CMMC/CUI Compliance & Accreditation

We can assist our clients with compliance and accreditation of CMMC/CUI standards as they will become a part of future acquisitions by the Federal Government.


Hills23 has extensive experience providing secure solutions to government and commercial clients. As a RPO, we offer the following services:

  • Pre-Assessment identifies preparedness for an official CMMC assessment. Conducted in the same manner as an official CMMC assessment with a certified provisional assessor (PA), the pre-assessment evaluates each practice and process to determine compliance with CMMC standards and in accordance with the CMMC assessment guides. Once complete, Booz Allen provides a pre-assessment report outlining findings and overall organizational preparedness (prepared/not prepared).

  • CMMC assessment achieves certification. This assessment follows the CMMC-AB Assessment Guide to determine the satisfaction and maturity for each practice and process using the CMMC verification criteria. Hills23 can provide liaison support during your CMMC assessment.

Hills23 will be ready to fulfill its RPO role and conduct CMMC gap assessments once rulemaking is finalized. We have built a team of expert assessors, all of whom have been qualified by the CMMC-AB. In addition to CMMC training, our team has significant assessment experience and qualifications in similar compliance areas (e.g., the Federal Risk and Assessment Management Program, the Federal Information Security Modernization Act, the Department of Defense's Risk Management Framework, and National Information Assurance Partnership certification).

While the rulemaking efforts are ongoing, organizations can get ahead now:

  • Voluntarily undergo the new CMMC 2.0 Level 2 certification. DOD plans to offer incentives to companies willing to undergo Level 2 certification.

  • Implement the NIST SP 800-171 standard across the organization. The Pentagon plans to suspend its CMMC pilot efforts and will not include CMMC requirements in any contracts until the rulemaking efforts are completed. However, organizations complying with NIST SP 800-171 will continue to be evaluated favorably.

  • Define policies and procedures. CMMC 2.0 eliminates many of the documentation requirements associated with the maturity processes at Level 3 and above in v1.2. However, policies and procedures will continue to play an important role in NIST SP 800-171 as well as CMMC 2.0.

  • Self-attest accurately. The Department of Justice (DOJ) has announced its intent to hold accountable entities or individuals that knowingly misrepresent their cybersecurity practices.

Background:

The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

The CMMC standard will be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and become a requirement for contract award. An implementation will be announced soon.

About CMMC (defense.gov)

CMMC is a unified cybersecurity standard for future Department of Defense (DoD) acquisitions. It measures cybersecurity maturity with three levels, and each level has a set of practices.

CMMC Model 2.0

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements. These are:

Streamlined Model

  • Focused on the most critical requirements:
    Streamlines the model from 5 to 3 compliance levels
  • Aligned with widely accepted standards:
    Uses National Institute of Standards and Technology (NIST) cybersecurity standards
Reliable Assessments

  • Reduced assessment costs:
    Allows all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments
  • Higher accountability:
    Increases oversight of professional and ethical standards of third-party assessors
Flexible Implementation

  • Spirit of collaboration:
    Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
  • Added flexibility and speed:
    Allows the Government to waive inclusion of CMMC requirements under certain limited circumstances

Rulemaking and Timeline for CMMC 2.0

The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.

While these rulemaking efforts are ongoing, the Department has suspended prior CMMC Piloting efforts.

The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.

References:

CMMC Main Page: Chief Information Officer > CMMC (defense.gov)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST Special Publication 800-171 Revision 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

Benefits With Our Service

Flexible Solutions

24/7 Unlimited Support

Questions About Service:

Hills23 Consulting specializes in strategic program management, SCADA security solutions, network engineering services, DOD/DOE mission gap support, electromagnetic superiority development, CMMC/CUI compliance, and risk management framework solutions.