Cybersecurity Maturity Model Certification Services (CMMC)

Primary Contact:  Eric Wright CPA, CITP

Schneider Downs can help your organization prepare for Cybersecurity Maturity Model Certification (CMMC) by performing an assessment using the official DoD assessment guides and will be capable of performing real assessments after becoming an accredited C3PAO. 

What is CMMC?

To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the supply chain, the U.S. Department of Defense (DoD) has worked with DoD stakeholders, university-affiliated research centers, federally funded centers and industry at large to develop version 2.0 of the CMMC, a process that measures the ability of organizations within the defense industrial base (DIB) sector to protect FCI and CUI. 

CMMC 2.0 will add a certification element to verify the implementation of cybersecurity requirements and DoD contractors storing CUI will need to be certified by a CMMC Third Party Assessment Organization (C3PAO).

CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk and account for flow down to subcontractors in a multitier supply chain. CMMC requirements will begin being phased into RFIs and RFPs in early 2025  and will eventually be mandatory for all.

Ready to Get Started? Contact our team and let us know how we can help.

Download our comprehensive CMMC Guide for a detailed overview of CMMC, including a deep dive into the certificate framework, certification process, potential costs and best practices for preparing your organization. 

The CMMC Model Framework

The CMMC model framework categorizes cybersecurity best practices at the highest level by domains.

Each domain is further segmented by a set of capabilities and achievements to ensure that cybersecurity objectives are met within each domain. Companies will further validate compliance with the required capabilities by demonstrating adherence to practices and processes that have been mapped across three maturity levels (explained below). Within this context, practices will measure the technical activities required to achieve compliance with a given capability requirement, while processes will measure the maturity of an organization's cybersecurity processes.

CMMC Model 2.0 Levels

The CMMC model has three defined levels, each with a set of supporting practices and processes, from Level 1 that addresses basic cyber hygiene to advanced and expert Levels 2 and 3. To meet a specific CMMC level, an organization must meet the practices and processes within that level and below. Levels are described as follows:

  • CMMC Level 1 - The “foundational” level of CMMC compliance requires all contractors that have FCI in their contracts to implement a set of 17 basic cybersecurity practices that are required by the Federal Acquisition Regulation (FAR) 52.204-21. Organizations that fall under level one may perform an annual self-assessment of the FAR 52.204-21 controls and report there score to the Department of Defense.
  • CMMC Level 2 - The “advanced” level of CMMC that requires contractors that handle CUI to implement the National Institute of Standards and Technology (NIST) 800-171 framework which includes 110 practices from 14 CMMC domains. If a contractor handles sensitive CUI, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires the contractor to be level 2 certified by having a CMMC Third Party Assessment Organization (C3PAO) perform an independent assessment to validate that the contractor has fully implemented the NIST 800-171 framework.
  • CMMC Level 3 –  The “expert” level of CMMC maturity that is required for contractors that work with critical DoD infrastructure. Organizations seeking level 3 certification will be required to comply with the NIST 800-172 framework. Level 3 contractors are also required to be accessed by the DoD directly as opposed to an independent C3PAO. Organizations will need to become certified for level 2 practices by a C3PAO prior to being assessed by the DoD for level 3.

CMMC Domains

The CMMC 2.0 model is cumulative and consists of 6 Level 1 domains and 8 additional domains for Level 2.  Level 1domains originated from Federal Acquisition Regulation (FAR) 52.204.-21 and Level 2 originated from NIST SP 800-171. The domains are as follows:

Level 1: 

  • Access Control (AC)
  • Identification and Authentication (IA)
  • Media Protection (MP)

Level 2 (Also contains all Level 1 Practices)

  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Incident Response (IR)

 

  • Physical Protection (PE)
  • System and Communication (SC)
  • System and Information Integrity (SI)

 

  • Maintenance (MA)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • Security Assessment (CA)

 

CMMC Timeline and Cost

The final CMMC rule was published in December 2023 and is currently in the public comment period. The current expectation is that CMMC will go to congress for final approval by the end of 2024. . CMMC is set to start appearing in RFIs and RFPs in Q1 2025.

For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Given that, we expect future RFIs and RFPs will allow prime contractors subcontractors to work the cost of compliance into their bids.

CMMC Assessments

Schneider Downs is currently in process to become certified as a Certified Third-Party Assessor Organization (C3PAO) by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Schneider Downs is a Candidate C3PAO and pending a successful CMMC Level 2assessment in Q2 2024, Schneider Downs will be authorized to provide certification assessments for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. 

Related Resources

How Can Schneider Downs Help?

Schneider Downs is a Candidate C3PAO. Our team currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes several Certified CMMC Professionals (CCPs) as well as several candidates to become Certified CMMC Assessors (CCAs). CCPs and CCAs have undergone extensive training on the CMMC model and CMMC Assessment Process (CAP) and can simulate a real assessment to effectively identify gaps that can be remediated prior to the official C3PAO assessment. Organizations Seeking Certification (OSCs) should note that a single firm cannot perform both consulting and audit services for a single client per The Cyber AB standards. 

Get the latest insights and news in our bi-weekly newsletter, Focus on Cybersecurity

About Schneider Downs IT Risk Advisory

Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.

To learn more, visit our dedicated IT Risk Advisory page. 

View our additional IT Risk Advisory services and capabilities

contact us

Pittsburgh
Columbus
Metropolitan Washington