CMMC Guidance

What is the Cybersecurity Maturity Model Certification (CMMC)?

Cyber attacks targeting the Defense Industrial Base (DIB) pose a risk to our national security.  Businesses large and small play a role in the DIB ecosystem.  This diversity brings a great variety in business processes,  IT systems, controls, and cybersecurity practices.  The Department of Defense (DoD) has established the CMMC framework to provide a common set of requirements to ensure proper safeguarding for both Federal Contract Information and Controlled Unclassified Information.

Controlled Unclassified Information (CUI)

We cannot talk about the CMMC without discussing CUI. Ultimately, the CMMC has been developed to ensure that organizations properly safeguard CUI. What is CUI? From the CUI Program Blog: Controlled Unclassified Information (CUI), is sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect.

Consider an example: a manufacturer makes a part or assembly that ultimately ends up in a Defense related application. The blueprints or drawings used to machine the part are likely CUI. Should these documents exist in physical form at the manufacturer, certain practices must be in place to safeguard them (handling, storage, destruction, etc.). When this information exists digitally on the manufacturer’s computer network, specific controls must be put in place to safeguard that information. The CMMC outlines the safeguards that must be in place to process, store, or transmit this data.

The following links provide information on the CUI Program, training, and others:

National Archives CUI Program Home

CUI Program Blog

CUI Training

How can Bound Planet help?

Rule making is moving forward, we recommend being proactive in addressing the CMMC.

We offer the following:

  • Education on CMMC requirements
  • Pre-assessment readiness evaluations and guidance
  • Scoping guidance
  • Self-assessment score development and assistance in posting to SPRS
  • Assistance in meeting DFARS 252.204-7012 reporting requirements
  • Advisory specific to CMMC initiatives
  • POA&M Development
  • SSP development
  • Consulting and project management related to implementing Practices or Processes
  • Policy documentation and review
  • Service offerings to meet practice requirements. Examples: Awareness and Training

Whether you don’t know where to start, or you simply need a specific solution to satisfy a practice requirement, Contact us today to find out how we can help your organization prepare.

Our Approach

  • Establish Baseline – Our CMMC Pre-Assessment Readiness Evaluation establishes the current state of the OSC’s practices in comparison to CMMC requirements. This initial baseline supports later activities such as scoping, POAM development, and implementation.
  • Identify Scope – The people, processes, and technology (PPTs) associated with the processing, storing, or transmitting CUI can greatly influence the scope of implementation.  OSCs may reduce the scope by limiting which PPTs constitute the CMMC assessment scope.  In some cases, a reduced scope approach may not be feasible, however scope should be identified early in the process.
  • Establish POAM – Once the scope has been determined, the action plan for implementation can be developed.
  • Develop SSP – An SSP is required for uploading scores to the Supplier Performance Risk System (SPRS).
  • Implement Practices – Practices must be implemented for the PPTs within the CMMC assessment scope.  While implementation occurs, the OSC should manage the POAM and SSP, keeping them up to date.