What is the CMMC?

(Cybersecurity Maturity Model Certification)

The Department of Defense (DOD) has implemented a new program called the Cybersecurity Maturity Model Certification (CMMC). The CMMC program will serve as a framework for enforcing the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. The CMMC  program aims to improve CUI (Certified Unclassified Information) and FCI (Federal Contract Information) security by introducing a formal audit compliance process.

We can help you prepare for the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) Audits.

“Our CMMC Journey”

In 2019 we were asked to present at the Missouri Congresswoman Vicky Hartzler Procurement Conference in a breakout session on Cybersecurity and discuss at the time the new Cybersecurity Maturity Model Certification (CMMC).   We accepted and presented to the attendees that included members of the Military and Defense Industry.  Since that time, we have put on a CMMC workshop and now several Zoom meetings on the subject.  We are also helping new clients in the Defense Industry get ready for their Assessment and now the System Security Plan Scoring (SSP).

Five 9s Consulting Achieves CMMC-AB RPO Designation

Five 9s Consulting has announced that it has been approved as a Registered Provider Organization (R.P.O.) by the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB). This designation is awarded to companies with deep expertise and experience in cybersecurity services and has trained and certified cybersecurity professionals on staff certified as Registered Providers (RP) by CMMC-AB. The certification also requires R.P.O.s to be owned by U.S.  Citizens.

The CMMC is a unified framework intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place. The CMMC is designed to ensure that robust cyber hygiene is practiced as well as protect Controlled Unclassified Information (C.U.I.) and the Federal Contract Information (F.C.I.) that resides on Defense Industrial Base (DIB) systems.

Visit the accreditation page for more information: https://www.cmmcab.org/rpo

Testimonials: 

“I was very impressed with the seminar and how engaged it seemed the attendees were to the information you were presenting. You did a great job of turning something that can be EXTREMELY DRY and managed to keep things lively.

We would be happy to attend other seminars in the future.”

Sean Canevaro. CEO KISC www.kiscc.com

“It was a pleasure speaking with you as well.  Thank you for the information regarding the CMMC, and how it does or does not apply to our company.  I kept reading blizzard of information being issued by the DOD, NIST, and the Federal Registers but did not pick up on the details regarding the off-the-shelf items.  So I really appreciate your taking the time out of your schedule for a non-paying call.  It was truly appreciated.  I have the information saved on the computer regarding the CMMC requirements.  Should we have to do something, we will definitely get in touch with you or send you others who may have been just as confused as I was.” 

Deborah J. Brandt. Brandt Instruments, Inc. www.brandtinst.com

1. SSP (System Security Plan and Scoring) – DOD requires an SSP with scoring to be on file during this transition time to CMMC requirements.
   1. We will introduce the System Security Plan with scoring
   2. We will engage with your I.T. department and start filling out the plan.
   3. Once we have completed the System Security Plan (SSP), you should be able to identify the gaps in your CMMC and NIST 800-171 requirements you need to address.
   4. POA&M (Plan of Action and Milestones)
      1. Using the identified gaps from the SSP, make a plan with timelines on how and when you will have all gaps completed.
      2. This is your POA&M (Plan of Action and Milestones)
      3. Once the SSP, POA&M, and Score are completed, the assessment results will be stored in the DISA system (SPRS) https://www.sprs.csd.disa.mil.
2. CMMC Consulting: We will walk you through the process of getting your company ready for a CMMC assessment. Notice I said the company, not the I.T. department.  The CMMC will affect more than just your I.T. Department.
   1. Assist in understanding the rollout of the CMMC over the next few years
   2. Kick-off training for your company, so the project gets off to a great start
   3. We will walk your COMPANY through CMMC policies and practices.
3. Pre Assessment Readiness Review – The lead assessor at the beginning of the negotiations will ask your company to produce two forms of Objective Evidence needed to demonstrate sufficient adoption of necessary Practices and Processes for the CMMC level your company is seeking along with what is in scope and what is not in scope etc.
   1. Assist in collecting the two forms of Objective evidence for each practice and procedure
   2. Assist with obtaining C3PAO for the assessment
   3. Assist with identifying Assessment scope
4. Awareness &Training  (DOMAIN): We believe the first item on any project list is informing the team members on what the company is doing and how the team members fit into the project. To that end, we built a program that will train the employees on the CMMC project and work on satisfying the CMMC Awareness & Training domain.  Yes, a two for one.
   1. Please go to the Five 9s Consulting Awareness and Training web page. https://www.five9sconsulting.com/cmmc-awareness-and-training-at/