*** On 11/4/2021 the DoD approved changes to CMMC and released what is known as CMMC 2.0.

This page has been updated to reflect the changes and will continue to be updated as additional changes or information become available. ***

Read our latest blog on CMMC 2.0 here.  

CMMC Overview

The Cybersecurity Maturity Model Certification (CMMC) was developed by the United States Department of Defense (DoD) and the initial version (CMMC 1.0) went into effect November 30, 2020.  It is meant to protect against the theft of intellectual property and sensitive information within the Defense Industrial Base (DIB).  In November 2021, DoD announced updates to what is now known as CMMC 2.0.   CMMC 2.0 is based on, and replaces the previous requirements of, DFARS, NIST 800-171, and CMMC 1.0.  Previously, contractors would self-report they comply without any true oversight or accountability.  Now, contractors will need to self-report or be certified at the required CMMC level prior to receiving contracts from the DoD.  CMMC 2.0 will take effect as soon as the DoD completes their rulemaking process, which is expected to take 9-24 months.  CMMC 2.0 will become a contract requirement once rulemaking is completed.

Click here to access Dopkins Registered Provider Organization (RPO) page on the CMMC-AB Marketplace.

Practices

CMMC assesses practices which are specific steps or procedures that an organization should be performing within each domain to protect itself from common threats  Practices are assessed at three different levels that represent a progressively more mature and robust security posture.

CMMC Levels

Level 1 – Foundational

17 Practices

Annual self-assessment

Level 2 – Advanced

110 Practices (align with NIST SP 800-171)

Annual self-assessment for “non-prioritized acquisitions”

Triennial third-party certification for “prioritized acquisitions”

Level 3 – Expert

110+ Practices (based on NIST SP 800-172)

Triennial government-led certification

The rules are changing, but the stakes for DoD compliance remain critical:  What does CMMC 2.0 mean for your organization?

Register for a copy of our CMMC 2.0 ebook to learn more:

Our assessment process:

• Through interviews and observations, we mutually review the practices contained in your target level.
• For each practice we will ascertain whether the practice is currently being performed or not, and how it is being performed.
• We provide guidance on best practices and options to accomplish currently unperformed or incomplete practices.
• We mutually review the maturity of processes (documentation, policies, and planning) contained in your target level to ensure practices will continue to be performed.

Delivering recommendations:

Upon completion of the assessment, the client will have a list of CMMC practice gaps and recommendations.  Process maturity will be identified for each practice in your target level.  Each practice that should have additional documentation, policies, or planning will be reported.

We then suggest an action plan that offers a realistic approach to reaching your target level.  New security practices can be overwhelming.  Our action plan structures implementation timing and shared responsibilities to create a sustainable security culture.

Our remediation assistance services include:

• Risk Assessments
• User training and testing
• Identifying and implementing technical controls
• Assistance with documentation development
• Creating policies
• Incident response plans

Sign up for a free CMMC consultation to evaluate your organization’s status:

For more information, please contact Patrick Rost CMMC-AB RP at prost@dopkins.com.