Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) framework was originally developed by
Carnegie Mellon University and The Johns Hopkins University Applied Physics
Laboratory and funded by the Department of Defense (DoD). The CMMC consists of
maturity processes and cybersecurity best practices from multiple cybersecurity
standards, frameworks and other references as well as inputs from the Defense
Industrial Base (DIB) and DoD stakeholders.
The CMMC is a formal requirement of Defense Federal Acquisition Regulation
Supplement (DFARS) clause 252.204-7021 applying to those DoD contractors who
process, store, or transmit Controlled Unclassified Information (CUI). The CMMC will
apply to all DoD solicitations and contracts, including those for the acquisition of
commercial items (except exclusively COTS items) valued at greater than the
micro-purchase threshold, starting on or after October 1, 2025. Additionally, the rollout
period for the CMMC is 7 years. CMMC 2.0 was announced in November of 2021.
CMMC 2.0 is a streamlined model that reduces assessment costs with high
accountability, collaboration and flexibility. CMMC 2.0 is currently in the rulemaking
phase to become a permanent part of Part 32 of the Code of Federal Regulations
(C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS)
in Part 48 of the C.F.R.

The DFARS Interim Rule was created to guide the transition from DFARS 252.204-7012
(the original requirement of satisfying NIST 800-171 controls through self-attestation)
to CMMC (certification by an authorized independent assessor).
The Interim Rule contains the following DFARS clauses:
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
DoD contractors AND subcontractors MUST:
1. Complete a NIST SP 800-171 Assessment
2. Upload Assessment scoring and required documentation into the Supplier Performance Risk System (SPRS)
3. Achieve the appropriate CMMC level certification as required by the contracting documents/solicitation

SCA is a Cyber AB Registered Practitioner Organization (RPO) and offers the below services to help DoD contractors satisfy DFARS and CMMC requirements. View our CMMC marketplace listing here.
NIST 800-171 DoD Assessment
Following DFARS 252.204-7020 requirements, SCA will evaluate your organization
against the 110 controls found in NIST 800-171. Our process includes a gap analysis of
controls, scoring per the NIST 800-171 DoD assessment methodology and creating the
Plan of Action and Milestones (POAM) required to address partially implemented or
missing controls.
System Security Plan
Drawing on more than 16 years of helping organizations document information
security policies, procedures, and employee use guidelines, SCA offers a three-tier
System Security Plan program:
1. Review of the existing System Security Plan, including recommendations for improvement,
2. Revising an existing System Security Plan or developing a new one,
3. Annual review and maintenance of the System Security Plan to account for changes in people, processes, and technology.
CMMC Readiness Assessment
Depending on your required CMMC Level, SCA offers a gap analysis for CMMC Levels
1 – 3 that will review the following:
CMMC Level 1
Basic cyber hygiene, including 17 practices from Federal Acquisition Regulation (FAR) Clause 52.204-21
CMMC Level 2
Advanced cyber hygiene covering 110 practices from NIST 800-171
CMMC Level 3
Expert cyber hygiene covering 110 practices from NIST 800-171 plus 34 additional enhanced practices from NIST 800-172 for a total of 144 practices
Reach out to us to schedule a consultation and learn more about our cybersecurity assessment and advisory services. We will help elevate your security and demonstrate your compliance so that your organization can grow and thrive.
Contact Us Today For Free Consultation
(727) 571-1141