What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a mandatory framework established by the Department of Defense (DoD) to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base. The program verifies that organizations handling sensitive defense data actually meet the cybersecurity requirements their contracts already impose, reducing risk to national security.

FAQs

Does My Organization Need to Be Certified?

If your organization contracts or subcontracts with the Department of Defense and handles FCI or CUI, the CMMC level required will be stated in the contract. Handling only FCI calls for Level 1 (an annual self-assessment); handling CUI calls for Level 2 or Level 3, which normally means a third-party or government assessment. Meeting the required level is a condition of being awarded, and keeping, contracts within the defense supply chain.

The 3 Levels of CMMC

Level 1: Basic safeguarding of FCI
  Requirements: 15, aligned with FAR 52.204-21
  Assessment:
  • Annual self-assessment
  • Annual affirmation

Level 2: Broad protection of CUI
  Requirements: 110, aligned with NIST SP 800-171 r2
  Assessment:
  • C3PAO assessment every 3 years, OR
  • Self-assessment every 3 years for select programs
  • Annual affirmation

Level 3: Higher-level protection of CUI against advanced persistent threats
  Requirements: 134 (110 from NIST SP 800-171 r2 plus 24 from NIST SP 800-172)
  Assessment:
  • DIBCAC assessment every 3 years (a Level 2 C3PAO certification is a prerequisite)
  • Annual affirmation

Our CMMC examination approach

The scope of our work focuses on evaluating the information security posture of the Organization Seeking Certification (OSC): how its security controls are designed and implemented against the requirements of NIST SP 800-171. M&I uses a multiphase approach proven across many information security assessments and security governance and compliance program buildouts. Specifically, we will assist the OSC with the following:

01  Planning & oversight

  • Conduct a planning and logistics kickoff meeting with the OSC
  • Develop a document and meeting request list
  • Co-develop the communication expectations regarding periodic status meetings
02  CUI boundary validation

  • Develop a baseline understanding of the OSC’s covered contractor information systems
  • Review the system security plan (SSP) and data flow diagram to confirm the flow of CUI
  • Review current DoD contracts (including any DFARS 252.204-7012 and 252.204-7021 clauses) to identify and validate the OSC's obligations, the definition of CUI that applies, and the associated information handling procedures
03  Technical assessment

  • Perform a security controls evaluation based on NIST SP 800-171 to identify operational and technological improvement opportunities
  • Evaluate security controls, processes, capabilities and technical configurations that govern the covered contractor information systems
  • Analyze common themes, strengths and areas for improvement, grouped by the 14 NIST SP 800-171 requirement families, to determine the security gaps
04  Remediation validation

  • Review the current-state plan of action and milestones (POA&M) to understand noted observations and outstanding practice deficiencies; note that CMMC permits a POA&M only for a limited set of requirements and requires those items to be closed out within 180 days of a conditional certification
  • Perform remediation validation procedures to confirm that deficiencies have been corrected in accordance with the POA&M; these procedures are completed within five business days of the assessment exit meeting
05  Certification reporting

  • Summarize the current procedural, technological and human capital capabilities and compliance gaps
  • Provide the OSC with an updated high-level Supplier Performance Risk System (SPRS) score, calculated using the NIST SP 800-171 DoD Assessment Methodology
  • Socialize results with stakeholders and management
  • Develop the Level 2 assessment report