
CMMC 1.0 & 2.0 Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the U.S. Department of Defense (DoD) to raise cybersecurity standards across the defense industrial base. It is designed to protect the sensitive unclassified information that the DoD shares with its prime contractors and subcontractors: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC builds cybersecurity requirements into the acquisition process, giving the DoD assurance that all supply chain contractors conform to specific cybersecurity standards.

The CMMC requirements are primarily derived from existing standards such as NIST SP 800-171 Rev. 2, NIST SP 800-53 Rev. 5, FIPS 200, ISO/IEC 27002:2013 and others. BitSpartan is a company with Registered Provider Organization (RPO) status pending that helps organizations become CMMC certified by providing advice, consulting and recommendations. We can take you from where you are today to the point where a CMMC Third-Party Assessment Organization (C3PAO) can assess and certify you.

Who is required to meet DoD CMMC Requirements?

Prime contractors

Subcontractors

Our company specializes in cybersecurity. Put your trust in us to handle security compliance.

CMMC Requirements


CMMC 1.0 defines five maturity levels spanning 17 distinct security domains, with 171 security practices in total. The higher the maturity level, the more practices the contractor is required to meet. These practices are a mixture of security controls, documentation, policies and processes. All DoD contractors will be required to meet at least Level 1 by 2026.

What does BitSpartan offer?

BitSpartan helps organizations fulfill their CMMC compliance initiatives by offering a suite of security services that map to the 171 practices. We offer CMMC readiness and gap assessments, cyber risk assessments, vulnerability assessments, penetration testing, security program reviews, incident response (IR) plans, policy writing, blue and red team operation services, and more.

17 Domains | 171 Practices

Access Control (AC)
Awareness and Training (AT)
Incident Response (IR)
Personnel Security (PS)
Risk Management (RM)
System and Communication Protection (SC)
Asset Management (AM)
Configuration Management (CM)
Maintenance (MA)
Physical Protection (PE)
Security Assessment (CA)
System and Information Integrity (SI)
Audit and Accountability (AU)
Identification and Authentication (IA)
Media Protection (MP)
Recovery (RE)
Situational Awareness (SA)

Maturity Levels

Level 1 covers FCI only; Level 2 covers FCI plus a subset of the CUI safeguards; Level 3 and above cover the CUI safeguards. Practice counts are cumulative: each level includes all practices of the levels below it. Whatever your required or target maturity level, we can help.

Level 1, Basic Cyber Hygiene: 17 practices
Level 2, Intermediate Cyber Hygiene: 72 practices
Level 3, Good Cyber Hygiene: 130 practices
Level 4, Proactive: 156 practices
Level 5, Advanced / Progressive: 171 practices


Get Ahead

CMMC level requirements will be phased into the acquisition process over a multi-year rollout. The initial timeline for all prime and subcontractors was 2026. The final timeline has not yet been published, but expect the DoD to publish it within the next 9–24 months. BitSpartan recommends that organizations in the DoD supply chain handling FCI or CUI get ahead of the curve rather than wait until the program's implementation requirements are official. If you need help with any of this, give us a call.

CMMC 2.0

We included the CMMC 1.0 material above so organizations can understand the previous criteria and how they differ from CMMC 2.0. Note that CMMC 1.0 is no longer required. Following hundreds of public comments and analysis of industry concerns with CMMC 1.0, the Department of Defense introduced CMMC 2.0 in late 2021 to address those concerns while keeping the program's security objective. The program will become a requirement in DoD contracts once the DoD completes the rulemaking process for CMMC 2.0 (expected over the next 9–24 months). Many organizations doing business with the Department of Defense are already preparing for CMMC 2.0 compliance by identifying their obligations, the level they are expected to achieve, the systems in scope, and their likely practice requirements.

[Figure: CMMC 2.0 levels]

How we can help

When rulemaking is complete and CMMC 2.0 becomes official, BitSpartan will help organizations fulfill their CMMC compliance initiatives with a suite of security services mapped to the CMMC security practices. We offer CMMC readiness and gap assessments, cyber risk assessments, vulnerability assessments, penetration testing, security program reviews, incident response plans, policy writing, blue and red team operation services from us or our partners, and more. Under CMMC 2.0 we can also help with self-assessments and perform targeted assessments to confirm compliance, giving your prime increased assurance as you move through the contract process. CMMC is a cybersecurity compliance program, and cybersecurity is what we do; we'll be happy to help.

Identify in-scope systems and processes
Cyber risk assessments and penetration testing
CMMC readiness and gap assessments
Gap remediation, SSP, POA&Ms, IR plan
Maintain compliance

Our suite of cybersecurity services

Ready for help?

We know what you're looking for and how to get you there, because we understand, from a business perspective, where you need to be. Most BitSpartan consultants transitioned from technical IT roles into management, where they provided governance, risk and compliance expertise to leading organizations in the private and public sectors. In the field, every consultant either holds a CISA, CGEIT or CRISC certification or is trained and supervised by professionals who do. Our strong technical and IT governance background, combined with assurance expertise, makes our team of consultants one of the best in the industry.
