Cybersecurity Maturity Model Certification

What Are the Proposed DoD DFARS Amendments?

The CMMC acquisition rule (CFR 48) was published in the Federal Register on August 15, 2024. The public comment period for the proposed rule is expected to end on October 13, 2024. Following adjudication of the public comments by the DoD and a final review from the Office of Information and Regulatory Affairs (OIRA), the acquisition rule is expected to go into effect March 2025.

Key aspects of the proposal include:

• Certification at Contract Award: Contractors must hold the appropriate CMMC certification level at the time of the contract award and maintain it throughout the contract's duration.
• Flow-Down Requirements: The CMMC requirements must be extended to all subcontractors handling FCI or CUI.
• Continuous Compliance: Contractors are required to annually affirm their compliance with the CMMC level applicable to the systems used in contract performance, with updates required if any changes occur.
• Phased Implementation: The proposed rules will be rolled out over three years, with selective implementation initially, becoming mandatory for all relevant contracts by the fourth year.

The proposed DFARS rule will impact certain contracts during a phased-in, three-year implementation period. Afterwards, the requirements will apply to all contracts for which the contractor will process, store, or transmit FCI or CUI on contractor information systems. 

During the first three years of the phased rollout, the CMMC requirement will be included only in certain contracts for which the CMMC Program Officer directs DoD component program offices to include a CMMC requirement. After three years, DoD component program offices will be required to include a requirement for CMMC in solicitations and contracts that will require the contractor to process, store, or transmit FCI or CUI on contractor information systems. 

Your Full-Service CMMC Provider

Cherry Bekaert is a full-service CMMC provider that can assist your organization with a wide variety of CMMC compliance needs. In addition to CMMC gap assessments, our professionals can provide oversight and management of remediation and reporting efforts. We also offer certification when independent as an authorized CMMC Third-Party Assessment Organization (C3PAO) and certified Registered Practitioner Organization (RPO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Inc. (The Cyber AB).

We assist Organization’s Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. As an authorized C3PAO, Cherry Bekaert partners with the Defense Contractor Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance Audit Program to perform DIBCAC High (NIST 800-171) Assessments, which are convertible to CMMC Level 2 Certification if a perfect score is obtained.

Our team is composed of CMMC certified practitioners with information technology (IT) and cybersecurity leadership experience. With our professional guidance, we drive practical and pragmatic recommendations and solutions that benefit your team.

CMMC Compliance Gap Assessments

Gap assessments are crucial in establishing a clear understanding of the current state of compliance against CMMC.

Our CMMC Compliance Gap Assessments are designed to assist management in understanding the scope and extent of the organization’s CMMC compliance needs.

At the end of our gap assessment, we provide a CMMC compliance roadmap that includes practical and pragmatic recommendations for CMMC remediation, so your organization has a clear plan forward.

CMMC Compliance Advisory Services

Once we have developed a clear view of gaps in CMMC compliance, our team of CMMC compliance advisory professionals will work with you to remediate gaps and drive the implementation of a CMMC program tailored to your organization.

We assist many organizations with crucial components of the CMMC program, including:

• Scope and boundary identification and definition
• Asset identification and categorization
• System security plan development
• Shared responsibility matrix development
• Policy and procedure development
• Alignment with/leveraging other compliance initiatives and efforts (where appropriate)
• Vendor and third-party selection and compliance (i.e., FedRAMP Moderate and CMMC requirements for CSPs and ESPs)

In addition, we can fully support your self-assessment efforts to make sure that all necessary program parameters are in place before being signed by an appropriate organizational executive.

CMMC Certifications and Attestations

Our CMMC assessments are streamlined from planning and testing though reporting and submission, to ensure an efficient assessment from beginning to end.

Cherry Bekaert follows a proven assessment process that includes the following phases:

• Plan and prepare the assessment
  • Establish roles and responsibilities
  • Validate CMMC assessment scope
  • Verify readiness to conduct the assessment
• Conduct the assessment
  • Collect and examine evidence
  • Conduct interviews
  • Determine FedRAMP Moderate Equivalency for Cloud Service Providers (CSPs)
  • Score OSC practices and validate preliminary results
• Report recommended results
  • Deliver recommended assessment results
  • Submit, package, and archive assessment documentation
  • Upload assessment results into CMMC eMASS
  • Schedule a CMMC POA&M close-out assessment (if necessary)
• Close-Out POA&Ms and assessment (if necessary)
  • Perform POA&M close-out assessment
  • Update POA&M close-out

In addition, Cherry Bekaert offers organizations the ability to undergo an attestation to the CMMC Level 1 and Level 2 Standard, NIST 800-171, for those looking for further assurance beyond just a self-assessment. These engagements can be performed individually or in conjunction with an existing SOC 2 audit, e.g., SOC 2+ NIST 800-171.