CMMC
CMMC get registered
CyRoot’s CMMC practice is led by a CyberAB Registered Practitioner (RP) who will guide you along your registration path prior to CMMC self-attestation.
CMMC Level 1 Self-Attestation
CyRoot’s CMMC practice is led by a CyberAB Registered Practitioner (RP), leading you to CMMC Level 1 and CMMC Level 2 certification. This exhaustive approach will satisfy the stringent CMMC rules.
A quick checklist of requirements is below:
CMMC Level 1 Self-Attestation Requirements Checklist
To comply with CMMC Level 1 and perform self-attestation, a supplier must:
- Understand FCI: Identify if the organization handles Federal Contract Information (FCI).
- Implement FAR 52.204-21: Implement the 17 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21. These requirements are focused on basic cyber hygiene.
- Meet NIST SP 800-171A Objectives: Ensure that the 17 FAR 52.204-21 requirements are met by achieving a “MET” result for all applicable assessment objectives as defined in NIST SP 800-171A.
- Document Implementation: Document policies, processes, procedures, and/or technologies implemented to satisfy each of the 17 FAR 52.204-21 requirements.
- Define Assessment Scope: Clearly define the scope of the self-assessment, identifying all assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI.
- Conduct Self-Assessment: Perform a self-assessment of the organization’s security practices against the CMMC Level 1 requirements.
- Prepare Documentation: Compile all necessary documentation related to the self-assessment.
- SPRS Registration: Register in the Supplier Performance Risk System (SPRS).
- Submit Self-Assessment Results: Report the results of the self-assessment, including:
  - Organization’s CAGE code.
  - CAGE codes for any Higher Level Organizations (HLO), if applicable.
  - Date the CMMC Level 1 self-assessment was completed.
  - The assessment scope.
  - Number of employees in scope.
  - Compliance result.
- Annual Affirmation: A senior company official must submit an annual affirmation to the DoD, attesting that the organization has implemented and will maintain CMMC Level 1 compliance.
CMMC Level 2 Self-Attestation
To comply with CMMC Level 2 and perform self-attestation, a supplier must:
- Understand CUI: Identify if the organization handles Controlled Unclassified Information (CUI).
- Implement NIST SP 800-171 R2: Implement all 110 security requirements outlined in NIST SP 800-171, Revision 2.
- Meet NIST SP 800-171A Objectives: Ensure that all 110 NIST SP 800-171 requirements are met by achieving a “MET” result for all applicable assessment objectives as defined in NIST SP 800-171A.
- Document Implementation: Document policies, processes, procedures, and/or technologies implemented to satisfy the NIST SP 800-171 requirements. This includes creating a System Security Plan (SSP).
- Define Assessment Scope: Clearly define the scope of the self-assessment, identifying all assets (people, technology, facilities, and external service providers) that process, store, or transmit CUI.
- Conduct Self-Assessment: Perform a self-assessment of the organization’s security practices against the NIST SP 800-171 requirements.
- Prepare Documentation: Compile all necessary documentation related to the self-assessment.
- SPRS Reporting: Report the results of the self-assessment, including the required score and other details, to the DoD’s Supplier Performance Risk System (SPRS).
- Annual Affirmation: A senior company official must submit an annual affirmation to the DoD, attesting that the organization has implemented and will maintain CMMC Level 2 compliance.