Advisory Services: CMMC-AB Registered Provider Organization
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
With Registered Practitioners on staff, Waterleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Assessment. Our staff can guide your team through:
- Understanding CMMC requirements
- Evaluating current CMMC readiness
- Developing compliance plan
- Implementing changes to
With Registered Practitioners on staff, Waterleaf has the necessary certifications, resources, and cybersecurity expertise to enable you to successfully prepare for your CMMC Assessment. Our staff can guide your team through:
- Understanding CMMC requirements
- Evaluating current CMMC readiness
- Developing compliance plan
- Implementing changes to procedures and practices
- Completing pre-assessment evaluation
Depending on the level of CMMC Compliance sought, your organization will need to comply with up to 171 practices across NIST SP 800-171 r2 & Rev b, (FAR) 48 CFR 52.204-21 and other practices. We can help!
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
CMMC Assessment: Candidate Certified 3rd Party Assessment Organization (C3PAO)
Waterleaf has been cleared by the CMMC-AB as a candidate Certified 3rd Party Assessment Organization (C3PAO). Our staff have been certified by the CMMC-AB as Provisional Assessors Level 1-3 and upon completion of certification will be able to complete assessments.
Contact us to discuss your assessment needs.
WHAT ARE CMMC, RPO, AND C3PAO?
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification, introduced by the Department of Defense (DoD) in 2019, requires suppliers and contractors to pass a third-party audit of their cybersecurity readiness or risk losing their ability to compete for and deliver on certain DOD contracts starting in 2021. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level.
All contractors and suppliers, primes and subs are required to:
- Establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, network, and systems of the Defense Industrial Base (DIB) sector.
- Meet one of the three CMMC trust levels and
- Demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities.
Initial Award, or continuance, of DoD contracts will be dependent upon CMMC compliance.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
With its streamlined requirements, CMMC 2.0 aimed to cut red tape for small and medium sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
CMMC Levels
Progressively More Difficult Compliance Obligations
There are three Certification levels to the CMMC:
There are three cumulative Certification levels to the CMMC 2.0:
- Level 1 – focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. (This level has 17 practices and requires annual self-certification.)
- Level 2 “Advanced” – focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2. This level requires third party certification.
- Level 3 “Expert” – Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.
Learn More
Waterleaf is an expert in the requirements for CMMC compliance and can guide you on your journey. In addition, Waterleaf's Cyberleaf cybersecurity-as-a-service can be a key component in your compliance plan.