Cybersecurity Maturity Model Certification (CMMC) Services
Cybersecurity Maturity Model Certification (CMMC)
We are an Authorized CMMC Third Party Assessment Organization (C3PAO) through the Cyber AB. We have extensive experience assessing and implementing cybersecurity frameworks including NIST SP 800-171, CMMC, the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and the Risk Management Framework (RMF). We are adept at helping businesses from start to finish.
We provide the following services:
• CMMC Preparation Consulting
• NIST 800-171 Gap Assessment
• CMMC Readiness Assessment
• CMMC Assessment through Joint Surveillance Voluntary Assessment
C3PAO Assessment Services
KNC Strategic Services is an Authorized CMMC Third Party Assessment Organization (C3PAO) through the Cyber AB.
Joint Surveillance Voluntary Assessment Program (JSVA)
The JSVA is a program for an Organization Seeking Certification (OSC) under the Cybersecurity Maturity Model Certification (CMMC) program. It consists of a coordinated assessment between the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and an Authorized C3PAO such as KNC Strategic Services.
- DIBCAC conducts an assessment under DFARS 252.204-7020 at the High confidence level (referred to as a DIBCAC High Assessment)
- In coordination with DIBCAC, KNC, an Authorized C3PAO, participates and observes the assessment
- Successfully completing a DIBCAC High assessment results in a score entered into the Supplier Performance Risk System (SPRS)
- The JSVA assessment is expected to convert to a CMMC Level 2 certification once the final CMMC rule is in effect
To be eligible for the JSVA:
- The OSC must hold an active Department of Defense contract, or be a subcontractor to a prime on an active DoD contract
- The OSC must currently possess Controlled Unclassified Information (CUI) as a DoD contractor or subcontractor
To pursue the JSVA, an OSC must ask an Authorized C3PAO to submit it as a candidate for assessment. Before the request is submitted, the OSC must complete a CMMC Readiness Assessment conducted by that Authorized C3PAO.
What is the Cybersecurity Maturity Model Certification (CMMC)?
According to the DoD, the CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several levels that range from basic cyber hygiene to advanced.
For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level.
Source: Office of the Under Secretary of Defense for Acquisition and Sustainment - https://www.acq.osd.mil/cmmc/
The Reality of CMMC for Small Businesses
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirement for the Defense Industrial Base has impacted small businesses significantly. They face a considerable challenge in implementing the requirements for CMMC.
CMMC Doesn't Exist (yet)
This is a direct quote from our good friend at the Defense Acquisition University, Chris Newborn. It may sound odd, weird, wrong, or even crazy. But it is true and is an important distinction to make. Right now, until the rulemaking is complete, CMMC does not exist as a contractual requirement. What does exist is DFARS 252.204-7012, 252.204-7019, and 252.204-7020. These are the current requirements: implement NIST SP 800-171, score yourself against the DoD Assessment Methodology, and submit that score to the Supplier Performance Risk System (SPRS).
There is a DoD program that allows a company to be assessed voluntarily by a C3PAO before the final rule is in effect. This is done in coordination with DIBCAC. If a company passes the CMMC Level 2 assessment, the expectation (not yet guaranteed) is that it will be certified as CMMC Level 2 once rulemaking is complete, and its three-year renewal window will not start until that point. Depending on when the final rule takes effect, this could add one to two years to the renewal window. That saves time and significant money, both on preparation and on the cost of the assessment itself.
Our CMMC Preparation Services
Becoming compliant with NIST SP 800-171 is not easy. It is not quick. It is not cheap. Cybersecurity is a risk management investment. Many small business defense contractors are taking 12 to 18 months to fully implement all of the requirements, technology, culture changes, practices, and procedures needed to be ready for their assessment. Delaying until the rulemaking is complete is a roll of the dice in a game you can't win. If you delay, you will be behind the curve, potentially losing competitive advantage and the ability to do business with the DoD and with the many large prime contractors that expect or require their subcontractors to be compliant as soon as possible, and that will otherwise stop doing business with you.
KNC is here to help you, however you need it. We can complement your existing team or manage the entire preparation process. Our goal is for you to do everything you want to do, and for us to help only with what you do not want to do or cannot do. We team with our clients as trusted partners and advisors. We provide our Red, White, and Blue Glove service to our clients and treat them as friends.
At KNC Strategic Services, we take a risk-based approach. The general assessment principle we follow is that if documentation and evidence are nonexistent, then the practices and processes are nonexistent, and the internal control environment is ineffective.
We are actively supporting the Defense Industrial Base as it prepares for the upcoming CMMC assessments.