Trusted CMMC Compliance Solutions
Safeguarding controlled government and military data from unauthorized disclosure is critical to our national security and economic freedom. Up to now, companies that process sensitive government data, whether directly or as a subcontractor, have only been required to self-attest to their compliance with the relevant regulatory requirements.
The self-attestation approach has not been successful, as evidenced by notable breaches of critical government information in both the public and private sectors. This has driven the U.S. Department of Defense (and other government agencies) to mandate a higher level of attestation: the Cybersecurity Maturity Model Certification (CMMC).
Why FoxPointe?
Our team of trusted experts has developed a comprehensive approach to help manage CMMC attestation. FoxPointe Solutions has years of experience developing and managing information security and risk management systems that comply with government and industry regulations. We have helped numerous public, private, and governmental organizations comply with NIST SP 800-171, which covers 110 of the 130 controls required for CMMC Level 3 certification. While CMMC is a new certification scheme, the process of preparing for CMMC certification isn’t new to FoxPointe Solutions.
CMMC Compliance Attestation
CMMC requires each organization to undergo a third-party audit to determine the maturity of its information security controls. Your organization’s maturity level (Level 1 through 5) determines its eligibility to respond to specific RFPs. The required level is listed in the RFP (sections L and M), and your organization will have to be certified to that CMMC level in advance. CMMC compliance is also required for your organization to continue doing business with the DoD. Need to prepare for these upcoming requirements? FoxPointe Solutions can help.
CMMC Readiness Services:
- Assist in determining the CMMC Level of your organization (Level 1, 2, 3, 4, or 5).
- Development of policies and procedures.
- Creation of System Security Plans.
- Perform a readiness/gap assessment with actionable deliverables, to address basic to advanced cyber hygiene processes and practices.
- Evaluate risks to ensure controls are designed appropriately and align with your organization’s risk assessment, which is required for Level 2 and above.
- Develop a Plan of Action and Milestones (PoAM) to prepare the proper roadmap to certification.
The 3 Levels of CMMC Compliance
CMMC compliance is broken up into three levels. Each level has a set of required practices and controls, and each level builds upon the last.
Level 1: Basic cybersecurity controls and hygiene must be demonstrated to reach CMMC level 1. The basic practices that are required to be demonstrated and implemented for CMMC level 1 are represented within the Federal Acquisition Regulation (FAR) 52.204-21 set of cybersecurity controls. Contractors and suppliers may demonstrate CMMC level 1 compliance through self-assessments and self-attestations for the required controls.
Level 2: In addition to having implemented the practices required for CMMC level 1, an organization with a goal of level 2 compliance must have all National Institute of Standards and Technology (NIST) Special Publication 800-171 controls implemented. Depending on the type of data an organization processes, level 2 CMMC compliance may be met through one of two avenues. If an organization is processing critical information, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), it is required to undergo a certified independent third-party assessment of the required controls, performed by a CMMC Third-Party Assessment Organization (C3PAO). Organizations that are not processing or handling such critical data may have executive leadership perform and certify a self-assessment.
Level 3: This final level of the CMMC tiers is met when a contractor is able to demonstrate compliance with a particular control subset of NIST Special Publication 800-172. This particular set of NIST controls was designed specifically for organizations that need to be protected against threat actors that typically target the DoD supply chain. This represents over 100 controls that must be implemented in addition to those included in the previous two levels. Organizations that wish to achieve CMMC level 3 compliance are required to have a government-led assessment every three years, performed by the Defense Contract Management Agency.
Hear What Our Clients Have to Say
“We were in need of a security officer who would understand our complex needs, help us troubleshoot and address areas of organizational risk in the technological arena, and instill the confidence that our systems and information were as secure as possible. The improvements in our security and the mitigation of risk were immediately appreciated. Carl is an excellent partner, always honest and transparent regarding areas in need of improvement and provides essential professional guidance to ensure compliance with all regulatory requirements.
I highly recommend FoxPointe for other organizations that want to ensure compliance and security with their Information Technology systems.”
Cindy Lee
CEO, OLV Human Services