As of January 2020, the federal government has moved to an improved version of CUI called the Cybersecurity Maturity Model Certification (CMMC), which now includes a verification component.

What is CMMC (Cybersecurity Maturity Model Certification)?

Every federal contractor that stores, processes, or transmits Federal Contract Information (FCI) or Covered Defense Information (CDI) is considered a covered entity and therefore required to adhere to the CMMC regulation. This requirement also includes their subcontractors and supply chain that share in FCI and CDI.

CMMC is designed to measure the cybersecurity maturity of an organization through three different levels. The levels consist of cybersecurity best practices, frameworks, and standards from the community. Each level has a set of practices, which build on the previous level.

However, with the CMMC model still in flux, the DoD announced the Interim Rule, which went into effect November 30, 2020. As of that date, contracting officers will check the Supplier Performance Risk System (SPRS) database to confirm that a contracting agency has an active SPRS Assessment prior to the award of a new contract or the continuation of an existing one.

While you can now self-assess using the SPRS database, it is not as straightforward as you might think (or want).

The 3 Levels

Level 1 is equivalent to the full set of safeguarding requirements from FAR Clause 52.204-21.

Level 2 builds on Level 1 and includes all the safeguarding requirements from NIST SP 800-171.

Level 3 extends the process further and will be based on a subset of NIST SP 800-172 requirements.

The Department of Defense (DoD) disclosed changes to the original CMMC model, resulting in this current CMMC 2.0 model.

What Sets Duffy Compliance Services Apart

Our Methodology

We have a proven methodology that sets us apart. Anyone can look at the compliance security requirements. The real power comes from knowing how to cover those security requirements using existing infrastructure and new technologies that don’t require additional staff commitment. We know how to put them in place. We have created a proprietary three-phase approach to understand where you are, get you compliant, and then keep you there.

Phase 1

Gap Analysis (Finding out what you need to be in compliance)

You need to know where you are in order to know the path to where you need to be. Then you need a plan to get there (Phase 2).

Phase 2

Remediation Process (Getting you to compliance)

Using the plan from Phase 1, we make the necessary changes, such as encryption, intrusion detection, system monitoring, and role-based access controls.

Many programs end here. However, we add Phase 3 because security is a process, not a single event.

Phase 3

Security Maintenance (Keeping you in compliance)

Ensure that periodic controls are in place and active. Examples of these controls include continuous monitoring, scheduled vulnerability assessments, reviews of policies and procedures, table-top exercises, security awareness training, and phishing exercises.

Win and Retain Government Contracts

With CMMC certification you are able to continue, and pursue, the government work you are already qualified to perform.

Build your compliance package

The deliverables are the policies, procedures, tests, and a tracking system for CMMC compliance status, all bundled into a “compliance package” that an auditor can use to confirm the organization is meeting the mandates required by the government to secure CUI data.

Why Choose Duffy Compliance?

We bring decades of experience in implementing NIST security controls and best practices. We understand system security risk and how it affects system architecture. Our enterprise-level experience allows us to tailor solutions to your organization’s unique set of requirements that get you compliant with as little change and disruption as possible.

Duffy Compliance Services gives you the peace of mind of knowing that your compliance effort is being professionally handled and your data is safe and secure. There have been many times we have been called to an organization after a security breach or event. It is much more expensive to clean up a breach than it is to prevent one.

Duffy Compliance Services, a provider of cybersecurity consulting and compliance services, is a candidate Certified 3rd Party Assessor Organization (C3PAO) under the CMMC Accreditation Body. A C3PAO is authorized to schedule, manage, and provide assessments for organizations seeking to become CMMC compliant.


Click here to book your no-obligation 15-minute CMMC compliance consultation with one of our Compliance Information Specialists. This conversation will help you understand exactly what is needed to avoid problems with these new regulations. A few minutes now could ensure your ability to continue as a Federal contractor (prime or sub).

We can help with a Fractional Compliance Officer, CUI compliance, CMMC, Cyber Security Awareness Training, Supplier Performance Risk System (SPRS) Consulting, and more. We have several decades of cybersecurity and compliance experience in Maryland, the Greater Washington DC area, and beyond.