To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) is working with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop the Cybersecurity Maturity Model Certification (CMMC), a process that measures the ability of company within the defense industrial base (DIB) sector to protect FCI and CUI. CMMC also adds a certification element to verify implementation of cybersecurity requirements and certifications will need to be performed by accredited third parties such as Schneider Downs.
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. The CMMC will be included in RFIs and RFPs in 2020 and will eventually be mandatory for all.
To learn more about the potential costs and how your organization can prepare for CMMC, download our Cybersecurity Maturity Model Certification (CMMC) Guide.
The CMMC model framework categorizes cybersecurity best practices at the highest level by domains.
Each domain is further segmented by a set of capabilities and achievements to ensure that cybersecurity objectives are met within each domain. Companies will further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across five maturity levels (explained below). Within this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, while processes will measure the maturity of a companyâs processes.
The CMMC model has five defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to proactive and advanced Levels 4 and 5. In parallel, processes range from being performed at Level 1, documented at Level 2 and optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:
The CMMC model consists of 17 domains, the majority which originated from the FIPS 200 security-related areas and the NIST SP 800-171 control families. The domains are as follows:
While draft versions of the CMMC are currently available for review, the final version of CMMC is not expected to be released until January 2020. CMMC is set to start appearing in RFIs in June 2020, and the expectation is that it will start appearing in RFPs in September 2020.
As it relates to price, the FAQ section of the CMMC webpage notes that, the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors subcontractors to work the cost of compliance into their bids.
Schneider Downs has successfully completed the Certified Third-Party Assessor Organization (C3PAO) accreditation process and applied for the CMMC ML-3 assessment performed by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is a Candidate C3PAO and pending a successful CMMC ML-3 assessment, Schneider Downs will be authorized to provide certification assessments for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program.
Schneider Downs is a Candidate C3PAO. Our team currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes several members currently in the process of applying for CMMC Certified Assessor status. OSCs should note that a single firm cannot perform both consulting and audit services for a single client per the CMMC-AB standards. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST 800-171 framework. To learn more about our CMMC services download our CMMC Service Overview.
For more information, please email Eric Wright.
Schneider Downs’ team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Receive all the latest insights and industry tips.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and business advisory services to public and private companies, not-for-profit organizations and global companies. We also offer Internal Audit; Technology Consulting; Software Solutions; Personal Financial Services; Retirement Plan Solutions and Corporate Finance Services. Schneider Downs is the 13th largest accounting firm in the Mid-Atlantic region and serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.
Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.
"*" indicates required fields