What is the CMMC?

(Cybersecurity Maturity Model Certification)

The Department of Defense (DOD) has implemented a new program called the Cybersecurity Maturity Model Certification (CMMC). The CMMC program will serve as a framework for the enforcement of the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. Scheduled for implementation in 2020, this program aims to improve CUI (Certified Unclassified Information) and FCI (Federal Contract Information) security by introducing a formal audit compliance process.

DOD contractors must be certified at a specific security level to qualify for bidding on DOD contracts.

We can help you prepare for the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) Audits.

1. SSP (System Security Plan and Scoring) – DOD requires an SSP with scoring to be on file during this transition time to CMMC requirements.
   1. We will introduce the System Security Plan with scoring
   2. We will engage with your I.T. department and start filling out the plan.
   3. Once we have completed the System Security Plan (SSP), you should be able to identify the gaps in your CMMC and NIST 800-171 requirements you need to address.
   4. POA&M (Plan of Action and Milestones)
      1. Using the identified gaps from the SSP, make a plan with timelines on how and when you will have all gaps completed.
      2. This is your POA&M (Plan of Action and Milestones)
      3. Once the SSP, POA&M, and Score are completed, the assessment results will be stored in the DISA system (SPRS) https://www.sprs.csd.disa.mil.
2. CMMC Consulting: We will walk you through the process of getting your company ready for a CMMC assessment. Notice I said the company, not the I.T. department.  The CMMC will affect more than just your I.T. Department.
   1. Assist in understanding the rollout of the CMMC over the next few years
   2. Kick-off training for your company, so the project gets off to a great start
   3. We will walk your COMPANY through CMMC policies and practices.
3. Pre Assessment Readiness Review – The lead assessor at the beginning of the negotiations will ask your company to produce two forms of Objective Evidence needed to demonstrate sufficient adoption of necessary Practices and Processes for the CMMC level your company is seeking along with what is in scope and what is not in scope etc.
   1. Assist in collecting the two forms of Objective evidence for each practice and procedure
   2. Assist with obtaining C3PAO for the assessment
   3. Assist with identifying Assessment scope
4. Awareness &Training  (DOMAIN): We believe the first item on any project list is informing the team members on what the company is doing and how the team members fit into the project. To that end, we built a program that will train the employees on the CMMC project and work on satisfying the CMMC Awareness & Training domain.  Yes, a two for one.
   1. Please go to the Five 9s Consulting Awareness and Training web page. https://www.five9sconsulting.com/cmmc-awareness-and-training-at/