Cybersecurity Maturity Model Certification

New Compliance and Security Requirements for Contractors

All Covered is continuing to stay on top of the latest updates and changes being made to the Cybersecurity Maturity Model Certification (CMMC) program. In case you missed it, the Department of Defense (DoD) has announced its suspension of the current CMMC 1.0 program and has moved the timeline for the new CMMC 2.0 requirements to after the Defense Federal Acquisition Regulation Supplement (DFARS) rule making.

All Covered is an Accredited Registered Provider Organization

The enhanced CMMC 2.0 model ensures accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements. Significant changes have been made in efforts to streamline the certification process. As an accredited Registered Provider Organization, All Covered has Registered Practitioners, CMMC Certified Professionals and CMMC Certified Assessors that work under our designation as an RPO. Our capabilities are unparalleled even with C3PAOs, as we are not governed by the same restrictions and have a lot of the same information.

Compliance Deadlines

By 2025, every company within the Defense Supply Chain and the Defense Industrial Base will need to become certified with CMMC through a Certified Third-Party Assessment Organization (C3PAO).


Federal Government Security Requirements

Previous attempts by the DoD to secure its information using the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) proved insufficient over time. The DoD is requiring all Defense Supply Chain companies, except COTS providers, to comply by adding to its previous contract clauses FAR 52.204-25 and DFARS 252.204-7012. New enhanced DFARS rules are being implemented through the end of the year to first ensure that companies subject to NIST SP 800-171 have completed their self-assessment and reporting requirements using SPRS, and secondly to allow third-party auditing of the basic implementation, along with the introduction of CMMC with third-party assessments on certain contracts.

The Certification Process

All Covered adheres to the following process to get Organizations Seeking Compliance (OSC) on their journey. First, our goal is to perform a practice/control gap assessment against the standard (CMMC L1 – 5, NIST SP 800-171, etc.). Next, we create a NIST SP 800-18 conforming System Security Plan (SSP) and Plan of Action & Milestones (POAM). We then consult with the organization to remediate and fill all gaps found in the POAM, to ensure a score of 110 on NIST SP 800-171 assessments and to remediate any gaps for full conformance with CMMC. We observe conformance over a 3 to 6 month period to ensure habitual and persistent behavior. Then we work with the OSC to identify artifacts that provide objective evidence of conformance. Lastly, we will introduce you to a C3PAO for your CMMC Assessment.

Our RPO Capabilities

We can have Registered Practitioners, Certified Professionals and Certified Assessors that work under our designation as an RPO. As an RPO, our capabilities are unparalleled even with C3PAOs: we are not governed by the same restrictions and have a lot of the same information.

Why Can’t an OSC Prepare for a Certification Assessment Using a C3PAO?

The C3PAO is very limited in the services it can provide to an OSC. It cannot provide recommendations or consulting to OSCs; it can only help organizations gather objective evidence of the implemented criteria. And from a cost perspective, an OSC can spend a significant amount on a certification assessment and still not receive certification.