Home | Our Services
CMMC - Cyber Maturity Model Certification Audit
Government Contractors and Information Security – ‘A Look into the Future’
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) will encompass multiple capability and maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intention of CMMC is to serve as a verification mechanism. The standard exists to ensure that appropriate levels of cybersecurity controls and processes are adequate and are established within your organization to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
What does this mean for DoD contractors?
This certification aims to provide better flexibility among contractors working with the DoD to meet the information security requirements relevant to the type of work they perform. It offers a path to the security requirements needed to perform work on increasingly sensitive contracts. As shown below, CMMC uses NIST SP 800-171 as the primary foundation for compliance and splits it across the first 3 levels. If you currently work with CUI, or plan to in the near future, Level 3 is the minimum requirement you must meet for access to those contracts. Levels 4 and 5 primarily source from NIST SP 800-172 and are intended for companies with significantly more sensitive information in their contracts. Identifying the CMMC level your organization should target requires diligent consideration of the information in the contracts you perform, as well as the future goals you hope to pursue. The further you progress through the levels the more challenging and expensive the requirements become. Do not make your decision lightly! The model will require a contractor’s security environment to be assessed by a third-party auditor – ultimately providing an objective evaluation of an organizational compliance score between the five levels.

Note: *Number of controls per level will change in future revisions of CMMC model
Timelines to Consider for DoD Contractors

Becoming Certified
The new requirement for third-party audits is of great interest in the industry today, considering it was previously acceptable for organizations to self-assess their security posture. An independent third party ensuring the effective implementation of the appropriate security controls is a critical requirement to ensure information and information systems are being adequately safeguarded. With Kreative’s long history of proven results in the CMMI and ISO appraisal space, our understanding of the importance and relevancy of maturity levels, and our alignment to the auditing process, we are perfectly positioned to assist with these new changes. We are keeping a close eye on all information as it becomes available in order to stay in front of any new developments, ensuring our clients are proactively prepared.
CMMC: Frequently Asked Questions
What are my responsibilities as a DIB contractor, specifically related to CMMC?
How is CMMC different for large and small contractors?
What should I be doing now to prepare for CMMC eventually being required of my company?

Review current contracts to determine if you currently maintain or create any CUI

Perform a Gap assessment of your current security implementation against the CMMC requirements

Develop a plan to remediate any gap findings
