What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base. While the CMMC Standard was created for the Defense Supply Chain, there are many other government agencies and allies of the United States interested in using the CMMC Standard.

The standard is overseen by the CMMC Accreditation Body (CMMC-AB). The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC Model itself is created and managed by the DoD.

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.

Buttons_CMMC 101
Buttons_Training Education
Button Options_Consulting Audits
Button Options_Meet The Team
Buttons_FAQ
Edwards & the CMMC Ecosystem

Edwards plays a role in nearly every aspect of the Cybersecurity Maturity Model Certification (CMMC) ecosystem — training and education, assessments, and certification. Currently, Edwards supports Organizations Seeking Certification (OSC) as a Registered Provider Organization (RPO) and candidate Certified Third Party Assessment Organization (C3PAO), providing CMMC-AB approved assessments, consulting, and audit preparation through our proprietary Compliance Assessments. We are also Licensed Training Provider (LTP) and Licensed Partner Publisher (LPP), developing training and providing CMMC-AB certified classes to organizations and individuals planning to take CMMC-AB certification exams or utilize other LPP curriculum. Check out our CMMC FAQ page for more in-depth answers to all your CMMC questions!

CMMC is already starting to appear in upcoming statements of work and while CMMC will only apply to new contracts, it is critical to prepare for compliance now. High formal assessment demand means you must be prepared to pass the first time or risk being waitlisted – potentially foregoing large DoD contract opportunities. CMMC compliance will be a go-no-go decision gate at the time of the contract award.

Our team of cybersecurity experts brings more than a half century’s worth of deep understanding and experience in assessing and interpreting standards, guidelines, and best practices to improve cybersecurity programs.

Four Part Circle
CMMC 101

On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC), as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. As an interim rule effective November 30, 2020; DoD contractors must have a current (not older than three years) National Institute of Standards and Technology SP 800-171 DoD Assessment on record. This interim rule allows organizations to close the gap between DFARS and CMMC requirements. Roughly 300,000 DoD contractors making up the Defense Industrial Base (DIB). These contractors must all be certified at some level of CMMC by September 30, 2025.

CMMC will require a Certified 3rd Party Assessment Organization (C3PAO) to independently audit your organization and certify your compliance at a Maturity level commensurate with the data you handle. Processes to establish C3PAOs and specific audit criteria are still being developed; however, once defined, the demand for audits will be high.

All DoD contractors and subcontractors are required to attain at least Maturity Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve Maturity Level 3.

Maturity
Level 1

Basic Cyber Hygiene
Level 1 entails 17 basic cyber hygiene practices. Requirements include basic cybersecurity practices such as changing passwords regularly and using antivirus software to protect Federal Contract Information (FCI).

Maturity
Level 2

Intermediate Cyber Hygiene
Level 2 ups the requirements to include two processes that address documentation of policies and procedures for all CMMC domains, as well as adding 55 intermediate cyber hygiene practices. The majority of these requirements are derived from the National Institute of Standards and Technology's SP 800-171 Revision 2.

Maturity
Level 3

Good Cyber Hygiene
Level 3 requires that Cybersecurity policies and procedures are not only documented, but that they are also managed and supported by appropriate projects and resource plans. There are 110 practices sourced from NIST SP 800-171 Revision 2 standards, and an additional 20 CMMC specific practices that promote good cyber hygiene.

Maturity
Level 4

Proactive
Level 4 requires contractors to continue to progress in their process maturity and review and measure their security practices for effectiveness. Maturity Level 4 Security practices focus on proactive measures to repel Advanced Persistent Threats (APTs).

Maturity
Level 5

Advanced/Progressive
Level 5 ensures contractors standardize and optimize their cybersecurity processes and practices across the organization as needed. There are an additional 15 practices that further address the identification and removal of APTs.

CMMC QUICK FACTS

✅ CMMC draws from NIST standards, the DoD, and the international security community

✅ One size does not fit all – different levels of security are necessary, depending on the contract and sensitivity of the data involved

✅ CMMC requires a third-party assessment from a C3PAO in lieu of a self-certification

✅ CMMC includes the entire DoD industrial base – approximately 300,000 contractors and subcontractors

✅ CMMC-AB LPPs and LTPs are authorized to develop and train OSCs in various CMMC certification and informational courses

CMMC EDUCATION & CERTIFICATION

Working towards certification within the CMMC ecosystem can be a daunting task for any organization. This is where the need for various training and education can make a world of difference in understanding the CMMC Model, best practices, and the ability to apply concepts around protecting information. It is critical to have a solid comprehension of the legal and regulatory guidance as it pertains to the Department of Defense’s (DoD) Cybersecurity posture.

