Corserva is a CMMC-AB Registered Provider Organization™ and you can find us listed in the CMMC-AB Marketplace. As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains.
The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC requirement. By 2026, all new DoD contracts will require compliance with CMMC.
The CMMC qualification applies to subcontractors operating at any subcontracting tier.
The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic cyber hygiene at Level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.
These levels capture both the security controls and the processes that enhance a DoD contractor's cybersecurity. DoD contracts stipulate which level (1, 2, 3, 4, or 5) a defense contractor must meet to be eligible to bid on or work under a contract. A subcontractor working for a prime does not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 3, but a supplier to that prime may only need to be at Level 1 if the supplier will never receive or handle information that needs to be protected.
Difference Between NIST SP 800-171 and CMMC
You should think of NIST 800-171 as the foundation for CMMC. NIST 800-171 contains 14 families of requirements, which together comprise 110 individual requirements. CMMC Levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.
There is a direct correlation between the NIST 800-171 requirements and Level 3 of CMMC.
Unlike NIST 800-171, there is no option for self-attestation with CMMC.
How Do I Know If I Need to Meet CMMC?
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
How to Meet the CMMC Qualification
The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO.
A list of approved C3PAOs qualified to perform CMMC assessments can be found on the website of the CMMC Accreditation Body (CMMC-AB).
The process to achieve CMMC compliance is as follows:
- Determine the level of CMMC you want to meet (either based on future contracts on which you plan to bid or internal business goals).
- Prepare internally to meet the selected standard. Corserva provides CMMC readiness services to identify gaps in your processes and systems.
- Select a C3PAO from the CMMC Accreditation Body (CMMC-AB) Marketplace.
- Engage a C3PAO to provide the assessment.
- The C3PAO submits the assessment for review by the CMMC-AB.
- Certification is issued to your company.
As a CMMC-AB Registered Provider Organization™ (RPO), Corserva can advise companies in preparation for a CMMC assessment by a C3PAO.
Corserva offers an easy process for your organization to prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.