Cybersecurity Maturity Model Certification

CMMC Certification Preparation for DoD Contractors

How Department of Defense Contractors Can Best Prepare for their CMMC Audit


What is CMMC?

CMMCFig1The Department of Defense is taking steps to further prevent the loss of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB) as it is critical to maintaining national security. Those steps birthed the CMMC requirement, which builds upon their existing regulations (DFARS 252.204-7012) and combines various cybersecurity control standards (e.g., National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, International Organization for Standardization (ISO) 27001, and Aerospace Industries Association National Aerospace Standards 9933, etc.) into a single, unified standard for cybersecurity. The CMMC program will require DoD suppliers to achieve and maintain certification through a verification process that assesses the institutionalization and maturity of cybersecurity practices and processes.

The CMMC model is based on 5 Levels of Practices and Processes as shown in Figure 1. Practices range from a Level 1 (basic cyber hygiene) to Level 5 (advanced/progressive). Processes range from being performed at Level 1 up to being optimized across the organization at Level 5. In order to meet a specific CMMC level, an organization must meet the practices and processes within that level as well as those below it.

Once implemented, offerors will be required to hold a CMMC certificate at a specified level or higher to be eligible for award on DoD solicitations. To obtain a CMMC certification, companies will coordinate directly with an independent, accredited CMMC Third-Party Assessment Organization (C3PAO) to request and schedule a CMMC assessment. Upon successful demonstration of the appropriate capabilities and organizational maturity, the organization will receive the corresponding CMMC level certification.


What Steps Should I Take to Become Compliant?

Sawdey understands that Cybersecurity is a complex and difficult subject. Our knowledgeable and experienced professional services staff can help expedite your CMMC in a clear and concise manner. We help you navigate the CMMC standard, cybersecurity regulations, and best practices no matter the size or complexity of your business. Sawdey has also been selected by a major university responsible for educating suppliers on the CMMC standard and requirements within the State of Ohio. Sawdey will provide Cybersecurity subject matter expertise in support of content development and delivery, seminars, working groups, and roundtable discussions. Our approach begins here:

1. A Gap Analysis

Conducting a gap analysis is an important first step in identifying the risks to which your company is most susceptible. A gap analysis will expose any deficiencies against the current CMMC standard and DFARS Cybersecurity requirements.

2. Certification

The greatest change in the way the DoD is approaching cybersecurity requirements of its contractors is the fact that long gone are the days of self-attestation. Instead, CMMC certification will be done by an independent certification body. The capabilities DoD suppliers will be required to implement and demonstrate for each maturity level are briefly defined in Figure 2 below. Hiring a third party in advance to conduct a thorough assessment and evaluation of your controls ensures your company’s information security program is ready for inspection.



3. Timing

The DoD expects to begin including CMMC levels in RFPs beginning in early 2021. A phased roll-out to include all DoD contracts will occur thru 2025. If you are a current DoD supplier, or plan to be, now is the time to strengthen your existing cybersecurity processes, policies, and systems.



This email address is being protected from spambots. You need JavaScript enabled to view it.

Pass Your Upcoming CMMC Audit with Confidence

We are helping DoD suppliers throughout the U.S. navigate the complexities of CMMC with ease and confidence.

To gain a competitive advantage in these evolving times, consider being proactive in taking the first step in preparation for the CMMC audit. With us, you can achieve a high quality evaluation of your current cybersecurity posture and learn how best to obtain CMMC certification at the level most in line with your current and future business objectives.