The U.S. Department of Defense (DoD) is committed to protecting its data and information systems and preventing cyber threats at every level. Integral to this effort is ensuring that the businesses and suppliers competing for DoD contracts have achieved certain levels of effectiveness in their own internal cybersecurity programs, so that the voluminous and often highly sensitive data to which they have access is secure. The accreditation the DoD now requires, Cybersecurity Maturity Model Certification (CMMC), affirms the level of “maturity,” or effectiveness, of a prime or subcontractor’s cybersecurity safeguards.
Defense contractors and suppliers count on us to secure mandated cybersecurity certification and enhance their DoD competitiveness.
Types of CMMC
To achieve the appropriate level of certification, every organization within the DoD contractor community must now engage an independent third-party entity that has been formally approved by the CMMC Accreditation Body, which manages the accreditation process. If you are looking for a CMMC provider, our CMMC team can help you understand what is required and help you acquire what you need.
In addition to helping organizations prepare for CMMC assessments, PKF O’Connor Davies is a CMMC Third Party Assessment Organization (C3PAO) officially authorized by the CyberAB to conduct CMMC Level 2 certification assessments. While our advisory services focus on gap analysis, policy development, and remediation planning, our C3PAO team provides independent certification assessments in compliance with U.S. DoD requirements.
There are three levels of CMMC:
- CMMC Level 1: Basic safeguarding of Federal Contract Information (FCI). This can be done as a self-assessment on an annual basis. This applies to contractors who do not handle Controlled Unclassified Information (CUI).
- CMMC Level 2: Protection of CUI. This assessment should be completed every three years by a third party that is a certified C3PAO if a contract involves critical national security information. Most contractors that store, process, or transmit CUI need CMMC Level 2 certification. PKF O’Connor Davies is fully authorized by the CyberAB as a C3PAO qualified to provide this level of certification.
- CMMC Level 3: Reduces risk from Advanced Persistent Threats (APTs). This type of assessment is exclusively handled by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC), a unit within the DoD. While this type of assessment applies only to a small number of contractors handling the most sensitive defense information, a C3PAO must still provide a Level 2 certification first.
Cybersecurity and Digital Forensics Expertise
If you’re a defense contractor or supplier, selecting cybersecurity specialists well-versed in CMMC requirements is a sound first step. Cybersecurity acumen is essential, and our decades of experience have proven irreplaceable for our clients. Our professionals evaluate the full range of technology platforms and engineer customized solutions to protect system, network and data resources. Adopting a pragmatic approach, we leverage existing resources to correct security shortcomings and are committed to producing clear and logical findings that are readily understood. In more challenging situations, we tailor specific remedies to protect multi-faceted systems and environments characterized by sizeable amounts of confidential, financial, health and other personal data.
In addition, our deep experience in this arena qualifies our specialists to identify supply chain entities also subject to CMMC requirements and help these companies prepare for and obtain certification, as well. Our professionals help:
- Safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Avoid forfeiting current or pending DoD contracts, recently-won bids and renewals.
- Strengthen positioning in contract competitions.
- Prevent reputational damage associated with compliance failure.
- Minimize subcontractor oversight and risk.
- Preserve internal staff time, labor and financial resources.
- Eliminate unexpected noncompliance issues.
Comprehensive Service and Solutions
To help businesses reach the optimal maturity level, our specialists provide contractors and subcontractors with assistance in the following key areas, which are available as an entire program or individually on an as-needed basis:
- Assessment
To identify security gaps that must be addressed to achieve certification at the appropriate level, we undertake a thorough cybersecurity audit. This includes a complete review of all DoD contracts, subcontracts, bids and agreements in which an organization is engaged, and of all internal platforms and systems that collect, store and use FCI and CUI.
- Remediation
Once we’ve identified problematic issues, we launch a remediation program to identify optimal solutions and to customize and implement the necessary security improvements. Subsequent testing of the new controls affirms both adequate protection and effective processes.
- Documentation
Accurate documentation is critical to verifying cybersecurity program efficacy, which is why clients rely on our in-depth reporting on all data protection policies and controls required for the certification level being sought. Our specialists gather, review and prepare all necessary paperwork in preparation for the certification application.
- CMMC and Supply Chain Assessment
PKF O’Connor Davies has been helping companies in the defense supply chain with CMMC program implementation, including plan, policy, and procedure development, gap assessments, and certification preparation. As an authorized C3PAO, we are able to certify companies for CMMC Level 2 compliance. Additionally, to reduce the risk of supply chain noncompliance, we help identify activities requiring stronger controls for vendors, subcontractors and other entities that are part of the organization’s DoD project fulfillment.