CMMC/CUI Compliance & Assessments
The cybersecurity consultants at H23 work with defense contractors to ensure their compliance with federal contract requirements.
Let H23’s cybersecurity team collaborate with you on protecting your company information and assets by adopting cybersecurity practices that meet the required standards and minimize threats to your business. We can support Level 1 and Level 2 self-assessments as well as readiness for Level 2 third-party C3PAO assessments.
Hills23 has extensive experience providing secure solutions to government and commercial clients. As an RPO, we offer services to meet the CMMC level your company needs to attain. Please note that once the CMMC Program is fully implemented, a DOD solicitation will specify the minimum CMMC Status required to be eligible for award.
- Level 1 (Self) is a self-assessment to secure FCI processed, stored, or transmitted while fulfilling the contract. Your company must comply with the 15 security requirements set by FAR clause 52.204-21. All 15 requirements must be met in full; no exceptions are allowed. Self-attestation will be required, and entities or individuals that knowingly misrepresent their cybersecurity practices will be held accountable.
- Level 2 (Self) is a self-assessment to secure CUI processed, stored, or transmitted while fulfilling the contract. Your company must comply with the 110 Level 2 security requirements derived from NIST SP 800-171 R2. Self-attestation will be required, and entities or individuals that knowingly misrepresent their cybersecurity practices will be held accountable.
- Level 2 (C3PAO) differs from Level 2 (Self) in the method of verifying compliance. Your Company must hire a C3PAO to conduct an assessment of the OSA's compliance with the 110 security requirements of NIST SP 800-171 R2. You can shop for C3PAOs on the CMMC Accreditation Body (AB) Marketplace. Hills23 can serve as a liaison between your company and the C3PAO.
We can support you in several ways:
- Gap Analysis for Level 1 & 2. We will work with you to understand your current state of preparedness and where your existing strengths and weaknesses lie. Once the gaps in your preparedness are identified, we assist you in developing a roadmap based on investment priorities that takes required timelines and budgets into consideration. The plan for closing those gaps is called your Plans of Action and Milestones (POAMs), and having a well-organized set of POAMs resulting from a robust gap analysis is a key part of successful preparation.
- Pre-Assessment identifies preparedness for an official CMMC assessment. Conducted in the same manner as an official CMMC assessment with a certified provisional assessor (PA), the pre-assessment evaluates each practice and process to determine compliance with CMMC standards and in accordance with the CMMC assessment guides. Once complete, Hills23 provides a pre-assessment report outlining findings and overall organizational preparedness (prepared/not prepared).
We have built a team of expert assessors who have all been qualified by CMMC-AB. In addition to CMMC training, our team has significant assessment experience and qualifications in similar compliance areas (e.g., the Federal Risk and Assessment Management Program, the Federal Information Security
Background:
The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
The CMMC standard will be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and become a requirement for contract award.
The 32 CFR Part 170 CMMC rule is final (see About CMMC, defense.gov).
CMMC Implementation
The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.
In some procurements, DoD may implement CMMC requirements in advance of the planned phase.
References:
Federal Register: Cybersecurity Maturity Model Certification (CMMC) Program
CMMC Main Page: About CMMC (defense.gov)
NIST CSRC: SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST Special Publication 800-171 Revision 3: NIST.SP.800-171r3.pdf