CMMC 1.0 & 2.0
Compliance
The Cybersecurity Maturity Model Certification (CMMC) is a new program developed by the U.S. Department of Defense to enhance cybersecurity standards for companies that are part of the defense industrial base. It is designed to protect sensitive unclassified information (FCI and CUI) shared by the DoD with its prime and subcontractors. CMMC incorporates cybersecurity requirements into the acquisition process, giving the DoD assurance that all supply chain contractors are conforming to specific cybersecurity standards.
The CMMC requirements are primarily derived from existing standards such as NIST SP 800-171 Rev. 2, NIST SP 800-53 Rev. 5, FIPS 200, ISO/IEC 27002:2013 and others. BitSpartan is a company with Registered Provider Organization (RPO) status pending. We help organizations become CMMC certified by providing advice, consulting, and recommendations, taking you from where you are today to the point where a CMMC Third-Party Assessment Organization (C3PAO) can assess and certify you.
Who is required to meet DoD CMMC Requirements?
Prime Contractors
Subcontractors
CMMC Requirements
CMMC 1.0 has five levels of maturity that span 17 distinct security domains. There are 171 security practices in total across the 17 domains. The higher the maturity level, the more practices the contractor is required to meet. These practices are a mixture of technical security controls, documentation, policies, and processes. All DoD contractors handling FCI will be required to meet at least Level 1, with full rollout originally scheduled for 2026.
What does BitSpartan offer?
BitSpartan helps organizations fulfill their CMMC compliance initiatives by offering a suite of security services to help meet the requirements of the 171 practices. We offer CMMC readiness and gap assessments, cyber risk assessments, vulnerability assessments, penetration testing, security program reviews, incident response (IR) plans, policy writing, blue and red team operation services, and more.
17 Domains | 171 Practices
Access Control (AC)
Asset Management (AM)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Recovery (RE)
Risk Management (RM)
Security Assessment (CA)
Situational Awareness (SA)
System and Communication Protection (SC)
System and Information Integrity (SI)
Maturity Levels
Level 1 covers FCI only. Level 2 covers FCI plus a subset of the CUI safeguards, as a transition step. Level 3 and up cover the CUI safeguards in full. Regardless of your required or target maturity level, we can help.
1 | Basic Cyber Hygiene | 17 Practices
2 | Intermediate Cyber Hygiene | 72 Practices
3 | Good Cyber Hygiene | 130 Practices
4 | Proactive | 156 Practices
5 | Advanced / Progressive | 171 Practices
Get Ahead
CMMC level requirements in the acquisition process will be a multi-year rollout. The initial timeline called for all prime and subcontractors to be covered by 2026. The final timeline has not yet been published; expect the DoD to publish it within the next 9 to 24 months. BitSpartan recommends that organizations in the DoD supply chain handling FCI or CUI get ahead of the curve and not wait until the program implementation requirements are official. Many organizations conducting business with the Department of Defense are presently preparing for CMMC 2.0 compliance by identifying their obligations, the level of compliance they are expected to achieve, the systems in scope, and their likely practice requirements. If you need help with any of this, give us a call.
CMMC 2.0
We included the CMMC 1.0 material above to give organizations a better understanding of the previous criteria and how they differ from CMMC 2.0. Note that CMMC 1.0 is no longer required. Following hundreds of public comments and analysis of industry concerns with CMMC 1.0, the Department of Defense introduced CMMC 2.0 in late 2021 to address those issues while maintaining the program's security objective. The program will become a requirement for DoD contracts once the DoD completes the rulemaking process for CMMC 2.0 (expected over the next 9 to 24 months).
Diagram source: https://www.acq.osd.mil/cmmc/about-us.html
How we can help
When rulemaking is complete and CMMC 2.0 becomes official, BitSpartan will help organizations fulfill their CMMC compliance initiatives by offering a suite of security services to meet the requirements of the CMMC security practices. We offer CMMC readiness and gap assessments, cyber risk assessments, vulnerability assessments, penetration testing, security program reviews, incident response plans, policy writing, and blue and red team operation services from us or our partners, and more. Under CMMC 2.0 we can also help you with self-assessments and perform specific assessments to confirm compliance, giving your prime increased assurance as you move through the contract process. CMMC is a cybersecurity compliance program, and cybersecurity is what we do; we'll be happy to help.
Our suite of cybersecurity services:
Identify in-scope systems and processes
Cyber Risk Assessments, Penetration Testing
CMMC Readiness and Gap Assessments
Gap Remediation, System Security Plan (SSP), Plans of Action and Milestones (POA&Ms), IR Plan
Maintain Compliance
Ready for help?
We know what you're looking for and we know how to get you there, because from a business perspective we understand where you need to be. The majority of BitSpartan consultants transitioned from technical IT roles into management, where they provided governance, risk, and compliance expertise to top organizations in the private and public sectors. In the field, all consultants are either CISA, CGEIT, or CRISC certified, or trained and supervised by these certified professionals. Our strong technical and IT governance background, blended with assurance expertise, makes our team of consultants one of the best in the industry.