The Cybersecurity Maturity
Stay Compliant, Protect Your Data, Win Contracts
With the Department of Defense's release of the CMMC 2.0 framework on November 4th, 2021, much of the content presented below is now out of date. designDATA remains at the forefront of the evolution of the CMMC standard and is thoughtfully reviewing these changes to ensure we can continue to be a leader in our clients’ CMMC journey.
In the meantime, if you have questions about what CMMC 2.0 means for you and your business, don't hesitate to get in touch.
designDATA is dedicated to providing robust information technology services. We continually support this dedication through certifications and compliance maintenance for both ourselves and our customers. We are pleased to add Cybersecurity Maturity Model Certification (CMMC) capabilities to our list of compliance services.
What is the CMMC?
Recently, the U.S. Department of Defense (DoD) implemented a required certification for all contractors and sub-contractors: the Cybersecurity Maturity Model Certification. This replaces and builds on the NIST 800-171 standard and related DFARS clauses and will be steadily phased into all contract bidding in the coming months.
The key differences between the new CMMC model and the old NIST 800-171 model are:
5 Levels of CMMC
Which level of CMMC certification you need will depend on the size of your organization, the service you provide the government, and the nature of the Controlled Unclassified Information (CUI) you manage. CMMC levels range from 1 (for 1-to-5-person shops) to 5 (for the largest contractors), with most mid-sized professional organizations requiring level 3.
Requires an Outside Audit
To be CMMC compliant, you need to get the appropriate certification from a Certified Assessor (CA) working under a Certified 3rd Party Assessment Organization (C3PAO). While previous models allowed for self-attestation, CMMC requires that a CMMC-certified CA and C3PAO do the work and issue you the certification.
Pass or Fail: No More POAMs
While previous models allowed organizations to have partial compliance, accepting a Plan of Action and Milestones (POAM) for how they plan to close the identified gaps, CMMC does not allow for this sort of “get better plan.” Your CMMC certification is a pass/fail; missing even one category when you’re audited means you have failed to get your CMMC and must be re-assessed once the problem is fixed.
Contracting Officers Won’t Have Leeway
While contracting officers and other government decision-makers may have had some latitude on the cybersecurity posture of their contractors, with CMMC, there will be specific certification levels required for certain contracts. For example, if a bidder does not have their level 3 CMMC for a contract that requires it, they cannot win the bid.
Having an appropriate CMMC certification can distinguish your organization from your competition when bidding on government contracts. Furthermore, failing to acquire your CMMC will make you entirely ineligible to win those contracts as a primary or sub.
Achieving this certification is a necessary and urgent step towards winning and retaining contracts with the DoD and other U.S. federal agencies.
designDATA CMMC Certification Services
designDATA is proud to be in the final stages of approval from the CMMC Accreditation Board to become a Certified 3rd Party Assessment Organization (C3PAO), with a number of our employees on track to become Certified Assessors (CAs). These rare distinctions will allow designDATA and its auditors to perform CMMC audits and issue CMMC certifications at levels 1, 2, and 3.
Stay tuned for more information about CMMC Certification Services.
Certification Readiness for Our Clients
designDATA assists many of our customers with meeting industry and government regulations, compliance, privacy laws, and certifications necessary for the type of work they do, including CMMC compliance.
designDATA can perform CMMC level 1, 2, and 3 readiness assessments. These readiness assessments act as a precursor to acquiring the actual certification. They are a necessary step to ensure that the time-consuming and expensive process of hiring a Certified Assessor and a Certified 3rd Party Assessment Organization results in a successful audit and the acquisition of your certification.
During the readiness assessment, our experienced auditors will review your current policies and controls, compare them with the CMMC standards, identify the gaps, and help you build your Plan of Action and Milestones (POAM) to ensure you’re ready for the entire audit. designDATA also offers consulting services to help implement your POAM, fill the critical niche for your existing compliance and security staff, and fast-track the POAM’s completion.
A key distinction in designDATA’s CMMC readiness assessment is that our organization and personnel are trained and authorized by the CMMC Accreditation Board to perform full CMMC audits. Our readiness assessments will ensure you meet the requirements of auditors because we are auditors ourselves; we know the evidence, behaviors, and policies auditors are looking for to grant certification. We use the same auditing framework, methods, and tools used in an actual CMMC audit and perform them using the same Certified Assessors to ensure that getting your certification is smooth sailing.
Can one company provide both Certifications and Readiness Assessments?
designDATA’s core values require that all of our business units operate ethically. We aim to proactively avoid negative situations like conflicts of interest.
It would be a conflict of interest for designDATA to perform an official CMMC audit for an organization for which we have completed a CMMC readiness assessment (or any other Managed IT Services). Therefore, we forbid ourselves from performing a CMMC audit for any organization that is a current CMMC readiness assessment or MSP client, or one that has been a client in the last five years.
Internal CMMC Certifications
As part of our efforts to become a C3PAO, designDATA is pursuing an internal CMMC certification at Level 3. We are currently on the waiting list for a DIBCAC assessment from the United States Department of Defense to validate our controls, policies, and practices. After that assessment, we expect to be awarded our CMMC Level 3 Certification.
designDATA is on track to becoming one of the first Managed IT Services companies to be CMMC compliant. We hope that this acts as assurance that our clients can trust designDATA with their network and data. In addition, this allows our clients to directly pursue government contracts with CMMC requirements, knowing that those pass-down requirements to subcontractors will be met with designDATA’s certification status.