Navigate the complexity of achieving Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) compliance and improve your cybersecurity.
As a CMMC Registered Provider Organization (RPO), Echelon helps Organizations Seeking Certification (OSC) navigate the complexity of achieving Cybersecurity Maturity Model Certification 2.0 (CMMC) compliance.
The Department of Defense is working with private industry to enhance their cybersecurity and resiliency in order to further the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base (DIB) supply chain. As a result, the DoD released their CMMC program in January 2020.
The DoD initiated an internal review of CMMC’s implementation due to significant critical feedback. Upon completion of the review, the DoD released modifications under a new implementation called CMMC 2.0, which aimed to reduce CMMC 1.0’s complex tiering structure and requirements.
CMMC 2.0 now contains three levels of maturity which are rooted in the requirements outlined in NIST Special Publication 800-171.
Moving up, each level becomes more technically challenging. It’s important to select a partner with the right technical skill sets, coupled with an understanding of the compliance model and framework.
Levels 2 and 3 require external certification from a Certified Third-Party Assessor Organization (C3PAO). Echelon can help you understand the requirements, determine your current state of compliance, and remediate the gaps that must be closed to achieve compliance.
Whether a prime contractor, subcontractor, or sub-tier supplier, every organization doing business with (or wishing to do business with) the DoD will need to be CMMC 2.0 certified to the correct levels of the CMMC 2.0 framework.
Implementing many of the practices outlined in CMMC 2.0 takes time, resources, tools, and other investments. We bring the right resources to support your unique journey and decrease your time to compliance.
We support your organization through the entire CMMC 2.0 process and provide a holistic approach to help you not only achieve compliance, but also long-lasting cybersecurity improvements based on your unique environment.
One of the most critical steps in CMMC 2.0 compliance is proper scoping. We will help to identify and define the organizational and technical boundaries of the environment(s) for the assessment, based on requirements associated with your desired CMMC 2.0 level. We will perform detailed technology survey workshops where we will build our understanding of the current state of CUI and FCI flow within your environment. The outcome will be a defined boundary for the coming phases of the process, or guidance and recommendations to scope down the systems and boundaries where possible. At the conclusion of the scoping phase, we will have built a solid understanding and foundation for CMMC 2.0 compliance based on business data flow and organizational needs.
The gap assessment phase of the CMMC 2.0 compliance process evaluates the current state of your cybersecurity maturity program against the CMMC 2.0 practice and process requirements. We use the assessment methodology defined in NIST Special Publication 800-171A to evaluate all of the CUI security requirement families. The outcome will be a comprehensive report outlining the current state of compliance along with detailed recommendations to achieve the desired state.
As part of the outcome of the CMMC 2.0 gap assessment, we will help you define and document a phased remediation strategy and roadmap that puts your organization on a path to achieve compliance and make long-lasting cybersecurity improvements. Once the roadmap is in place, we can provide you with ongoing support and assistance at various levels within your cybersecurity program. Depending on your own internal capabilities and commitments, we can assist from an overall project management and strategic guidance standpoint, or help you at the task level with engineering, project management, and control implementation.
When your organization reaches the point of gap closure and the to-do list is complete, you are nearing the audit milestone. Prior to having an independent third party perform the audit, we recommend performing a pre-audit assessment. This pre-audit assessment is much like the gap assessment; however, it will allow us to dive a little deeper to gain extra assurance that your organization is ready to pass the upcoming CMMC 2.0 assessment.
When your organization is finally ready for the third-party assessment and validation, we can assist you in this process by helping you select a qualified assessment firm or CMMC Third Party Assessor Organization (C3PAO). We can assist you with writing an RFP for C3PAO selection, assist you through the interview and selection process, and then also provide assessment support and concierge services to make the assessment process go as efficiently and effectively as possible. We will support you by being the first interface to the assessment firm and we will help to satisfy evidence requests, answer questions from the assessment firm and provide any other support as necessary to achieve the desired outcome.
Once you have successfully completed the CMMC 2.0 assessment process, we will provide you with ongoing cybersecurity support at both the strategic and tactical levels to ensure that your organization continues to achieve compliance and high levels of cybersecurity maturity over time.