ARE YOU READY FOR CMMC?
As experienced CMMC compliance consultants, we not only complete documentation but also run continuous monitoring and develop IT infrastructure to maintain your compliance.
LDD Consulting helps companies meet the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements.
We run through the high-level steps that are necessary for DoD contractors to achieve their required level of certification.
CMMC assessment is performed by individual assessors and accredited CMMC Third Party Assessment Organizations (C3PAOs). LDD is one of these. We enable businesses to work in a compliant manner by providing high-value custodial security of CUI, while minimizing interruptions to people, processes, and procedures.
The Background: NIST 800-171 vs CMMC
CMMC is a vehicle used by the US federal government to audit compliance with the NIST SP 800-171 regulation. DoD contractors have been expected to comply with this regulation since January 1, 2018.
However, the DoD has noted unacceptably low levels of compliance by the Defense Industrial Base (DIB) over the first two years, and established CMMC to remedy the slow progress. CMMC itself was released on January 31, 2020.
Starting September 2020, DoD contractors must be certified at the relevant CMMC level to bid on Requests for Proposal (RFPs).
CMMC also applies to subcontractors.
The overall picture gets more complicated. For a start, NIST 800-171 requires compliance with both the Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. CMMC focuses on CUI controls only.
Therefore, having a CMMC Level 1, 2, 3, 4 or 5 certification does not automatically mean your organization is compliant with NIST 800-171. This simple oversight can put your organization at risk of violating the False Claims Act (FCA) and shows why you need an experienced compliance consultant to make sure every last detail is covered.
The Pentagon is revising its CMMC program by significantly reducing the number of companies that require third-party assessments. It is also providing new waiver processes in specific areas.
The CMMC 2.0 revisions were announced in November 2021, but could take another two years to come into effect. They include consolidation of the current five CMMC certification levels down to three: foundational, advanced, and expert. The revisions will also help to cut red tape for small and medium-sized businesses (SMBs).
Nevertheless, meeting basic cyber hygiene standards and protecting controlled unclassified information (CUI) are now pre-contract award requirements. Verification must take place through an independent, on-site third-party audit.
Non-compliance means no contract and no revenue!
©2023. LDD Consulting, Inc. All Rights Reserved.