CMMC Compliance Solutions for DoD Contractors

How U.S. Department of Defense Contractors Can Prepare for the Cybersecurity Maturity Model (CMMC) Certification

If you are one of the over 221,000 suppliers to the U.S. Department of Defense—whether a large prime contractor or a smaller subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)—you must achieve Cybersecurity Maturity Model Certification (CMMC) to secure or work on DoD contracts.

Be aware that the certification process typically takes most organizations between nine to twelve months or more to complete.

Is Your Cybersecurity Program Ready?

If you work on DOD contracts – whether as a prime or subcontractor and you want to keep that kind of work moving forward, passing the new CMMC is crucial. If you don’t know how to get started, are stuck somewhere between, aren’t 100% certain you’ll pass, or need help maintaining CMMC once you achieve it — ArcherHall has a four-step CMMC compliance service plan that is a perfect fit for you.

At ArcherHall, we are a CMMC Registered Practitioner Organization (RPO), with CMMC Registered Practitioners (RP) on staff. As CMMC compliance experts for DoD contractors, we help companies effectively and efficiently reach certification.

Our 4-Phase CMMC Process is Called COMPaaS – Compliance-as-a-Service:

A proven formula providing accurate direction — going from assessment to secure with the following four steps:

• Pre-CMMC Assessment Service
• Remediation
• Coordination, Guidance, and Advocacy during the formal CMMC C3PAO Audit/Assessment
• On-going Compliance

Why ArcherHall?

• ArcherHall is a CMMC Registered Practitioner Organization (RPO) since January 2021 through The Cyber AB
• ArcherHall employs CMMC Registered Practitioners (RP)
• ArcherHall is listed in the CMMC-AB Marketplace
• We have more than 20 years of information security / cybersecurity experience across multiple frameworks
• Expertise in NIST 800-171 (the predecessor to the CMMC)
• Focus on small and mid-size enterprises / organization

Learn more:  ArcherHall Capability Statement

CMMC Solutions for your Subcontractors

ArcherHall helps you ensure your subcontractors are CMMC compliant, offering tailored solutions to meet the compliance needs of your subcontractors.

Prime Contractor Package

• Joint presentations (webinars/in-person) to your subcontractors
• No cost to you; costs are borne by the subcontractor
• Regular reporting to provide clarity on where subcontractors stand in their compliance journey

Benefits to you as a Prime

• Strengthen your subcontractor’s supply chain
• Gain visibility into subcontractor compliance efforts
• Meet your obligations under CMMC
• Be seen as a hero in the eyes of your subcontractors

CMMC Explained

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.

As part of DoD contracts, primes and subcontractors are subject to the flowdown rules contained in the Federal Acquisition Regulation (FAR) as well as the Defense Federal Acquisition Regulation Supplement (DFARS). In an effort to continue to improve cybersecurity and prevent the loss of intellectual property and other sensitive information, this government-led effort is being implemented to protect the U.S. Defense Supply Chain (DSC) from foreign and domestic cybersecurity threats, and reduce the overall security risk of the sector.

Since the adoption of DFARS 252.204-7012 in 2016, nearly 300,000 US DoD Contractors have been scrambling to understand and implement NIST SP 800-171 standards within their companies in order to be compliant with the regulation. Some have had the internal resources to become compliant themselves, while others have outsourced the task to vendors, such as ArcherHall, who help DoD suppliers comply with their cybersecurity mandates – and yet, others have ignored or failed to implement such requirements.

Due to this slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC).

CMMC is designed to ensure appropriate levels of cybersecurity controls and the processes are adequate and in-place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0 outlines three compliance maturity levels that range from Basic Cybersecurity Hygiene (Maturity Level 1) to Advanced Cybersecurity Practices (Maturity Level 3). When implemented, adherence to the CMMC will reduce the risk of hostile agents breaching a supplier’s cybersecurity defenses.

Unlike in the past (NIST 800-171) where a supplier was able to “self-assess” conformance with the standard, CMMC 2.0 requires that to be awarded prioritized contracts at Level 2 and all contracts at Level 3, the organization needs to undergo a thorough, evidence-based, external audit performed by a Certified Third Party Assessor Organization (C3PAO), (Level 2), or from DIBCAC (Level 3).

For those organizations that can self-assess, a senior officer of the company will need to attest that the controls are in place and working as designed.

Compliance is required in order to be awarded a DoD contract. Depending on a supplier’s requirements and current state, the CMMC Accreditation Body (CMMC-AB) has advised that obtaining certification to the CMMC program will likely take a minimum of 6 months. ArcherHall’s experience with similar frameworks (and our deep knowledge on both NIST 800-171 and CMMC) would indicate that organizations may need a minimum of 12 months. Contact us for more information about our CMMC compliance services for DoD contractors.

Learn More

Official U.S. Department of Defense (DoD) CMMC web page: https://dodcio.defense.gov/CMMC/