Poseidon is positioned to steer Department of Defense (DoD) contractors, compliance practitioners, and assessors through the mandatory Cybersecurity Maturity Model Certification (CMMC) compliance framework process. Our solutions include a blend of products and services designed to help you and/or your clients strengthen their cybersecurity controls throughout the organization and prepare for certification.

Solutions include:
- Provisioning of a Compliance Methodology
- Gap Analysis and Baseline Readiness Determination
- Supplier Performance Risk System (SPRS) scoring
- Managing an organization through the process
- Plan and Policy Administration
- Technical Implementation of NIST 800-171 and NIST 800-172 practices/controls; infrastructure (on-premise/cloud/hybrid) design/implementation, technical and written policies, evidence capturing during implementation, and training
- Preparation of Package for delivery to an Assessor
- Assessments (Audits)
- Cyber Maturity-as-a-Service (CMaaS) to maintain and update controls through the mandatory CMMC 3-year cycles
- All of the above is managed through our Risk Management Platform (ATHENA); utilized by organizations, practitioners, and assessors
Phases required to obtain CMMC certification
Current DoD CMMC 2.0 Requirements
The Department of Defense, via the Office of the Under Secretary of Defense (OSD) Acquisition & Sustainment, has created a new cybersecurity standard and certification requirement for defense contractors called the Cybersecurity Maturity Model Certification (CMMC). Its sole purpose is to reduce the exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB) and secure the supply chain through the implementation of 48 CFR 52.204-21, NIST SP 800-171, NIST 800-172, and DFARS Clause 7012, among other standards.
- CMMC efforts build upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
- The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
- The intent is a combination of self-assessment and/or certified assessment, depending on the level required by the contract, and it authorizes independent third-party organizations to conduct audits and inform risk where the contract requires it.
- Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
- Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments.
- The highest priority, most critical defense programs (Level 3) will require government-led assessments.
CMMC 2.0 Maturity Model
DoD contractors need to determine which CMMC level they want or need to obtain and implement the controls necessary for compliance. Contractors that have already implemented NIST SP 800-171, ISO 9001, ISO/IEC 20000-1, and ISO/IEC 27001 should be 85-90% compliant with the new CMMC requirements. Additional controls will be provided in NIST 800-172.

DoD’s CMMC 2.0 Framework Levels consist of the following changes:
CMMC 2.0 Framework Levels
CMMC POA&Ms and Waivers
In CMMC 2.0, the DoD has authorized POA&Ms and Waivers (on a very limited basis) as of November 2021.
CMMC 2.0 POA&Ms and Waivers
CMMC Analysis, Implementation/Configuration, and Assessment Services
Poseidon has certified Registered Practitioners and Provisional Assessors with the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), is strategically partnered with Registered Provider Organizations (RPOs) and a CMMC Third-Party Assessor Organization (C3PAO), and is applying for C3PAO certification. We will deliver CMMC assessments for Organizations Seeking Certification (OSCs). Look for us in the CMMC-AB’s Marketplace: https://cmmcab.org/marketplace/
Poseidon will assist DoD contractors in preparing for CMMC. Contact us to learn everything you need to know about preparing for the Cybersecurity Maturity Model Certification (CMMC), which is mandatory for DoD contractors.
See the full CMMC 2.0 presentation by Poseidon
See CMMC videos featuring our CEO on our Events page: https://poseidon-us.com/events