DOD Cybersecurity Compliance
Get your business ready for the new CMMC requirements
Simpatico Systems CMMC Registered Provider Organization
Simpatico Systems is proud to be a Registered Provider Organization (RPO). Your company can trust Simpatico Systems with your CMMC and DOD Cybersecurity needs! Find us on the CMMC-AB Marketplace list of providers.
What is the CMMC?
Inside the Cybersecurity Maturity Model Certification (CMMC)
The CMMC model will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go/no-go” decision.
The CMMC model is intended to combine various cybersecurity control standards, such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
What do we know about the CMMC?
The CMMC will serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene and to protect Controlled Unclassified Information (CUI) that resides on the networks of the Department’s industry partners (contractors).
What can DOD contractors expect as this is pushed out?
DoD contractors will have to become CMMC certified by passing an audit performed by a DoD-accredited auditor. Contractors will have to meet the level of cybersecurity appropriate for their business. This will become the requirement for anyone who wants to hold contracts with the Department of Defense or work as a subcontractor on DoD-related projects.
What level of CMMC is right for me and my business?
Level 1: Basic Cyber Hygiene
In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 Rev1.
Level 2: Intermediate Cyber Hygiene
In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 Rev1 plus 7 new “Other” controls.
Level 3: Good Cyber Hygiene
In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 Rev1 plus 14 new “Other” controls.
Level 4: Proactive
In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.
Level 5: Advanced / Progressive
In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB plus 11 new “Other” controls.
What level of the CMMC will I need to get certified?
This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. The entire point of CMMC is to make it more feasible for small to mid-sized businesses to become compliant while ensuring that any sensitive information or CUI your organization handles remains safe. This means that most companies will fall under Level 1 or Level 2 (which together map 64 controls from 800-171), while prime contractors can expect to become Level 3 certified (which maps all 110 controls from 800-171). Levels 4 and 5 (which map additional controls found in 800-171 RevB) will typically be required of the large primes such as Lockheed Martin and Northrop Grumman.
When does CMMC go into effect?
How do I achieve CMMC compliance?
Defense contractors are not compliant with CMMC until they coordinate with an accredited, independent third-party certification organization to perform a CMMC audit. It is in contractors’ best interest to partner with an agency like Simpatico Systems to help them prepare for a CMMC audit.
What should I do to prepare for an audit?
- DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC audit up to CMMC Level 3.
- DoD contractors that have not implemented the NIST SP 800-171 Rev1 or RevB controls have the following options available to prepare for a CMMC audit.
Although the DoD contractor is ultimately responsible for ensuring that their company meets the cybersecurity requirements, many DoD contractors that don’t have the resources or IT staff available to ensure compliance choose to outsource the task to a Managed Security Service Provider (MSSP) that understands the complexity around the CMMC.
What should I do right now?
Without a gap analysis, it’s impossible to know what changes an organization needs to make to meet the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that correct any problems and keep clients in line with CMMC requirements. The gap analysis will either aid a DoD contractor in carrying out their own remediation plan, or they may opt to have a third party, such as an MSSP, perform the remediation for them.
Simpatico Systems understands the urgency around obtaining compliance, as well as the complexity of navigating NIST compliance and the Cybersecurity Maturity Model Certification (CMMC). Our goal is to ensure that appropriate cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on DoD contractor systems and to ensure a successful audit and certification.
When bidding on large contracts, one aspect that benefits our chances of winning is getting all points available on Cyber Security evaluations. The benefits provided by Simpatico’s Cyber Security Program help our company stand out from the competition because of the thorough understanding of potential threats.
Angela Barnes, ITS Quest, Inc.
Simpatico has allowed us to focus on our business and not technology. They have handled our phone and data networks with a sense of professionalism and urgency; making us more profitable and our customers extremely happy.
Nathan Zeigler, Principal, Nathan Zeigler & Associates
The Cyber Security Program Simpatico offers provides an interesting and fun way for our staff to learn and become more aware of potential threats. The information in the training has influenced our company’s policy & procedures, allowing us to be more proactive when it comes to protecting data we are responsible for.
Sarah Reagan, ITS Quest, Inc.