Corserva is a CMMC-AB Registered Provider Organization™, and you can find us listed in the CMMC-AB Marketplace. As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains.
The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC requirement. By 2026, all new DoD contracts will require compliance with CMMC.
The CMMC qualification applies to subcontractors operating at any subcontracting tier.
The CMMC framework contains three maturity levels.
- Level 1 - Foundational
- Level 2 - Advanced
- Level 3 - Expert
DoD contracts stipulate to which level (1, 2, or 3) a defense contractor must meet to be eligible to bid on or work under a contract. A subcontractor working for a prime may not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 2, but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.
Difference Between NIST SP 800-171 and CMMC
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171, and across the 14 families are a total of 110 individual requirements. The CMMC model comprises 14 domains that align with the families specified in NIST SP 800-171.
There is a direct correlation between NIST 800-171 requirements and Level 2 of CMMC.
How Do I Know If I Need to Meet CMMC?
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
How to Meet the CMMC Qualification
Your method for CMMC compliance varies based on whether you are protecting FCI or CUI and the priority of the program in which you participate.
Level 1 CMMC companies can self-attest to CMMC.
Some Level 2 CMMC companies can self-attest; others need an outside assessment.
All Level 3 CMMC companies will need a government-led assessment.
Level 2 companies needing an outside assessment must work with an accredited and an independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO.
A list of approved C3PAOs qualified to perform CMMC assessments can be found on the website of the CMMC Accreditation Body (CMMC-AB).
The process to achieve CMMC compliance is as follows:
- Determine the level of CMMC you want to meet (either based on future contracts on which you plan to bid or internal business goals).
- Prepare internally to meet the selected standard. Corserva provides CMMC readiness services to identify gaps in your processes and systems.
- Select a C3PAO from the CMMC Accreditation Body (CMMC-AB) Marketplace.
- Engage a C3PAO to provide the assessment.
- The C3PAO submits the assessment for review by the CMMC-AB.
- Certification is issued to your company.
As a CMMC-AB Registered Provider Organization™ (RPO), Corserva can advise companies in preparation for a CMMC assessment by a C3PAO. We can also advise you in self-attestation if that is an option for your company.
Corserva offers an easy process for your organization to comply with CMMC and prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.