Corserva is a CMMC-AB Registered Provider Organization™, and you can find us listed in the CMMC-AB Marketplace. As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains.
The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC requirement. By 2026, all new DoD contracts will require compliance with CMMC.
The CMMC qualification applies to subcontractors operating at any subcontracting tier.
The CMMC framework contains three maturity levels.
DoD contracts stipulate which level (1, 2, or 3) a defense contractor must meet to be eligible to bid on or work under a contract. A subcontractor working for a prime may not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 2, but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171, and across the 14 families are a total of 110 individual requirements. The CMMC model comprises 14 domains that align with the families specified in NIST SP 800-171.
There is a direct correlation between NIST 800-171 requirements and Level 2 of CMMC.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
Your method for CMMC compliance varies based on whether you are protecting FCI or CUI and the priority of the program in which you participate.
Level 1 CMMC companies can self-attest to CMMC.
Some Level 2 CMMC companies can self-attest; others need an outside assessment.
All Level 3 CMMC companies will need a government-led assessment.
Level 2 companies needing an outside assessment must work with an accredited, independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO.
A list of approved C3PAOs qualified to perform CMMC assessments can be found on the website of the CMMC Accreditation Body (CMMC-AB).
The process to achieve CMMC compliance is as follows:
As a CMMC-AB Registered Provider Organization™ (RPO), Corserva can advise companies in preparation for a CMMC assessment by a C3PAO. We can also advise you in self-attestation if that is an option for your company.
Corserva offers an easy process for your organization to comply with CMMC and prepare for a CMMC assessment. Request a quote today to protect your government contracts and prevent cyber threats.