CMMC Compliance Services | Compliance Requirements

AWA’s Security Services for CMMC Compliance

Our team performs gap assessments and remediation of policies and processes focused specifically on meeting the requirements for Cybersecurity Maturity Model Certification. Contact AWA to start preparing for security compliance and CMMC assessments.

CMMC Cybersecurity Compliance Requirements

The Department of Defense has implemented the Cybersecurity Maturity Model Certification (CMMC) framework to help contractors protect unclassified information within the DIB supply chain. CMMC is mandatory for contractors performing work under an approved CMMI-SVC or CMMI‑SE/CMM integrated baseline.

The results of CMMC audits are valid for up to one year, and include the previous 36 months of activities. These assessments measure a company’s cybersecurity risk mitigation maturity level against relevant CMMI implementation ratings. This provides a foundation for risk management and security decisions, enabling federal agencies to better protect contractor data within the DIB supply chain.

According to the latest version CMMC regulations, a self-assessment of security posture is not adequate for contractors and their subcontractors. Compliance auditing and on-site inspections must be conducted by an official CMMC third-party assessment organization (C3PAO) and CMMI certified assessors. It consists of an assessment of information security programs, systems and controls. The CMMC framework includes more than 100 program areas covered by a number of cybersecurity standards.

AWA’s Security Services for CMMC Compliance

Gap Assessment Services

Companies looking to achieve CMMC compliance should work ahead of their formal audit and perform a gap assessment with AWA. During this engagement, we evaluate documentation, processes, and technologies to identify the degree of compliance with CMMC controls.

Any gaps identified will be linked to corresponding CMMC controls, and delivered in a report of findings that enables effective remediation of vulnerabilities.

CMMC auditors at AWA provide clients with an independent CMMC assessment of compliance. Our auditing helps DIB contractors through the CMMC audit readiness assessment phase, assessing and modifying security policies and practices, and preparing documentation for certification.

Policy & Process Remediation

Due to the importance of documentation for CMMC compliance, many companies find that their gaps require them to create formal policy and process documentation.

AWA has a wealth of experience evaluating, creating, and updating policy and process documentation. As part of our CMMC expertise, we offer policy and process remediation services. Let your security engineers focus on deploying and maintaining security infrastructure and let us handle the writing!

We offer a range of comprehensive penetration testing services to help DoD contractors achieve CMMC Level 2 compliance. Our experienced security experts perform internal, external, and web application penetration testing to identify and mitigate potential security risks. With our thorough testing and detailed reporting, you can gain the confidence to ensure your organization’s security posture is at its highest level.

FAQs about CMMC Compliance Services

Who needs CMMC certification?

Any organization that is involved in the defense contract supply chain is required to maintain Cybersecurity Maturity Model Certification. These consist of both prime contractors and subcontractors who work directly with the Department of Defense to complete and/or carry out those contracts. The CMMC announced standards are expected impact approximately 300,000 enterprises, according to the DoD.

What is the difference between NIST 800-171 and CMMC?

While the primary goal of NIST 800-171 compliance is to safeguard controlled unclassified information (CUI) wherever it is kept, transmitted, and processed, an organization must nevertheless adhere to both the CUI and NFO controls. In contrast, NFO controls are not included in the scope of the CMMC audits; only CUI controls are.

When does CMMC go into effect?

It’s already in vigor; the first interim of CMMC regulations went into effect in September 2020. The Department of Defense expects that the new CMMC interim rule will go into effect in May 2023.

What is Cybersecurity Maturity Model Certification?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework designed to ensure that Department of Defense (DoD) contractors meet specific cybersecurity requirements. CMMC Level 2 requires contractors to implement and demonstrate basic cybersecurity practices, including regular penetration testing. By performing regular penetration testing, contractors can identify and address weaknesses in their security systems before they can be exploited by malicious actors.

Is the CMMC based on NIST?

The CMMC framework incorporates several NIST 800-171 controls that are relevant to penetration testing. Here are some of the most critical controls:
·       CMMC AC.2.101: Audit and Accountability – NIST 800-171 Rev. 1 3.3.3: Requires organizations to perform vulnerability scanning and penetration testing on a periodic basis.
·       CMMC MP.3.101: Media Protection – NIST 800-171 Rev. 1 3.7.4: Requires contractors to perform periodic vulnerability scanning and penetration testing on systems processing and storing information on removable media.
·       CMMC PE.4.101: Access Control – NIST 800-171 Rev. 1 3.1.13: Requires contractors to perform periodic vulnerability scanning and penetration testing on systems that control access to information.
These controls highlight the importance of regular penetration testing as a critical component of maintaining a secure environment for DoD contractors.

What are the potential consequences of non-compliance with CMMC?

Failure to comply with these controls and regulations can lead to significant fines, penalties, and loss of contracts.

CMMC Assessment & Audit Services

Request Information

AWA’s Security Services for CMMC Compliance

CMMC Cybersecurity Compliance Requirements