last changes: Oct 21st 2024
ECURON offers CMMC Consulting Services that are designed to take you from where you are to full CMMC compliance in the most efficient way.
Every organization starts the CMMC compliance process from a different point:
Your organization might be out of compliance with existing DFARS rules and lacking a NIST SP 800-171 assessment, resulting score, and required documentation (SSP & POA&M). Maybe you just need CMMC consulting and help with the implementation of certain control requirements. Or you might have implemented the CMMC requirements and need an independent party to verify your current status with a CMMC Pre-Assessment before you schedule the certification assessment by a C3PAO.
Every organization is different – which is why our CMMC Consulting Services will be tailored to your unique situation and needs.
WHAT IS CMMC?
In an effort to simplify the requirements and tighten security for Department of Defense (DOD) contractors, the DOD is in the process of rolling out a new cybersecurity framework standard called the Cybersecurity Maturity Model Certification (CMMC). This new umbrella standard includes requirements from NIST SP 800-171, the Federal Acquisition Regulation (FAR) clause 52.204-21, and beyond. The standard is focused on protecting two sets of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Unlike under the existing DFARS rules for NIST SP 800-171, self-assessments will be accepted only for the subset of contracts limited to FCI, and they will require an additional annual affirmation from a senior company official that the company is meeting the requirements.
Contractors receiving, handling, or creating CUI will be required to undergo third-party assessments by an authorized auditing entity (C3PAO) before being awarded a contract or subcontracting through a prime.
Only contracts for Commercial off-the-shelf (COTS) products will be exempt from CMMC compliance requirements.
For a brief 3 minute summary of the CMMC for DOD contractors see our blog post:
CMMC Compliance – A Quick Overview. Or download our more detailed report that covers all Cybersecurity Requirements for DoD Contractors:
CMMC IN MORE DETAIL
Under the new CMMC Compliance Rules, there are three CMMC compliance levels that are based on the information (FCI vs CUI) managed by the contractor and that differ in control as well as assessment requirements.
The vast majority of the DoD supply chain will be required to become certified for CMMC Level 1 or 2. For a more detailed description of the 3 different levels and their respective requirements see CMMC Certification Levels.
CMMC TIMELINE
The 32 CFR CMMC Program rule defines a phased rollout in 4 stages. CMMC will be implemented contractually by the DoD when DFARS clause 252.204-7021 is revised, and 60 days after the 48 CFR rule is published as final in the Federal Register. This is expected to be in Q2/3 of 2025.
Depending on your current status, your IT environment, and the size of your organization, we estimate 10-18 months to prepare for a CMMC Level 2 certification assessment. A potential bottleneck will be the availability of C3PAOs, as everybody will want to get certified at the same time and the requirements for CMMC assessors were increased recently. In other words, it’s time to get ready sooner rather than later to ensure eligibility for those new contracts.
CMMC CERTIFICATION PROCESS
Here are some rough time estimates and a general overview of the CMMC Certification Process.
CMMC CONSULTING SERVICES – HOW WE CAN HELP
Due to our status as a CMMC Registered Practitioner Organization™ (CMMC-RPO), Ecuron can perform CMMC Consulting for the pre-assessment phases, which include CMMC gap analysis, implementation support, and CMMC pre-assessment. We do not conduct the final Certification Assessments.
Depending on your current cybersecurity status as well as the CMMC Level you are required to achieve, implementation of the requirements will take anywhere from several weeks to more than a year. Starting now by implementing the requirements and cybersecurity best practices will save you valuable time and will get you ahead of the curve and the competition.
Our CMMC Consulting Services are designed to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment
  See where your organization stands and what it takes to achieve compliance.
- CMMC Implementation Help
  Based on the results of the first phase, we will help you close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment
  Think of it as a mock audit. We will verify that all controls and documentation are in place, mature, and can be proven to an auditor. If we find issues, we will help you fix them. Once we are confident that you are ready for the CMMC Assessment, we will recommend scheduling the actual assessment.
  If you would like us to take a look at only the documentation part, our CMMC Readiness Check is for you.
- CMMC Assessment Support
  We help you prepare for the certification audit and gather and organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.
If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 30 min consultation, email us at cmmc@ecuron.com or give us a call: +1-713-646-5044