As a CMMC-AB Licensed Partner Publisher (LPP) and Licensed Training Provider (LTP), Edwards produces quality training materials for other LTPs or Organizations Seeking Certification (OSC).

Focused on learning solutions that enhance organizational performance, our courses are created using Edwards’ instructional systems design approach based on industry standards – and have been for 20+ years. This expertise coupled with our cybersecurity team’s experience in assessing and interpreting standards makes for dynamic training solutions. We are CMMC advocates and training professionals supporting the Defense Industrial Base (DIB) cybersecurity health.

Our online courses and accompanying course materials are updated continuously to provide the most accurate, recent CMMC information. We aim to provide flexible learning at the click of a button – delivering an accessible way to become CMMC compliant. We also offer customized training and discounts for multiple seat purchases; inquire to learn more!

VIEW CURRENT COURSES >

CCP FIELD GUIDE & EXAM PREP MANUAL

The key to CMMC preparedness is knowledge, and that is what we provide with our CMMC-AB approved Certified CMMC Professional (CCP) Field Guide and Exam Prep Manual for consultants and assessors. This 650-page, full-color guide is the most comprehensive study guide available, packed with critical components to reinforce dynamic learning.

This comprehensive material can be used to guide you or your organization to prepare for the CMMC Assessment or as an accompanying guide for a CMMC-AB approved training, required prior to sitting for the CCP exam.

CMMC Field Guide CATM
CMMC CONSULTING & ASSESSMENTS

To continue work with the government, organizations must be certified at an appropriate CMMC maturity level, but most aren’t sure where to start. The CMMC-AB created the RPO certification to provide OSCs confidence in their consultant selection for both quality and knowledge of CMMC concepts to get the job done. C3PAOs are the only organizations authorized to conduct official CMMC assessments against the five Maturity Levels of security practices, from Basic to Advanced, designated by the CMMC-AB.

As an RPO and C3PAO, Edwards is equipped to provide advisory CMMC Level 1 or Level 3 consulting services and support, as well as pre-certification assessments to establish a CMMC plan of action. OSCs should work with an RPO or candidate C3PAO to prepare for either certification; however, you cannot engage with the same C3PAO for both pre-assessment consulting services and the actual CMMC assessment. All verified RPOs and candidate C3PAOs are listed on the CMMC-AB Marketplace. Our goal is to advise DoD suppliers on how to best prepare for a successful CMMC assessment and enforce the maturity levels designed by the CMMC-AB.

Our team of cybersecurity experts brings more than a half century’s worth of understanding and experience in assessing and interpreting standards, guidelines, and best practices to improve cybersecurity programs. Edwards is here to assist you on your CMMC journey!

CMMC ASSESSMENTS

To continue work with the government, companies must be certified at an appropriate level of maturity against the CMMC, but many companies need help determining where to start.

Our approach is designed to be affordable and provide you with exactly what you need to do in preparation for a CMMC audit. At this time, Edwards offers a NIST 800-171 Assessment, mapped to the CMMC model, with varying levels of consulting support. Edwards continues to increase our offerings as the DoD provides more CMMC compliance information. Contact us at Info@EdwPS.com for more information.

CMMC Quick Look Assessment Website Graphic

CMMC TIMELINE

Preloader
Dec 31, 2017

NIST 800-171 Security Requirements Adopted

Companies must implement the 110 security requirements of NIST 800-171, or document in a System Security Plan and Plans of Action for those requirements that are not yet implemented and must provide a date when the requirements will be implemented (DFARS 252.204-7012).

Jun 24, 2020

NIST 800-171 Assessment Methodology Established

NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, documents the standard methodology enabling a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.

Jul 01, 2020

NIST 800-171 Assessment Self-Reporting Capability Added to SPRS

DoD announces the deployment of a cyber assessment capability module in the Supplier Performance Risk System (SPRS) to support National Institute of Standards and Technology (NIST) Special Publication SP 800-171 compliance (https://www.sprs.csd.disa.mil/). With this deployment, authorized representatives of the contractor are able to enter results for
self-assessments in SPRS via the Procurement Integrated Enterprise Environment (PIEE) https://piee.eb.mil/piee-landing/.

Nov 30, 2020

DoD Contract Award Requires Current 800-171 Assessment in SPRS

Companies are required to implement the NIST SP 800-171 standard and to have a current (<3 years) NIST SP 800-171 DoD Assessment on record in order to be considered for contract award. The provision requires companies to ensure the results of any applicable current Assessments are posted in the Supplier Performance Risk System (DFARS 252.204-7019).

