The Cybersecurity Maturity Model Certification (CMMC) is the unified framework to be used by the Department of Defense (DoD) for acquisitions from both prime contractors and subcontractors that provide goods and services to the DoD. In the past, both prime contractors and subcontractors needed to attest to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 compliance as part of the award process. CMMC differs from DFARS 252.204-7012 by enforcing the requirement before award, i.e. "pre-award."
Who needs it?
Any prime or subcontractor that provides goods or services to the DoD will need to comply with the CMMC for third-party assurance that they are able to protect controlled unclassified information (CUI). There are multiple levels of CMMC certification, and the DoD will inform organizations of the CMMC maturity level they need to achieve in order to be awarded contracts.
What we do
Sikich works closely with manufacturers, suppliers, and other service providers to mature cybersecurity resilience in the US supply chain and Defense Industrial Base Sector to:
- Bring vision, planning, and support to the implementation of safeguards that achieve compliance with business objectives and obligations;
- Help clients apply their knowledge and resources to maintain information security awareness and operations; and
- Provide effective and efficient advisory services through evidence-based practices and highly skilled, dedicated, and competent consultants.
CMMC STARS Program
The STARS CMMC readiness program supports clients by simplifying Cybersecurity Maturity Model Certification (CMMC) certification and the implementation of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), which ultimately protects the warfighter on the battlefield. As part of this program, Sikich assists with scoping the CMMC enclave, completing self-assessment scoring, identifying compliance gaps, completing Plan of Action and Milestones (POAM) remediation planning, and documenting the System Security Plan (SSP). We also function as your outsourced cybersecurity and risk consulting partner, helping to guide efforts related to achieving and maintaining compliance.
Where to start
The STARS CMMC readiness program onboarding process scopes the organization's current CMMC journey. STARS is a holistic approach to meeting CMMC and government contractual requirements. Aligning the organization's CMMC maturity with the appropriate STARS phase allows Sikich to integrate established processes and documentation into the program. The onboarding process and alignment save money and time by streamlining what is required to achieve a secure and compliant environment.
Major milestones and deliverables
Define CUI Scope
- Scope reduction advisory services
- Business objectives
- CUI classification
- Network diagrams
- Data flows
- Technologies
- People
- Shared responsibilities
- CMMC scoping document
Provide Training Materials
- DFARS overview
- CMMC requirements
- CUI data classification and handling
- Documentation management
- CMMC training materials
Implement continuous compliance support
- CMMC control measure playbook
- Bi-weekly risk remediation advisory services
- Quarterly executive management updates
- Annual incident response training and testing
- Annual security awareness training
- Subcontractor assessments
- CMMC compliance playbook
- Quarterly compliance reports
- Training materials
- Subcontractor compliance reports
Design a strategic remediation roadmap
- Gap remediation recommendations
- Plan of Action and Milestones
- System Security Plan
- NIST SP 800-171 information security policies
- Incident response plan
- CMMC System Security Plan
Perform DoD Basic Self-Assessment
- NIST SP 800-171 controls review
- Interviews
- Documentation review
- Controls validation
- NIST SP 800-171 gaps identification
- DoD basic self-assessment score
- CMMC risk register
- Executive presentation
Additional CMMC Services
General Information Security
- NIST SP 800-171 information security policy development
- Virtual Chief Information Security Officer (vCISO) consulting
- KnowBe4 security awareness training
- Information security consulting
Incident Response
- Breach verification and remediation
- Data recovery
- Electronic litigation
- Forensic investigations
- Incident response plan development
Risk Management
- Business continuity planning
- Security and risk assessments with threat modeling
- Vendor management and security assessments
- Cloud security assessments and transition consulting
Security Testing
- Application and network penetration testing
- Network segmentation testing
- Wireless network reviews and testing
- Physical security testing
- External and internal vulnerability scanning