Schneider Downs can help your organization prepare for Cybersecurity Maturity Model Certification (CMMC) by performing an assessment using the official DoD assessment guides and will be capable of performing real assessments after becoming an accredited C3PAO.
To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) has worked with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop version 2.0 of the CMMC, a process that measures the ability of organizations within the defense industrial base (DIB) sector to protect FCI and CUI.
CMMC 2.0 will add a certification element to verify implementation of cybersecurity requirements, and DoD contractors storing CUI will need to be certified by a CMMC Third Party Assessment Organization (C3PAO).
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. CMMC requirements will begin being phased into RFIs and RFPs in early 2025 and will eventually be mandatory for all.
The CMMC model framework categorizes cybersecurity best practices at the highest level by domains.
Each domain is further segmented by a set of capabilities and achievements to ensure that cybersecurity objectives are met within each domain. Companies will further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across three maturity levels (explained below). Within this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, while processes will measure the maturity of an organization's cybersecurity processes.
The CMMC model has three defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to advanced and expert Levels 2 and 3. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:
The CMMC 2.0 model is cumulative and consists of 6 Level 1 domains and 8 additional domains for Level 2. Level 1 domains originated from Federal Acquisition Regulation (FAR) 52.204-21 and Level 2 domains originated from NIST SP 800-171. The domains are as follows:
Level 1:
Level 2 (Also contains all Level 1 Practices):
The final CMMC rule was published in December 2023 and is currently in the public comment period. The current expectation is that CMMC will go to Congress for final approval by the end of 2024. CMMC is set to start appearing in RFIs and RFPs in Q1 2025.
For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors and subcontractors to work the cost of compliance into their bids.
Schneider Downs is currently in the process of becoming certified as a Certified Third-Party Assessor Organization (C3PAO) by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is a Candidate C3PAO and, pending a successful CMMC Level 2 assessment in Q2 2024, will be authorized to provide certification assessments for the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
Schneider Downs is a Candidate C3PAO. Our team currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes several Certified CMMC Professionals (CCPs) as well as several candidates to become Certified CMMC Assessors (CCAs). CCPs and CCAs have undergone extensive training on the CMMC model and CMMC Assessment Process (CAP) and can simulate a real assessment to effectively identify gaps that can be remediated prior to the official C3PAO assessment. Organizations Seeking Certification (OSCs) should note that a single firm cannot perform both consulting and audit services for a single client per The Cyber AB standards.
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.