Your Full-Service CMMC Provider
Cherry Bekaert is a full-service CMMC provider that can assist your organization with a wide variety of CMMC compliance needs. In addition to CMMC gap assessments, our professionals can provide oversight and management of remediation and reporting efforts. We also offer certification, when independent, as an authorized CMMC Third-Party Assessment Organization (C3PAO) and certified Registered Practitioner Organization (RPO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Inc. (The Cyber AB).
We assist Organizations Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. As an authorized C3PAO, Cherry Bekaert partners with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance Audit Program to perform DIBCAC High (NIST 800-171) Assessments, which are convertible to CMMC Level 2 Certification if a perfect score is obtained.
Our team is composed of CMMC certified practitioners with information technology (IT) and cybersecurity leadership experience. With our professional guidance, we drive practical and pragmatic recommendations and solutions that benefit your team.
CMMC Compliance Gap Assessments
Gap assessments are crucial in establishing a clear understanding of the current state of compliance against CMMC.
Our CMMC Compliance Gap Assessments are designed to assist management in understanding the scope and extent of the organization’s CMMC compliance needs.
At the end of our gap assessment, we provide a CMMC compliance roadmap that includes practical and pragmatic recommendations for CMMC remediation, so your organization has a clear plan forward.
CMMC Compliance Advisory Services
Once we have developed a clear view of gaps in CMMC compliance, our team of CMMC compliance advisory professionals will work with you to remediate gaps and drive the implementation of a CMMC program tailored to your organization.
We assist many organizations with crucial components of the CMMC program, including:
- Scope and boundary identification and definition
- Asset identification and categorization
- System security plan development
- Shared responsibility matrix development
- Policy and procedure development
- Alignment with/leveraging other compliance initiatives and efforts (where appropriate)
- Vendor and third-party selection and compliance (i.e., FedRAMP Moderate and CMMC requirements for CSPs and ESPs)
In addition, we can fully support your self-assessment efforts to make sure that all necessary program parameters are in place before being signed by an appropriate organizational executive.
CMMC Certifications and Attestations
Our CMMC assessments are streamlined from planning and testing through reporting and submission, to ensure an efficient assessment from beginning to end.
Cherry Bekaert follows a proven assessment process that includes the following phases:
- Plan and prepare the assessment
  - Establish roles and responsibilities
  - Validate CMMC assessment scope
  - Verify readiness to conduct the assessment
- Conduct the assessment
  - Collect and examine evidence
  - Conduct interviews
  - Determine FedRAMP Moderate Equivalency for Cloud Service Providers (CSPs)
  - Score OSC practices and validate preliminary results
- Report recommended results
  - Deliver recommended assessment results
  - Submit, package, and archive assessment documentation
  - Upload assessment results into CMMC eMASS
  - Schedule a CMMC POA&M close-out assessment (if necessary)
- Close-Out POA&Ms and assessment (if necessary)
  - Perform POA&M close-out assessment
  - Update POA&M close-out
In addition, Cherry Bekaert offers organizations the ability to undergo an attestation to the CMMC Level 1 and Level 2 Standard, NIST 800-171, for those looking for further assurance beyond just a self-assessment. These engagements can be performed individually or in conjunction with an existing SOC 2 audit, e.g., SOC 2+ NIST 800-171.