All Covered is an accredited Registered Provider Organization
The Cybersecurity Maturity Model Certification (CMMC) is intended to serve as a verification mechanism ensuring that appropriate cybersecurity practices, processes and capabilities are in place, so that the Defense Supply Chain (DSC) achieves an adequate level of cyber hygiene and protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The new DFARS contract clauses introduced in the September 30, 2020 DFARS interim rule add further clarity for contractors. Namely, DFARS 252.204-7019 ensures contractors understand the DoD Assessment requirements. DFARS 252.204-7020 requires contractors to provide the Defense Contract Management Agency (DCMA) with access to their facilities, systems, and personnel when higher-level reviews are required. DFARS 252.204-7021 introduces the CMMC standard as a new verification vehicle. These clauses are to be included in all solicitations and contracts after November 30, 2020, including those for commercial items, unless the items are solely "Commercial Off the Shelf" (COTS) products.
Start the Certification Process
- By 2025, every company within the Defense Supply Chain and the Defense Industrial Base will need to become certified with CMMC through a Certified Third-Party Assessment Organization (C3PAO).
Federal Government Security Requirements
Previous attempts by the DoD to secure its information using the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) proved insufficient over time. The DoD is requiring all Defense Supply Chain companies, except COTS providers, to comply, adding the new clauses to its previous contract clauses FAR 52.204-25 and DFARS 252.204-7012. Enhanced DFARS rules are being implemented through the end of the year, first to ensure that companies subject to NIST SP 800-171 have completed their self-assessment and reporting requirements using the Supplier Performance Risk System (SPRS), and second to allow third-party auditing of the basic implementation, along with the introduction of CMMC with third-party assessments on certain contracts.
The Certification Process
All Covered adheres to the following process to get Organizations Seeking Compliance (OSC) started on their journey. First, we perform a practice/control gap assessment against the chosen standard (CMMC Levels 1 through 5, NIST SP 800-171, etc.). Next, we create a NIST SP 800-18 conforming System Security Plan (SSP) and Plan of Action and Milestones (POAM). We then consult with the organization to remediate every gap recorded in the POAM, targeting a score of 110 on NIST SP 800-171 assessments, and also remediate any gaps for full conformance with CMMC. We observe conformance over a 3 to 6 month period to confirm that the practices are habitual and persistent. Then we work with the OSC to identify artifacts that provide objective evidence of conformance. Lastly, we introduce you to a C3PAO for your CMMC assessment.
Our RPO Capabilities
We can have Registered Practitioners, Certified Professionals and Certified Assessors working under our designation as an RPO. As an RPO, our capabilities are on par with those of a C3PAO: we are not bound by the same restrictions that apply to C3PAOs, yet we have access to much of the same information.
Why Can't an OSC Prepare for a Certification Assessment Using a C3PAO?
A C3PAO is very limited in the services it can provide to an OSC. It cannot provide recommendations or consulting to OSCs; it can only help an organization gather objective evidence that the required criteria have been implemented. From a cost perspective, an OSC can spend a significant amount on a certification assessment and still not obtain the certification.