Advisory Services: CMMC-AB Registered Provider Organization
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
With Registered Practitioners on staff, Waterleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Assessment. Our staff can guide your team through:
- Understanding CMMC requirements
- Evaluating current CMMC readiness
- Developing compliance plan
- Implementing changes to
With Registered Practitioners on staff, Waterleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Assessment. Our staff can guide your team through:
- Understanding CMMC requirements
- Evaluating current CMMC readiness
- Developing compliance plan
- Implementing changes to procedures and practices
- Completing pre-assessment evaluation
Depending on the level of CMMC Compliance sought, your organization will need to comply with up to 171 practices across NIST SP 800-171 r2 & Rev b, (FAR) 48 CFR 52.204-21 and other practices. We can help!
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
Waterleaf has been cleared by the CMMC-AB as a candidate Certified 3rd Party Assessment Organization (C3PAO). Our staff have been certified by the CMMC-AB as Provisional Assessors Level 1-3 and are able to complete assessments on behalf of the company.
Contact us to schedule your assessment!
WHAT ARE CMMC, RPO, AND C3PAO?
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification, introduced by the Department of Defense (DoD) in 2019, requires suppliers and contractors to pass a third-party audit of their cybersecurity readiness or risk losing their ability to compete for and deliver on certain DOD contracts starting in 2021. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. All contractors and suppliers, primes and subs are required to:
- Establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, network, and systems of the Defense Industrial Base (DIB) sector.
- Meet one of the five CMMC trust levels and
- Demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities.
Initial Award, or continuance, of DoD contracts will be dependent upon CMMC compliance.
CMMC compliance ranges from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5) with requirements based on the types of information and the level of CUI protection required. Previously, companies could self-certify compliance with the appropriate Defense Federal Acquisition Regulations (DFARs). Now companies must pass an audit conducted by a certified third-party assessment organization (C3PAO).
In 2021 Waterleaf International was selected and qualified by the CMMC-AB to provide advisory services to prepare for your CMMC Assessment (Registered Provider Organization) and has Registered Practitioners on staff. In addition, we have been selected to perform Assessments as a Certified Third Party Assessment Organization (C3PAO). Please note that due to potential conflicts, in accordance with CMMC-AB policy, Waterleaf may only serve in one capacity as either an RPO or as a C3PAO.
CMMC Levels
Progressively More Difficult Compliance Obligations
There are five cumulative Certification levels to the CMMC:
- Level 1 – Basic Cyber Hygiene: Includes basic cybersecurity appropriate for small companies utilizing a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level has 35 security controls that must be successfully implemented.
- Level 2 – Intermediate Cyber Hygiene: Includes universally accepted cybersecurity best practices. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 115 security controls beyond that of Level 1.
- Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. This level requires an additional 91 security controls beyond those covered in Levels 1 and 2.
- Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, properly resourced, and are improved regularly across the enterprise. In addition, the defensive responses operate at machine speed and there is a comprehensive knowledge of all cyber assets. This level has an additional 95 controls beyond the first three Levels.
- Level 5 – Advanced / Progressive: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 34 controls.
Learn More
Waterleaf is an expert in the requirements for CMMC compliance and can guide you on your journey. In addition, Waterleaf's Cyberleaf cybersecurity-as-a-service can be a key component in your compliance plan.