What is NIST / CMMC?

On November 30, 2020, the Department of Defense (DoD) issued an interim rule to strengthen cybersecurity throughout the Defense Industrial Base (DIB). The new rule applies to all contracts that include DFARS 252.204-7012. Under the new rule, contractors holding such contracts must conduct a self-assessment of their NIST SP 800-171 compliance and submit the results through the Supplier Performance Risk System (SPRS). The rule also lays out the requirements for the CMMC standard, which will soon be a requirement for all DoD contracts.

The CMMC (Cybersecurity Maturity Model Certification) framework was released January 31, 2020. The most recent version, CMMC 2.0, was revealed in November 2021. CMMC focuses on the security and resiliency of the DIB according to the OUSD (A&S) and the DoD. The official CMMC rollout will occur over several years to encompass all contracts and suppliers.

The Structure of CMMC

CMMC measures cybersecurity at 3 levels, from Foundational to Expert. Businesses that only handle Federal Contract Information (FCI) will require Level 1. Businesses that handle Controlled Unclassified Information (CUI) will require Level 2. Level 3 exists to protect highly sensitive CUI and will be required by few contractors.

Level 1 (Foundational)

17 Practices

• For contractors who handle FCI
• Equivalent to all practices in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
• Requires annual self-assessment submitted to the Supplier Performance Risk System (SPRS) and affirmed by company leadership

Level 2 (Advanced)

72 Practices

• For contractors who handle CUI
• Comply with the FAR
• 110 practices from NIST SP 800-171
• Lower-priority acquisitions will require annual self-assessment submitted to SPRS and affirmed by company leadership
• Higher-priority acquisitions will require a third-party assessment every three years

Level 3 (Expert)

130 Practices

• For contractors who handle highly sensitive CUI
• Comply with the FAR
• 110+ practices from NIST SP 800-171/172
• Requires government assessment every three years

Source: CMMC Model v2.0 Approved for Public Release


With CORE’s platform, training and consultants we were able to succeed in a short time and gain a level of understanding and structure we otherwise would never have been able to accomplish.

- Anne Mills on BirdEye


The certification process was easy and painless. Suzanne Weber-Smatko did an excellent job of preparing us for the audits and we were certified with no findings.

-Elizabeth Meighan on BirdEye


C&C International was indeed very pleased with the Core training we’ve recently received. Suzanne Weber-Smartko and Norman Verbeck provided very good support and direction. We are very much satisfied with CORE.

- Bill James on Google


The Core Solutions team was excellent to work with and made the ISO preparation tolerable. I highly recommend the services of the Core Solutions.

-Paul Amalfitano on BirdEye


Thanks to the CORE team and especially Bruce Newman for a great experience achieving our company’s first ISO certification.

-Flip Crummer on Facebook

Level 1 (Foundational)

• Comply with the FAR
• 17 practices from NIST SP 800-171
• Annual SPRS self-assessment affirmed by company leadership

Level 2 (Advanced)

• Comply with the FAR
• Encompasses all practices from NIST SP 800-171r1
• Annual self-assessment to SPRS with leadership affirmation (lower-priority acquisitions) or triennial third-party assessment (higher-priority acquisitions)

Level 3 (Expert)

• Comply with the FAR
• Encompasses all practices from NIST SP 800-171 and a subset from NIST SP 800-172
• Requires assessment by government every three years

Source: CMMC Model v2.0 Approved for Public Release

Consulting Support for CMMC Compliance

Core Business Solutions is a CMMC Registered Provider Organization with several Registered Practitioners on staff. That means we’re officially recognized by the CMMC Accreditation Board as trustworthy implementation experts.

For smaller DoD contractors, CMMC might seem like a complex burden. But we’re here to handle the complicated parts so you can focus on your business.

At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).

We also assist you in your guided self-assessment. We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), Roadmap, and budget.

Our consulting plans also include the CORE Security Suite to help you implement CMMC practices and maintain certification going forward.

Related Standards

We also provide consulting support for companies seeking multiple certifications through an Integrated Management System.

• ISO 9001: Quality Management Systems
• ISO 27001: Information Security Management Systems
• ISO 20000-1: Service Management Systems

For more information about compliance, please call our consulting office at 866-354-0300 or contact us online.
