CMMC

“Highly professional, met all deadlines, responsive to all questions, excellent knowledge of the CMMC model as it stands as well as keeping up to date with changes. Sawdey has been a great company to work with, we are very happy with our selection of your company to help guide us to CMMC compliance.”

– T.J. McCambridge, Quality Manager, Black Diamond Engineered Products, Inc.

“Sawdey has been excellent in following up and has gone above and beyond in helping us find solutions to issues.”

– Beth Robb, Project Manager, Liona Enterprises, Inc.

“Very good communication and work products. Accomplished what we set out to do.”

– Doug Barber, Founding Principal/COO/Executive Vice President/FSO/ITPSO, BB&E, Inc.

“One eye-opening finding of the pre-assessment came when comparing it to an assessment performed internally. Certain cybersecurity requirements were more nuanced than originally perceived, which of course translates to vulnerabilities and a lower SPRS score. Sawdey Solution Services made it easy to identify the CMMC shortcomings and provided a roadmap to compliance.”

– Garrett Sargent, Founder, PSOAS LLC

“Our confidence in your [Sawdey’s] understanding of the standard was high. We appreciate your [Sawdey’s] understanding of our situation as a very small business trying to gain this certification.”

– John Noel, Vice President, Noel-Smyser Engineering Corporation 

CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

https://dodcio.defense.gov/CMMC/about/ 

What is CMMC? 

The CMMC Program aligns with the Department of Defense’s (DOD) existing information security requirements for the Defense Industrial Base (DIB). It is designed to enforce the protection of sensitive unclassified information shared by the DOD with its contractors and subcontractors. The Program provides the DOD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing Controlled Unclassified Information (CUI).

Key features of the CMMC Program: 

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DOD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The Program also outlines the process for requiring protection of information flowed down to subcontractors. 
  • Assessment Requirement: CMMC assessments allow the DOD to verify DIB implementation of existing cybersecurity standards. 
  • Implementation through Contracts: DOD contractors and subcontractors handling sensitive unclassified DOD information must achieve a specific CMMC level as a condition of contract award. 

Proposed CMMC Program implementation timeline. 

The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. The Draft Title 48 CFR CMMC rule has been published, and the final rule is pending. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of Program requirements in Phase 4.  


If your organization has CUI and is pursuing CMMC Level 2, do you still need a third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO)?

  • It depends. CMMC Level 2 will be split into two paths:
    • Contracts that require an assessment from a C3PAO (every 3 years);
    • Contracts where an annual self-assessment and affirmation from company leadership will suffice. 

How will your organization know if CMMC applies to your DOD contract(s)? 

  • The DOD will specify the required CMMC level in the solicitation and in Requests for Information (RFIs), if utilized. 

Do prime contractors and subcontractors need to be at the same level? 

  • If contractors and subcontractors are handling the same type of Federal Contract Information (FCI) and CUI, then the same CMMC level will apply. In cases where the prime contractor only flows down select information, a lower CMMC level may apply to the subcontractor.

Other key items your organization should be aware of? 

  • Under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, contractors were expected to have implemented all 110 controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 no later than December 31, 2017.
  • NIST SP 800-171 and CMMC Level 2 translate to 320 Assessment Objectives (AOs) that defense contractors need to meet.
  • The False Claims Act (FCA) is still a very real enforcement mechanism, and the Department of Justice (DOJ) has already been taking a stronger stance regarding cyber violations.

How is Sawdey well-positioned to help your organization prepare for CMMC? 

  • We have a dedicated team of cybersecurity experts, including a Lead CMMC Certified Assessor (Lead CCA), and CMMC Certified Professionals (CCPs) who have prepared clients for CMMC Self-assessments and C3PAO assessments. 
  • We have advised clients on how to build and maintain numerous CMMC Level 1 and Level 2 compliant information systems.
  • We are a Capability Maturity Model Integration for Services® (CMMI-SRV) Maturity Level 3 (ML3)-appraised company following International Organization for Standardization (ISO) 9001 certified processes. 
  • We have been selected by a major university as a partner responsible for educating suppliers on CMMC within the state of Ohio. 

Specifically, what CMMC services can Sawdey provide your organization? 

  • Identification of the needed CMMC level, based on current DOD work, and existing contract clauses. 
  • Risk mitigation strategies to more effectively manage and reduce cybersecurity risk. 
  • Full Cybersecurity Programs including, but not limited to, System Security Plans (SSPs), Cybersecurity Policies and Procedures, Shared Responsibilities Matrices (SRMs), Implementation Schedules, Self-Assessment advising, and Plans of Action & Milestones (POAMs). 
  • Assistance with enrolling and uploading your self-assessment score in the Supplier Performance Risk System (SPRS). 
  • Continued education and training as DOD cybersecurity rules and standards evolve. 

Prepare for CMMC with confidence. 

Sawdey is assisting DOD suppliers throughout the U.S. in navigating the complexities of CMMC. With Sawdey, you can obtain a high-quality evaluation of your current cybersecurity posture and learn how best to achieve your desired CMMC level. To gain a competitive advantage, consider completing your CMMC compliance now.

Key Resources 

    • DOD CIO CMMC information site 
      • The Internal Resource section has the most pertinent information
    • Accreditation Body (AB) for the CMMC Program 
    • Monthly Town Halls on the CMMC Program Status 
    • CMMC Assessment Process (CAP) 
    • DoD CMMC 101 Brief