Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC)
Mike Cullen
CISA, CISSP, CIPP/US
Principal
Matt Gilbert
CISA, CRISC, CMMC
Principal
Peter J. Lauria
CPA
Principal
Baker Tilly is a candidate CMMC Third-Party Assessor Organization (C3PAO), ready to help you achieve CMMC readiness or official assessment objectives.
Our certifications
CMMC webinar series
CMMC: How to confirm readiness
In this webinar, Baker Tilly CMMC professionals review the planning required for success of a Cybersecurity Maturity Model Certification (CMMC) assessment.
CMMC scoping: How to ensure your scope is ready for assessment
Need to ensure you’re prepared for your CMMC assessment? Better understand controlled unclassified information (CUI), CMMC asset types, third party rules and more in this deep dive webinar.
CMMC rulemaking: Where are we now?
Baker Tilly CMMC professionals review the proposed CMMC rule and important considerations learned from that proposed rule.
CMMC: What to expect during an official assessment
Specialists walk through the key phases of the CMMC assessment – from planning and fieldwork to reporting, and any needed remediation.
Ensure CMMC success: seven common scoping mistakes to avoid
The third webinar in our Cybersecurity Maturity Model Certification (CMMC) readiness series focuses on the details of how to scope your organization and avoid common pitfalls.
Cybersecurity Maturity Model Certification (CMMC) readiness series – Part II
Baker Tilly Cybersecurity Maturity Model Certification (CMMC) specialist Matt Gilbert and Jeff Dalton, Chair of the CMMC Accreditation Body’s (AB) Credentialing Committee Joined together to discuss CMMC requirements, important factors of the assessment process and what contractors (and their supply chain / subcontractors) should do next to prepare for certification.
Understanding CMMC and the implications for DoD contractors
Watch this on-demand webinar to review the basics of the CMMC requirements and what to expect, along with the next steps needed to prepare your organization.
The impact of CMMC
With the goal of protecting federal contract information (FCI) and controlled unclassified information (CUI) within the Department of Defense (DOD) contracting community, the Cybersecurity Maturity Model Certification (CMMC) version 1.0 became a requirement for participation in some DOD request for information (RFIs) and request for proposals (RFPs) in 2020, ultimately expanding to include DOD procurement by fiscal year 2026 (FY2026).
In November 2021, the DOD announced changes to the program branded as CMMC 2.0.
While there are some structural changes many of the original requirements still apply. DOD contractors cannot afford to stand still, as CMMC will apply to both prime and subcontractors.
CMMC services
Based on current CMMC guidance, we can help your organization think through the level and the scope for your CMMC requirement that stems from the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 and the CMMC 2.0 changes. This could include evaluating if the commercial item exception applies and/or recommending how to best define your scope, and support your representations that CUI does not exist outside of that boundary. Additionally, our CMMC services can help you determine when or how to use the enclave concept for separate scope.
CMMC 2.0 affirmation support
With CMMC 2.0 the DOD announced the requirement for contractors to post a self-assessment score along with an affirmation from a senior official. The U.S. Department of Justice (DoJ) recently communicated a focus on enforcing false claims related to cybersecurity. Before making such affirmation, we can help validate and perform testing so that the senior official is confident in making that affirmation.
CMMC 2.0 gap assessment
Using our extensive understanding of cybersecurity, NIST SP 800-171 and the requirements of the CMMC 2.0 model, we help map your existing controls to the CMMC 2.0 model, identify gaps between your controls and the CMMC 2.0 model and provide recommendations for remediating those control gaps. This can be in a mock assessment or more advisory structure to suit your needs.
CMMC remediation and documentation support
If needed, our specialists can work with you to build a plan and close your existing gaps. We can help formalize your processes and controls, and document your compliance.
CMMC business impact and readiness support
CMMC 2.0 will have impacts on your supply chain, bid and proposal and project-specific IT systems. Specifically, DFARS 252.204-7019 through 7020 includes requirements for flow down and validation of Supplier Performance Risk System (SPRS) scores and CMMC levels. Leveraging our expertise and years of experience supporting contractors, we can help you think about and develop strategy to respond to issues such as risk assessment of teaming partners. This will ensure they are ready for CMMC 2.0 so you can successfully bid, flow-down clause management, estimate cost implications and respond to RFP and RFI CMMC 2.0 requirements.
Cost allowability
The DOD indicated they understand contractors will incur incremental costs to establish good cyber hygiene and compliance with new requirements. Our specialists will help you navigate within the appropriate frameworks of cost allowability and allocability.
Entry or expanding your government contracting business
If you are contemplating entering or expanding your government contracting business, we can help you determine gaps with CMMC 2.0 (or to achieve a higher level of CMMC) and other Defense Federal Acquisition Regulation Supplement (DFARS), Federal Acquisition Regulation (FAR) and Cost Accounting Standards (CAS) requirements, as well as support your implementation of those process. We can also help you think about a strategy to increase your opportunities via General Services Administration (GSA) schedules or other programs.
Certification assessments
We are committed to supporting organizations with their official certification assessments. As a candidate C3PAO, Baker Tilly will complete assessments for certification for CMMC 2.0 Level 2. Principal and CMMC Services Leader Matt Gilbert was one of the first-certified provisional assessors and participant in the CMMC-AB working groups.
Disclosure
All CMMC services are performed by Baker Tilly Data Systems, a wholly owned subsidiary of Baker Tilly US, LLP. Baker Tilly Data Systems is a candidate CMMC Third-Party Assessor Organization.
“We are committed to helping government contractors meet all of their compliance requirements from CMMC, to the increasing supply chain risk management obligations under section 889 as well as the whole host of complex regulatory compliance, audit and other government oversight burdens.”Matt Gilbert, CMMC Leader
Delivering CMMC readiness services remotely
Our cybersecurity practice uses a variety of technology tools to streamline our service delivery model and make document sharing and requests seamless. Our specialists are well versed in methods for facilitating video conferences, teleconference calls and live, online document-sharing sessions to perform CMMC readiness services as efficiently as if we were live on-site. You can expect the same quality service, all while minimizing travel expenses and space constraints that can accompany on-site work.