediate those gaps prior to your CMMC assessment. Organizations Seeking Certification (OSCs) should note that, per the CyberAB standards, a single firm cannot perform both consulting and assessment services for the same client.

About Schneider Downs IT Risk Advisory 

Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.

To learn more, visit our dedicated IT Risk Advisory page.
