Cybersecurity Maturity Model Certification
The US Government initiated SWEEPING ACQUISITION CHANGE at the end of 2020, amending the DFARS to include 100% MANDATORY CMMC CERTIFICATION COMPLIANCE beginning in 2021, with 100% compliance phased in by FY2025.
SoundWay recently launched its Cybersecurity Maturity Model Certification (CMMC) practice. As you may know, ALL DoD prime contractors and subcontractors MUST obtain their CMMC Certification to continue doing business with the DoD. 100% CMMC compliance is required by FY25, with the DoD phasing in CMMC beginning in FY21. The CMMC Accreditation Board (CMMC-AB) recognizes SoundWay’s CMMC expertise and capabilities, and our ability to provide consulting services.
SoundWay provides pre-assessment readiness reviews that give our clients a clear understanding of what gaps exist, how to remediate them, and how to ensure success in a manner that is cost- and business-justified.
Our Separation of Duties offering allows our clients to outsource the tedium of cybersecurity to practitioners in order to meet regulatory requirements, improve security posture, and dramatically lower the cost of ownership.
THE 4 THINGS YOU MUST KNOW ABOUT CMMC
2. The US Government SHALL ONLY recognize CMMC Certification Assessments conducted by CMMC Accreditation Board (CMMC-AB) Certified 3rd Party Assessment Organizations (C3PAO).
3. Only CMMC-AB Registered Provider Organizations (RPO) are VETTED BY THE CMMC-AB as CMMC experts capable of helping businesses identify & remediate non-compliance.
4. The CMMC-AB recommends beginning CMMC compliance preparation a minimum of six months prior to the desired Certification Assessment.
Free CMMC Consultation
SoundWay has been helping the U.S. Government and its business partners for over a decade. To schedule a free CMMC consultation, please contact us at CMMC@soundwayconsulting.com
CMMC Frequently Asked Questions
What is CMMC and Why Now?
CMMC is the DoD’s response to increased cybersecurity failures across its Defense Industrial Base (DIB), despite the self-managed compliance requirements previously imposed on the DIB.
“In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies.” Ms. Ellen Lord, DoD Undersecretary for Acquisition & Logistics, March 2019.
Prior to CMMC, the DIB was asked to comply with, and attest that it was meeting, the many controls, goals, and objectives of the National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations.
- Malicious cyber attacks by U.S. persons, foreign governments, and non-state cyber-terrorists occur daily, costing the economy tens of billions of dollars every year and threatening our country’s and the global community’s economic security.
- Cyber theft, mishandling of materials, and accidental spills place our national security at risk and result in the loss of U.S. industrial and military information, innovations, and advantages.
- The lack of a compliance mandate resulted in a lack of compliance and a continuing increase in cybersecurity failures.
Will I lose my current DoD contract if I don't have my CMMC certification?
No. You won’t lose any current contracts awarded to your business that do not contain a CMMC requirement, regardless of your CMMC certification status. CMMC will not be retroactive, meaning that your current contracts will not be amended to add the CMMC requirement.
Does my business need CMMC certification to bid on DoD contracts?
Your business does not need its CMMC certification to bid on contracts. However, if your business bids on a contract that includes a CMMC level requirement, then your business must hold its CMMC certification at the required level at the time of award, or your business will be disqualified. There is no forgiveness.
How long does CMMC certification take?
The CMMC Accreditation Board (CMMC-AB) estimates that it will take approximately three to six (3 – 6) months for a business to prepare for CMMC Level 3 certification. This is only an estimate, and it doesn’t take into account the unique requirements and dependencies that may apply to your business. Ask yourself: What is the state of our current NIST 800-171 compliance? Who within the business will support CMMC? How much time can these staff devote to CMMC daily? What do I have to budget for, and over what period of time? There are many more questions, of course. SoundWay can help. Let us make this less scary and more manageable for you and your business. We’ll come up with a plan and a budget that works for you.
Can I put off CMMC certification until I have a contract that requires it?
Putting off CMMC certification is RISKY. If your business bids on a contract that includes a CMMC level requirement, then your business must hold its CMMC certification at the required level at the time of award, or your business will be disqualified. There is no forgiveness.
Additional Risk in Putting Off CMMC Certification: Something to keep in mind – there are over 300,000 businesses supporting the DoD. Nearly ALL of these businesses will seek CMMC certification. Only CMMC-AB Certified C3PAOs are qualified to conduct a certification assessment, and there will be a finite number of C3PAOs. If you wait too long, even if your business is ready for its assessment, you may lose a contract if you cannot be assessed in time.
How many CMMC certification levels are there?
There are five (5) CMMC Maturity Level Certifications ranging from Basic Cyber Hygiene to Advanced / Progressive Cyber Hygiene. The level your business needs will be determined by the Government contracting officer and Government client. The below figure identifies the CMMC certification levels and the number of cybersecurity practice requirements for each level.
For most businesses, CMMC compliance and certification will have a noticeable impact on the business culture and business practices. This is why SoundWay emphasizes the need to start your CMMC-certification journey sooner rather than later.
What CMMC certification level does my business need?
The level your business needs depends on a number of factors, but the primary factor is the CMMC certification level your DoD client requires, or has indicated it will require.
Other factors that influence the level you’ll need include: What does your business do, and where does it do it? Where does your business store its Controlled Unclassified Information (CUI) and its Federal Contract Information (FCI)?
Can I prepare my business for its CMMC certification assessment in-house?
Your business, any business, may choose to prepare itself for its CMMC certification assessment if it’s confident that it has the in-house expertise to do so. The DoD’s CMMC website provides the most recent CMMC Model used for CMMC certification assessment.
However, many businesses don’t have the in-house expertise – and that’s why SoundWay is here!
We can help your company determine the CMMC certification level it needs, conduct a thorough gap analysis to determine what you need to do for compliance, put together a project plan for conducting and completing the tasks needed for compliance, conduct a mock compliance assessment for confidence, and much more. Contact SoundWay for more information on how SoundWay can help you meet your CMMC certification goal.
Can any cybersecurity company help my business prepare for CMMC certification?
The CMMC-AB Marketplace is a directory of companies that the CMMC-AB has certified as Registered Provider Organizations (RPO): companies formally recognized for their CMMC expertise and capabilities, and their ability to provide CMMC certification-preparation consulting services. SoundWay is an RPO and is listed in the Marketplace. Contact SoundWay for more information on how SoundWay can help you meet your CMMC certification goal.