As of January 2020, the federal government has moved to an improved version of CUI called the Cybersecurity Maturity Model Certification (CMMC), which now includes a verification component.

Every federal contractor that stores, processes, or transmits Federal Contract Information (FCI) or Covered Defense Information (CDI) is considered a covered entity and therefore required to adhere to the CMMC regulation. This requirement also includes their subcontractors and supply chain that share in FCI and CDI.

CMMC is designed to measure the cybersecurity maturity of an organization through five different levels. The levels consist of processes and cybersecurity best practices, frameworks, and standards from the community. Each level has a set of processes and practices, which build on the previous level.

The 5 Levels

Level 1 is equivalent to the entire safeguard requirements from FAR Clause 52.204-21

Level 2 builds on Level 1 and also includes the documentation of the 14 families of controls [domains] found in NIST SP 800-171

Level 3 builds on Levels 1 and 2 and now includes all the safeguard requirements from NIST SP 800-171, including a System Security Plan (SSP) and Plan of Action and Milestones (POAM)

Level 4 continues this process through reviewing and measuring the security control activities for effectiveness

Level 5 continues the process even further with optimizing the security controls across all applicable components in the organization

What Sets Duffy Compliance Services Apart

Our Methodology

We have a proven methodology that sets us apart. Anyone can look at the compliance security requirements. The real power comes from knowing how to cover security requirements using existing infrastructures and new technologies that don’t require additional staff commitment. We know how to put them in place. We have created a proprietary three-phase approach to understand where you are, get you compliant, and then keep you there.

Phase 1

Gap Analysis (Finding out what you need to be in compliance)

You need to know where you are in order to know the path to where you need to be. Then you need a plan to get there (Phase 2).

Phase 2

Remediation Process (Getting you to compliance)

Using the plan from Phase 1, make the necessary changes, such as encryption, intrusion detection, system monitoring, and role-based access controls.

Many programs end here. However, we add Phase 3 because security is a process, not a single event.

Phase 3

Security Maintenance (Keeping you in compliance)

Ensure periodic controls are active and in place. Some examples of these controls include continuous monitoring, scheduled vulnerability assessments, reviews of policies and procedures, table-top exercises, and security awareness training and phishing exercises.

Win and Retain Government Contracts

With a CMMC certification you are able to continue and pursue the government work you are already qualified to engage in.

Build your compliance package

The deliverables are the policies, procedures, tests, and tracking system of the CMMC compliance status all bundled in a “compliance package” that an auditor can use to confirm the organization is meeting the mandates required by the government to secure CUI data.

Why Choose Duffy Compliance?

We bring decades of experience in implementing NIST security controls and best practices. We understand system security risk and how it affects system architecture. Our enterprise-level experience allows us to tailor solutions to your organization’s unique set of requirements that get you compliant with as little change and disruption as possible.

Duffy Compliance Services gives you peace of mind to know that your compliance effort is being professionally handled, and your data is safe and secure. There have been many times we have been called to an organization after a security breach or event. It is much more expensive to clean up a breach than it is to prevent one.

Duffy Compliance Services, a provider of cybersecurity consulting and compliance services, is a Certified 3rd Party Assessor Organization (C3PAO) approved by the CMMC Accreditation Body. A C3PAO is authorized to schedule, manage, and provide assessments for organizations seeking to be CMMC compliant.

Click here to book your no-obligation 15-minute CMMC compliance consultation with one of our Compliance Information Specialists. This conversation will help you understand exactly what is needed to avoid problems with these new regulations. A few minutes now could ensure your ability to continue as a Federal contractor (prime or sub).


And if you want to learn more about CUI-SafeHarbor, our secure platform that provides small businesses and contractors an almost-instant turn-key CMMC compliance solution.
