We Offer A Solution-Driven Approach

CMMC Compliance assessment & tracking

Policy development

Annual risk & security assessments

Scoring details

Development of System Security Plan (SSP)

Incident response planning & testing

*Keep Current Contracts.

*Attain New Contracts.

*Expand Contracts.

Cybersecurity is NOT an Information Technology (IT) issue; it’s an organizational issue. Therefore, focusing on technical controls only is ineffective!

WHO REQUIRES CMMC COMPLIANCE?

If the contract contains DFARS 252.204-7012, and/or you are receiving or generating CUI in the performance of a contract, then you need to certify under CMMC.

CMMC Certifications apply to Contractors and Sub-Contractors to the Department of Defense (DoD) that process, store, and/or transmit Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI).

“The requirements apply to components of nonfederal systems that Process, Store or Transmit CUI or that provide security protection for such components.” This covers Prime Contractors, Sub-Contractors, Managed Service Providers (MSP/MSSP), cloud service providers (CSP) and other associated service providers that protect or touch FCI and/or CUI.

Sub-Contractors and suppliers at any stage of a Prime DoD Contractor’s supply chain need Supplier Performance Risk System (SPRS) scores, and that score and documentation information is available to the Prime. Your security team may have already received detailed “Security Questionnaires” from each of your customers. This growing mountain of work can be eliminated by having an SPRS score and documentation available for use by your customers.

You must submit scores, along with other information, to DoD via SPRS. Your SPRS score allows procurement officers and prime contractors to compare your cyber posture to that of competitors. Your company’s score affects renewals, extensions and new awards.


Risks of Not Certifying:

Delays, rejections, lost contracts, non-compliant bids

DoD Procurement and Security Groups are reviewing the CMMC compliance of their Prime contractors and the Primes’ complete supply chains to identify vulnerabilities. Non-compliant supply chain companies may be removed from a contract in favor of compliant entities. Contracts may not be awarded, or awards may be delayed, while compliance issues are resolved.

⦁ Your company is removed from an existing contract, renewal contract or new business bids.

⦁ Risk of doing it yourself: time, resources, missed opportunities. Is knowing CMMC intricacies a primary driver of your business?

⦁ Just like you don’t do your own business taxes, you would not do this assessment on your own.


Advantages of Certifying:

⦁ Having an SPRS score and documentation becomes a huge time and resource saver: completed once and used in all bids and customer security questionnaire requests.

⦁ Your company also rises into your customer’s procurement and compliance teams’ preferred selection group for new and renewal contracts.

⦁ Your company can become a prime contractor.

⦁ Your company wins more awards because it has a posted SPRS score and documented procedures, making it easy for Primes and DoD Procurement officers to include your company in RFI, RFP and RFQ bids.

Fallacies

⦁ “CMMC is going away.” Quite to the contrary:

The Canadian government recently announced that they will be implementing something very similar to CMMC.

The General Services Administration (GSA) included CMMC language in the 8(a) STARS III GWAC.

United Launch Alliance (ULA) and other contractors are putting CMMC requirements in their contracts.

⦁ “We’re a [small; micro; mom & pop; disadvantaged; minority-owned; woman-owned; veteran-owned] business. It doesn’t apply to us.”

⦁ “We’re already AS9100; ISO 27001; SOC; PCI; HIPAA, etc. certified/compliant.”

⦁ “We’re not in scope; it doesn’t apply to us, just our client.” (Favorite line that comes from an MSP/MSSP with enterprise admin rights.)

⦁ “Our IT guys will take care of it.”

⦁ “We’ll just put our data in the cloud.”

⦁ “Our managed service provider handles that/will handle that.” “Can’t we just accept the risk?” “I’m sure there will be waivers.”

"Many security teams have over-invested in a plethora of tools. As a result, they are also suffering from alert fatigue and multiple console complexity and facing the challenges in recruiting and retaining security operations analysts with the right set of skills and expertise to effectively use all those tools."