Cybersecurity Maturity Model Certification

Cherry Bekaert can assist with CMMC compliance gap assessments, provide oversight and management of remediation and reporting efforts, or, as an authorized CMMC Third-Party Assessment Organization (C3PAO), perform certification assessments.

Are You Ready for CMMC Compliance Requirements?

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for Department of Defense (DoD) acquisitions, aimed at securing the Defense Industrial Base (DIB) supply chain by increasing the protection of controlled unclassified information (CUI) and federal contract information (FCI).

The CMMC Program rule (32 CFR Part 170) becomes effective 60 days after October 15, 2024, the date the final rule was published in the Federal Register, that is, on December 16, 2024.

Once the CMMC Program rule is in effect, authorized CMMC Third-Party Assessment Organizations (C3PAOs) can conduct CMMC Level 2 certification assessments. Note that the Program rule alone does not require any contractor to hold a certification; that obligation arrives only when the separate DFARS acquisition rule (48 CFR) places the CMMC clause in a given solicitation or contract.

Who Does CMMC Impact?

Currently, CMMC compliance impacts organizations within the DIB that provide services or products to the DoD. This includes prime contractors and subcontractors handling FCI and/or CUI. If your company supports DoD prime contractors, they will be reaching out to you regarding CMMC compliance. Organizations impacted by CMMC may include:

  • Consulting, legal and other professional services providers
  • IT and cybersecurity services providers
  • Software and technology companies and service providers
  • Logistics and supply chain companies

What Are the CMMC Levels?

CMMC comprises three levels. The level a contract specifies dictates which security requirements apply, whether the assessment is a self-assessment or must be performed by an accredited third party, and how often it recurs.

  • CMMC Level 1 — Organizations handling FCI only; the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment
  • CMMC Level 2 — Organizations handling CUI; the 110 security requirements of NIST SP 800-171 Rev. 2, verified either by a self-assessment or, where the contract requires it, by a C3PAO certification assessment, each valid for three years with an annual affirmation in between
  • CMMC Level 3 — Organizations handling CUI on programs most exposed to Advanced Persistent Threats (APTs); requires a Level 2 certification plus 24 selected requirements from NIST SP 800-172, assessed by the DoD's DIBCAC

Preparing for CMMC Compliance

As a CMMC C3PAO, we're committed to helping contractors navigate and prepare for CMMC certification. 

What Are the Proposed DoD DFARS Amendments?

The CMMC acquisition rule (48 CFR, amending the DFARS) was published as a proposed rule in the Federal Register on August 15, 2024. The public comment period for the proposed rule is expected to end on October 13, 2024. Following adjudication of the public comments by the DoD and a final review by the Office of Information and Regulatory Affairs (OIRA), the acquisition rule is expected to take effect in March 2025.

Key aspects of the proposal include:

  • Certification at Contract Award: Contractors must hold the appropriate CMMC certification level at the time of the contract award and maintain it throughout the contract's duration.
  • Flow-Down Requirements: The CMMC requirements must be extended to all subcontractors handling FCI or CUI.
  • Continuous Compliance: Contractors are required to annually affirm their compliance with the CMMC level applicable to the systems used in contract performance, with updates required if any changes occur.
  • Phased Implementation: The proposed rules will be rolled out over three years, with selective implementation initially, becoming mandatory for all relevant contracts by the fourth year.

The proposed DFARS rule phases CMMC in over three years. During that period, the CMMC requirement is included only in those solicitations and contracts for which the CMMC Program Officer directs DoD component program offices to include it. After three years, DoD component program offices will be required to include a CMMC requirement in every solicitation and contract under which the contractor will process, store, or transmit FCI or CUI on contractor information systems.

DoD’s Four Implementation Phases

DoD Phase 1 Implementation

The DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessments for all applicable DoD solicitations and contracts as a condition of contract award.

The DoD may include:

  • CMMC Level 1 or CMMC Level 2 Self-Assessments for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 252.204-7021
  • CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts

Timeline

Phase 1 begins on the effective date of the CMMC revision to DFARS 252.204-7021.

DoD Phase 2 Implementation

The DoD intends to include CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award.

The DoD may:

  • Delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award
  • Include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts

Timeline

Phase 2 begins one calendar year following the start date of Phase 1.

DoD Phase 3 Implementation

The DoD intends to include:

  • CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 252.204-7021
  • CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award

Timeline

Phase 3 begins one calendar year following the start of Phase 2.

