CMMC Assessments
As an Authorized Cybersecurity Maturity Model Certification (CMMC) 3rd Party Assessment Organization, Peak InfoSec provides CMMC Assessments for levels 1 through 3.
CMMC Level 1 Assessments
The Draft CMMC Program Rule will establish the requirement for all DoD contractors, their sub-contractors, and External Service Providers (ESP) who have access to Federal Contract Information (FCI) to self-attest to their compliance with Federal Acquisition Regulation (FAR) Clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.
While there are only 15 Security Requirements in FAR 52.204-21, §170.15, CMMC Level 1 Self-Assessment and Affirmation requirements of the draft rule requires organizations to measure their conformity against 59 Assessment Objectives.
This self-assessment will have to be submitted annually to DoD’s Supplier Performance Risk System (SPRS). The organization senior officials will have to sign a letter of attestation that will also be uploaded into SPRS. We expect the letter will have to be signed by the organization’s owner or chief executive and by the organization’s Chief Information Security Officer (CISO) or equivalent.
Please go CMMC Level 1 Services to see how Peak InfoSec can help.
CMMC Level 2 Assessments
Like Level 1, the Draft CMMC Program Rule will establish the Level 2 requirement for all DoD contractors, their sub-contractors, and External Service Providers (ESP) who have access to Controlled Unclassified Information (CUI) to self-attest to their compliance with DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (c.f., §170.16).
Organizations do this by conducting an internal self-assessment against the 110 Security Requirements in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which expand out to 320 Assessment Objectives under NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information.
The annual Level 2 self-assessment will have also to be submitted annually to DoD’s SPRS by the organization’s senior leadership.
§170.17, CMMC Level 2 Certification Assessment and Affirmation requirements, establishes the triennial 3rd party attestation by a CMMC 3rd Party Assessment Organization (C3PAO). An authorized C3PAO would come in and conducts a CMMC Conformity Assessment and report the results to DoD.
Please go CMMC Level 2 Services to see how Peak InfoSec can help.
While the rule is in Draft, Peak InfoSec can also conduct a Joint Surveillance Voluntary Assessment (JSVA) or NIST SP 800-171 Conformity Assessment of your organization.
CMMC Level 3 Assessments
The Draft CMMC Program Rule also establishes the Level 3 requirement for a subset of DoD contractors, their sub-contractors, and ESPs who have access to Controlled Unclassified Information (CUI).
Table 1 to §170.14(c)(4) adds 24 additional Security Requirements from NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 and the corresponding Assessment Objectives form NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information.
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, expand out to 320 Assessment Objectives under NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information.
The annual Level 3 self-assessment will have also to be submitted annually to DoD’s SPRS by the organization’s senior leadership.
§170.18, CMMC Level 3 Certification Assessment and Affirmation requirements, establishes the triennial 3rd party attestation by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Please go CMMC Level 3 Consulting Services to see how Peak InfoSec can assist your organization.
Social Contact