Cybersecurity Maturity Model Certification

Are You Ready for CMMC Compliance Requirements?

The Cybersecurity Maturity Model Certification (“CMMC”) is a unified cybersecurity standard for Department of Defense (“DoD”) acquisitions, aimed at securing the Defense Industrial Base (“DIB”) supply chain. This standard was updated in November of 2021 and is now considered “CMMC 2.0”.

The CMMC Program proposed final rule was published in the Federal Register on December 26, 2023. Comments to the proposed rule must be received by February 26, 2024.

How many CMMC levels are there?

The CMMC framework consists of three levels and can require an independent third-party certification by an accredited organization:

  • CMMC Level 1 – Basic safeguarding of Federal Contract Information (FCI)
  • CMMC Level 2 – (previous CMMC 1.0 Level 3) Protecting CUI
  • CMMC Level 3 – (previous CMMC 1.0 Level 4 and 5) Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)

CMMC 2.0 encompasses the following:

When will CMMC 2.0 compliance be required for DoD contracts?

DoD’s four implementation phases are outlined below, with a summary and timeline for each.

Phase 1

Timeline: Begins on the effective date of the CMMC revision to DFARS 7021.

Summary:

  • The DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessments for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may include:
    • CMMC Level 1 or CMMC Level 2 Self-Assessments for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
    • CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.

Phase 2

Timeline: Begins six months following the start date of Phase 1.

Summary:

  • The DoD intends to include CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may:
    • Delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award.
    • Include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.

Phase 3

Timeline: Begins one calendar year following the start of Phase 2.

Summary:

  • CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
  • CMMC Level 3 Certification Assessment requirements included for all applicable DoD solicitations and contracts as a condition of contract award.

Phase 4

Timeline: Begins one calendar year following the start date of Phase 3.

Summary:

  • Full Implementation: The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

Cherry Bekaert CMMC Third-Party Assessment Organization Authorization and Registered Provider Organization

Cherry Bekaert is an authorized CMMC Third-Party Assessment Organization (C3PAO) and certified Registered Provider Organization (RPO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Inc. (The Cyber AB). We assist Organizations Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. Additionally, as an authorized C3PAO, Cherry Bekaert partners with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance audit program to perform DIBCAC High (NIST 800-171) Assessments, which are convertible to CMMC Level 2 Certification if a perfect score is obtained.

Having undergone Level 2 assessment as a Firm, Cherry Bekaert has a deep understanding of the assessment process to guide DoD contractors seeking a CMMC assessment.

Our services include:

  • Certification Level Identification & Consultation
  • System Boundary Determination
  • Assessment Approach Considerations (Entity-Level vs Enclave vs Hybrid)
  • Control Definition & Design
  • Documentation Development & Review
  • Mapping to Existing Frameworks such as NIST 800-53/171 (FedRAMP, FISMA, DFARS 7012), ISO 27001/2, SOC 2, PCI, HITRUST and Others
  • Gap Analysis
  • Remediation Design & Verification
  • DIBCAC Joint Surveillance Audit Program DIBCAC High (NIST 800-171) Assessments in Partnership with DCMA DIBCAC
  • Assistance with Level 1 and Level 2 Self-Assessment Scoring and Submission to SPRS

Readiness

Our CMMC Readiness Assessments are designed to assist management with implementing a CMMC Program tailored to the appropriate level. Cherry Bekaert follows a proven readiness process that includes the following phases:

  • Scope and Boundary Identification
  • Asset Identification and Categorization
  • System Security Plan Development
  • Shared Responsibility Matrix Development
  • Policy and Procedure Development
  • Evidence Collection
  • Gap Assessment
  • Recommendations to address identified gaps

Certifications & Attestations

Our CMMC assessments are streamlined from Planning & Testing through Reporting & Submission to ensure an efficient assessment from beginning to end.

In addition, Cherry Bekaert offers organizations the ability to undergo an attestation to the CMMC Level 1 and Level 2 Standard, NIST 800-171, for those looking for further assurance beyond just a self-assessment. These engagements can be performed individually or in conjunction with an existing SOC 2 audit, e.g., SOC 2+ NIST 800-171.