DoD Phase 4 Full Implementation

The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

Timeline

Phase 4 begins one calendar year following the start date of Phase 3.

Your Full-Service CMMC Provider

Cherry Bekaert is a full-service CMMC provider that can assist your organization with a wide variety of CMMC compliance needs. In addition to CMMC gap assessments, our professionals can provide oversight and management of remediation and reporting efforts. We also perform certification assessments as an authorized CMMC Third-Party Assessment Organization (C3PAO), where we are independent of the organization being assessed (a C3PAO may not certify an organization it has helped prepare or remediate, so advisory and assessment work for the same client are kept separate), and we are a Registered Practitioner Organization (RPO) accredited by the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (The Cyber AB).

We assist Organizations Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. As an authorized C3PAO, Cherry Bekaert partners with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under its Joint Surveillance Voluntary Assessment Program to perform DIBCAC High (NIST SP 800-171) assessments, which are convertible to a CMMC Level 2 certification if a perfect score (all 110 requirements met) is obtained.

Our team is composed of CMMC-certified practitioners with information technology (IT) and cybersecurity leadership experience, and we focus on practical, pragmatic recommendations and solutions that your team can actually implement.

CMMC Compliance Gap Assessments

Gap assessments are crucial in establishing a clear understanding of the current state of compliance against CMMC.

Our CMMC Compliance Gap Assessments are designed to assist management in understanding the scope and extent of the organization’s CMMC compliance needs.

At the end of our gap assessment, we provide a CMMC compliance roadmap that includes practical and pragmatic recommendations for CMMC remediation, so your organization has a clear plan forward.

CMMC Compliance Advisory Services

Once we have developed a clear view of gaps in CMMC compliance, our team of CMMC compliance advisory professionals will work with you to remediate gaps and drive the implementation of a CMMC program tailored to your organization.

We assist many organizations with crucial components of the CMMC program, including:

  • Scope and boundary identification and definition
  • Asset identification and categorization
  • System security plan development
  • Shared responsibility matrix development
  • Policy and procedure development
  • Alignment with/leveraging other compliance initiatives and efforts (where appropriate)
  • Vendor and third-party selection and compliance (e.g., the FedRAMP Moderate authorization or equivalency required of cloud service providers (CSPs) that store, process, or transmit CUI, and the CMMC requirements that flow to external service providers (ESPs))

In addition, we can fully support your self-assessment efforts to make sure that all necessary program parameters are in place before the results are affirmed and signed by a senior official of your organization.

CMMC Certifications and Attestations

Our CMMC assessments are streamlined from planning and testing through reporting and submission, to ensure an efficient assessment from beginning to end.

Cherry Bekaert follows a proven assessment process that includes the following phases:

  • Plan and prepare the assessment
    • Establish roles and responsibilities
    • Validate CMMC assessment scope
    • Verify readiness to conduct the assessment
  • Conduct the assessment
    • Collect and examine evidence
    • Conduct interviews
    • Determine FedRAMP Moderate Equivalency for Cloud Service Providers (CSPs)
    • Score OSC practices and validate preliminary results
  • Report recommended results
    • Deliver recommended assessment results
    • Submit, package, and archive assessment documentation
    • Upload assessment results into CMMC eMASS
    • Schedule a CMMC POA&M close-out assessment (if necessary)
  • Close-Out POA&Ms and assessment (if necessary)
    • Perform POA&M close-out assessment
    • Update POA&M close-out

In addition, Cherry Bekaert offers organizations the ability to undergo an attestation engagement against NIST SP 800-171, the standard underlying CMMC Level 1 and Level 2, for those looking for assurance beyond a self-assessment. These engagements can be performed individually or in conjunction with an existing SOC 2 audit (e.g., SOC 2 + NIST SP 800-171).

CMMC Third-Party Assessment Organization (C3PAO) Authorization and Registered Practitioner Organization (RPO)

Cherry Bekaert is an authorized CMMC Third-Party Assessment Organization (C3PAO) and a Registered Practitioner Organization (RPO) accredited by the Cyber AB. We assist Organizations Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3.

Our Professionals

Connect With Us

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Neal W. Beggan

Risk Advisory Services

Partner, Cherry Bekaert Advisory LLC

Dan Sembler

Advisory Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC

Contact Our CMMC Professionals