No CMMC compliance can mean no DoD business!

The United States Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)] is committed to working with the Defense Industrial Base (DIB), also known as the DoD contractor sector, to enhance the protection of sensitive data within the supply chain, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary.

Cybersecurity Maturity Model Certification (CMMC) is a DoD certification process that measures a Federal Prime or Sub-Contractor company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices.

The CMMC model framework (Figure 1) categorizes cybersecurity best practices at the highest level by domains.

Each domain is further segmented by a set of capabilities. Capabilities are achievements to ensure cybersecurity objectives are met within each domain. Companies will further demonstrate compliance with the required capabilities by demonstrating adherence to practices and processes, which have been mapped across the five maturity levels of CMMC.

In this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, and processes will measure the maturity of a company’s processes.

Within each domain, DIB companies will be accredited under the CMMC only if they can demonstrate compliance with the required practices and demonstrate mature processes as required for the given CMMC level. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid.

The CMMC model has five defined levels, each with a set of supporting practices and processes, illustrated in Figure 2. Practices range from Level 1 (basic cyber hygiene) to proactive and advanced at Levels 4 and 5. In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below.

InterSec CMMC Capabilities

  • Ground-up CMMC compliance
  • Maturing from one CMMC level to the next
  • Gap analysis
  • Control Selection and Tailoring
  • Control Implementation guidance
  • Develop System Security Plan (SSP)
  • Develop Plan of Action and Milestones (POA&Ms)
  • Audit-ready artifacts
  • Managed Security Service Provider for ongoing CMMC compliance

Why InterSec

We are an accredited CMMI Svc 3, ISO 27001:2013 and ISO 9001:2015 cyber security company. Our specialized security team has deep expertise in FedRAMP, FISMA, NIST SP 800-37 RMF, NIST SP 800-53, NIST 800-37A, NIST 800-171 and DFARS.

We have performed multiple assessments and audits for Commercial, State and Federal sector clients. This experience has helped us mature our processes, develop and mature internal controls, and develop trusted partnerships with audit companies. We go beyond disclosing weaknesses and findings. Our Security Professional Services provide remediation advice that is cost-effective and tailored to your organization's unique needs. We provide quality service at a reasonable price and help our clients meet compliance needs in a timely manner.

We will be trusted partners in your journey to obtain and maintain CMMC compliance. Our key differentiators include:

  • A dedicated team of security professionals that are available to you throughout the CMMC compliance process.
  • Our assessors undergo ongoing professional training and hold various industry certifications such as CISSP, CCSP, CISA, CEH, ECSA, CHFI, CTIA
  • We have successfully completed more than 100 compliance assessments and audits across Federal, State and Commercial clients
  • Strategic partnerships with auditors and product vendors to provide a turnkey solution to meet CMMC compliance
  • Multiple service models that can be easily customized to meet your organization’s unique needs
  • Flexible pricing models and referral credits