Cybersecurity Maturity Model Certification (CMMC) Services
As an Authorized CMMC Third Party Assessment Organization (C3PAO) through the Cyber AB, we bring a wealth of experience in evaluating and implementing various Cybersecurity frameworks. Our expertise spans NIST 800-171, CMMC, NIST CSF, NIST 800-53, and RMF. With a comprehensive approach, we guide businesses throughout their journey, from inception to assessment and beyond.
We provide the following services:
- CMMC Preparation Consulting
- NIST 800-171 Gap Assessment
- CMMC Mock Assessment
- CMMC Certification Assessment*
- Managed Compliance Services
* Joint Surveillance Voluntary Assessment Program
C3PAO Assessment Services
Joint Surveillance Voluntary Assessment Program (JSVA)
The JSVA is a program for Organizations Seeking Certification (OSC) for the Cybersecurity Maturity Model Certification (CMMC) program. It consists of a coordinated assessment between the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and an Authorized C3PAO like KNC Strategic Services.
- DIBCAC conducts an assessment based on DFARS 252.204-7020 for a High Confidence Assessment (referred to as a DIBCAC High Assessment)
- In coordination with DIBCAC, KNC, an Authorized C3PAO, participates and observes the assessment
- Successfully completing a DIBCAC High assessment results in a score entered into the Supplier Performance Risk System (SPRS)
- The JSVA assessment is expected to convert to a CMMC Level 2 certification once the final ruling is completed
- The OSC must hold an active Department of Defense contract, or be a subcontractor to a prime contractor on a DoD contract
- The OSC must currently possess Controlled Unclassified Information (CUI) as an active Department of Defense contractor or as a subcontractor
To pursue the JSVA, an OSC must ask an Authorized C3PAO to submit it as a candidate for assessment. Before submitting the request, the OSC must complete a CMMC Readiness Assessment conducted by the Authorized C3PAO.
CMMC Preparation Services
Becoming compliant with CMMC/NIST SP 800-171 is not easy. It is not quick. It is not cheap.
Cybersecurity is a risk management investment. Many small business defense contractors are taking 12-18 months to fully implement all of the requirements, technology, culture changes, practices and procedures in order to be ready for their assessment.
Delaying until the rulemaking is complete is a roll of the dice in a game you won't win. If you delay, you will be behind the curve, potentially losing competitive advantage, and the ability to do business with the DoD and many of the large prime contractors that are expecting/requiring that their subcontractors are compliant ASAP or they will no longer do business with you.
We team with our clients as trusted partners and advisors.
At KNC, we take a Risk-Based Approach. The general assessment principle we follow is that if documentation and evidence are nonexistent, then the practices and processes are nonexistent, and the internal control environment is ineffective.
Work with KNC
We are actively supporting the Defense Industrial Base as it prepares for the upcoming CMMC Assessments.
Interested in receiving a proposal for our CMMC services? Fill out the CMMC Questionnaire below, and email it to us at sales @ kncss.com and we will send you a detailed proposal.
What is the Cybersecurity Maturity Model Certification (CMMC)?
According to the DoD, the CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several levels that range from basic cyber hygiene to advanced.
For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.
Source: DoD Department for Acquisition and Sustainment - https://www.acq.osd.mil/cmmc/
The Reality of CMMC for Small Businesses
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirement for the Defense Industrial Base has impacted small businesses significantly. They face a considerable challenge in implementing the requirements for CMMC.
CMMC Doesn't Exist (yet)
This is a direct quote from our good friend Chris Newborn, a retired Cybersecurity Professor at the Defense Acquisition University. It may sound odd, weird, wrong, or even crazy. But it is true and is an important distinction to make. Right now, until the actual lawmaking efforts are complete, CMMC does not exist. What does exist is DFARS 7012, 7019, and 7020. These are the current requirements: NIST 800-171, the DOD Assessment Methodology score, and the submission of your score to SPRS.
There is a DoD program that allows companies to be voluntarily assessed by a C3PAO before the final rulemaking is done. This is done in coordination with DIBCAC. If a company passes the CMMC Level 2 assessment, then once rulemaking is done it will be certified as CMMC Level 2 (though this is not yet guaranteed), and its three-year renewal window will not start until final rulemaking is complete. This could add one to two years to your renewal window. It would save time and significant money, not only on preparation but also on the actual cost of having the assessment done.