DFARS/CMMC Compliance Resource Center
Do you have questions about the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) audit? You’re not alone, the path to becoming compliant can be confusing. This resource center is designed to help address questions you have about NIST, DFARS compliance, and preparing for a CMMC audit.
As a NIST Consultant, we have extensive experience helping businesses implement the NIST 800-171 cybersecurity framework to comply with DFARS and prepare for CMMC audits. We’ve taken many of the common questions we see companies asking and developed resources to help address them.
Frequently Asked Questions:
What is the National Institute of Standards and Technology (NIST)?
The National Institute of Standards and Technology (NIST) was founded in 1901 and was established to remove major challenges to U.S industrial competitiveness at the time. In today’s world, NIST works with any company acting as a government contractor. The institute publishes a set of guidelines, including the 800 series, that outlines the United States federal government computer security policies.
What is the NIST 800-171 cybersecurity framework?
In 2015, the Department of Defense published “DFARS” which mandated that private DoD contractors adopt cybersecurity standards according to the NIST 800-171 cybersecurity framework. This is part of a government led effort to protect the US Defense supply chain from foreign and domestic cyber threats.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The DoD has released the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls and processes are in place to protect contractor systems. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced.” The intent is to identify the required CMMC level in the RFP and use it as a “go/no go” decision when evaluating vendors.
What kind of companies need to become CMMC compliant?
There are approximately 300,000 DoD contractors that are subject to CMMC. The DoD estimates that only 10% meet the standard as released. By FY26, all new DOD contracts will contain CMMC requirements. All DoD contractors should already be at Level 1 as that parallels some existing requirements. Level 3 is going to be the level that most contractors need to achieve to be relevant.
Can my company pass a CMMC Compliance Audit without outside help?
There is a provision for self-audit, but experts do not believe that is wise. The cocktail of services you need to check all the boxes is really complicated to source and manage on your own. Finding a good partner that can provide critical components “as a service” is essential to moving towards compliance in a timely manner.
How do I find a partner to help my company pass our CMMC Compliance Audit?
The best partner is one with a dedicated cybersecurity team and extensive experience conducting CMMC assessments. Security is constantly changing and having a team of dedicated specialists with certifications in the security space can provide the peace of mind needed. Corsica has a team of NIST Consultants available to help, but it’s important you find whoever makes you feel most comfortable.
Understanding the Basics of CMMC Compliance
This 7-minute-long mini-webinar covers the basics of what every DoD contractor needs to know about CMMC/DFARS compliance.
NIST & DFARS Compliance – What You Need To Know
Learn about NIST, the benefits of becoming compliant, and the risks your company faces for not becoming compliant.
Frequently asked Questions
Commonly Asked Questions About the CMMC Compliance Assessment
From what’s included in the assessment to assessment cost to the implantation of recommendations, this list of FAQs covers common questions about our CMMC assessments.