
Cybersecurity Maturity Model Certification (CMMC)

CMMC is a prerequisite for businesses that want to hold DoD contracts involving sensitive information. It verifies that a contractor can protect United States national defense information and defend it against cyber threats to a defined standard.

By achieving CMMC, companies not only comply with DoD requirements but also demonstrate their commitment to national security, to the integrity of the defense supply chain, and to protecting our warfighters.


CMMC History

2010

Executive Order (EO) 13556 establishes the Controlled Unclassified Information (CUI) program.

2015

NIST SP 800-171 published, giving Defense Industrial Base (DIB) contractors recommended requirements for protecting the confidentiality of CUI when it is processed, stored, or transmitted in nonfederal systems.

2016

DFARS 252.204-7012 – DIB contractors became responsible for instituting their own cybersecurity safeguards in accordance with NIST SP 800-171, monitoring their compliance, and self-certifying. DIB contractors were given until December 2017 to comply.

2017

Deadline for DIB contractors to implement the NIST SP 800-171 requirements under DFARS 252.204-7012 to protect CUI.

2020

CMMC 1.0 Framework released.

DFARS 252.204-7019 – Self-assessment against NIST SP 800-171, with the score reported in the Supplier Performance Risk System (SPRS).

DFARS 252.204-7020 – Contractors must make their systems available for a DoD (Medium or High) assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

DFARS 252.204-7021 – CMMC certification requirement.

2021

CMMC 2.0 Framework proposed

  • Reduced maturity levels from five to three

  • Added limited POA&Ms with up to 180 days to resolve

  • Added annual self-assessment with affirmation by a senior company official for Level 1

  • Added selected requirements from NIST SP 800-172 for Level 3

2023

CMMC 2.0 published in the Federal Register as a proposed rule in December.

2024

CMMC 2.0 public comments due by Feb. 26

NIST published the final version of NIST SP 800-171 Rev. 3 in May

DoD class deviation to DFARS 252.204-7012 in May, keeping NIST SP 800-171 Rev. 2 as the version contractors are assessed against rather than the newest revision

DoD submitted the CMMC Program rule to OIRA

OIRA has 90-120 days to review the rule and publish it

Once published in the Federal Register, the rule will be effective 60 days later, making the CMMC Program official

CMMC 2.0

The CMMC 2.0 model has been streamlined to three levels, aligning its requirements with NIST SP 800-171 (Level 2) and a subset of NIST SP 800-172 (Level 3).

The assessment process has been revised, with limited use of Plans of Action and Milestones (POA&Ms) and time-bound waivers that require senior DoD approval.

Level 1 DIB contractors may self-assess their cybersecurity programs annually and affirm the results to the DoD.

Most Level 2 DIB contractors are required to obtain a third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO) every three years; a subset of Level 2 contracts permits annual self-assessment instead. Level 3 is assessed by the government (DCMA's DIBCAC) rather than by a C3PAO.

CMMC Kickstarter Program

AXIOTROP has partnered with Polaris MEP, the resource for Rhode Island's small and medium-sized manufacturers, to offer an affordable, educational program that helps defense contractors make progress toward CMMC Level 2.

By the end of the cohort series, participants will...

  • Gain 60% to 80% of the required CMMC points

  • Have a roadmap for additional implementation, purchases and work needed to achieve CMMC Level 2

  • Have implemented a CMMC compliance platform

  • Benefit from more than 15 hours of group training and more than 80 hours of individual implementation of relevant controls

Ready to start your CMMC journey?


Our Proven CMMC Process


Discovery: Identify key data, business processes, and technology. CMMC is about protecting data. Understanding which data to protect and how it enters, is stored, is used, and leaves your environment is critical to right-sizing your cybersecurity plan.

AXIOTROP will work with your team to:

  • Develop a high-level data flow diagram.

  • Implement a CMMC compliance platform (Future Feed) to give your leadership oversight and governance of all CMMC-related activities in one place.

CMP Assessment: Our CMMC SMEs assess the Cybersecurity Maturity Posture of your organization. The CMP Assessment (CMPA) is based on NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."

AXIOTROP will work with your team to:

  • Assess your organization against every NIST SP 800-171 requirement and assessment objective.

  • Develop an updated network map, an inventory of all technology tools and services, a list of application vulnerabilities, and a detailed data flow diagram.

  • Create a detailed Plan of Action and Milestones (POA&M).

Projects: We create discrete projects from the POA&M, linking each item to one or more projects so you can see what work must be accomplished to achieve CMMC compliance.

AXIOTROP will work with your team to:

  • Create a project portfolio detailing project objectives, potential technology solutions, estimated labor time and costs, and all impacted CMMC controls.

  • Create a prioritized technology implementation plan and a high-level roadmap to CMMC Level 2 certification.

Remediation: We guide you through the prioritized technology implementation plan. Our scalable remediation approach lets you move forward at the pace and spending level that match your needs.

AXIOTROP will work with your team to:

  • Develop a training plan to increase CMMC awareness.

  • Select the technology solution for each project through a vendor-agnostic analysis.

  • Implement technology upgrades and security controls in accordance with the project plans.

  • Document your System Security Plan (SSP), including policies, plans, procedures, and lists.

Validation: Prepare for the upcoming CMMC third-party assessment. Our compliance software (Future Feed) tracks your requirements, documented SSP, and objective compliance evidence to put your assessor at ease from the start.

AXIOTROP will work with your team to:

  • Collect and store evidence of cybersecurity maturity in Future Feed to demonstrate CMMC compliance.

  • Select a C3PAO through a vendor-agnostic analysis.

  • Complete the C3PAO assessment process, working side by side with your team to meet the assessors' requirements as efficiently as possible and reduce the time and cost to your organization.

Risk Management: CMMC compliance is a journey, not a destination. As the organization grows and business processes and technologies change, new gaps will surface and must be added to the POA&M. The Risk Management process assures continuous improvement and sustained CMMC compliance.

AXIOTROP will work with your team to:

  • Schedule and hold Risk Management meetings to identify and document continuous improvement efforts; the meeting record also serves as evidence of compliance work and process maturity.

  • Test the Incident Response Plan.

  • Create a commitment matrix with daily, weekly, and monthly cadences.


CMMC Client Testimonials

Greg Ferrian, President

Varioprint Inc.

"A year ago, as an aspiring contractor to the defense industrial base we weren’t sure how to get started with CMMC. We turned to Axiotrop for help, and they have been a great partner every step of the way. Together, we started from the ground up and Axiotrop worked with us in phases to meet our timing and budget requirements. We started with a plan to meet our prime contractor expectations (all five-point practices met) and have been improving our SPRS score consistently over time. We are on pace for our C3PAO assessment in Q4 of this year."