Dec 01, 2020

DoD Begins Phase in CMMC Standard Over 5 Year Period

Until October 1, 2025:

Inclusion of CMMC requirements in all DoD solicitations is phased in over a 5 year time period.  The contracts that will incorporate CMMC requirements are determined by the DoD’s Under Secretary of Defense for Acquisition and Sustainment.

Oct 01, 2025

All DoD Solicitations Require Compliance with CMMC Standard

After October 1, 2025:

All entities receiving DoD contracts and orders, other than commercial off the shelf (COTS) products, will be required to have the CMMC Level identified in the solicitation, and at a minimum will require a CMMC Level 1 certification.

 

MEET THE TEAM

Our Cybersecurity Team brings more than ten decades of combined cybersecurity experience in assessing and interpreting NIST, CIS, HIPAA and ISO 27001 standards and guidelines. Our expert management and implementation of security programs throughout the government, commercial, and healthcare industries is well respected and far reaching. Meet our team to see why!

Brian Hubbard

Director, Commercial and Cybersecurity

CISM ⚬ PMP ⚬ RP ⚬ PA ⚬ PI

Brian Hubbard brings 35+ years of cybersecurity program management experience to his role within Edwards Performance Solutions. Brian leads all Commercial business and cybersecurity engagements, including CMMC initiatives, supporting organizations in their CMMC knowledge and preparation. Prior to Edwards, Brian led the contractor team supporting NIST in the development of the “Framework for Improving Critical Infrastructure Cybersecurity” (i.e., the NIST Cybersecurity Framework) in response to Executive Order 13636.

Dana Pickett

Chief Information Security Officer (CISO)

CISM ⚬ SSCP ⚬ RP

Dana Pickett joined Edwards in 2017 as Principal of Cybersecurity and appointed Chief Information Security Officer (CISO) in 2018. He is responsible for maintaining Edwards’ cybersecurity programs, focused on both business and technical risk management for cyber, audit, compliance, and privacy requirements. Dana also manages cyber programs for diverse industries, leading teams and communicating with executive management. He has 32+ years’ of experience successfully implementing security solutions.

Joy Beland

CMMC Training Program Manager

CISM ⚬ SSAP ⚬ PA ⚬ PI ⚬ RP

Joy Beland joined Edwards in 2020. Joy founded and managed a successful security-focused MSP practice for 21 years, then pivoted to serve the MSP community as a cybersecurity instructor. After educating 3,000+ Engineers and Development Reps on cybersecurity fundamentals, Joy joined forces with Edwards and is now responsible for managing and delivering all aspects of CMMC-AB approved certification training. She is also an active participant of the Commercial Cybersecurity Assessment Team.

Sam Bell

CMMC Assessment Program Manager

PMP ⚬ SSCP ⚬ RP

Sam Bell leverages 36+ years of IT and project management experience in managing data warehouse, call center, reporting, and security infrastructure and assessments projects. His focus on process improvement ensures a consistent, repeatable, and measurable approach is taken to deliver value and a secure operating environment for clients. At Edwards, Sam oversees the Cybersecurity Assessments practice, leading NIST 800-53, HIPAA, NIST CSF, and CMMC readiness assessments for firms of all sizes, across diverse industries.

Marcellus Williams

Sr. Penetration Tester

CEH Master ⚬ Security+ ⚬ RP ⚬ CCNA ⚬ CISSP

Marcellus Williams joined Edwards Performance Solutions in 2020 and works concurrently as a Network Analyst in the United States Army Reserves. In addition to 10+ years of penetration testing experience, he holds a Bachelor’s Degree in Computer Science and a Master’s Degree in Computer Information Assurance. Prior to Edwards, he worked at the DoD where he was tasked to emulate Nation State hackers and Advanced Persistent Threats (APTs).

Matt Hoeper

Sr. Cybersecurity Consultant

PMP ⚬ CISSP

Matt Hoeper is an experienced cybersecurity professional with 25+ years of IT experience. Matt holds a Master’s degree in Management Information Systems as well as PMP and CISSP certifications. Prior to joining Edwards, he worked for Fortune 500 companies and small businesses in areas of engineering, financial, marketing, supply chain, manufacturing, and health care. Over his career, Matt has conducted security assessments against multiple standards.

Joe Stoner

Cybersecurity Consultant

CEH ⚬ CySA+ ⚬ RP

Joe Stoner is an IT and cybersecurity professional at Edwards with 6+ years of experience, focusing on computer administration and network/system security. Since joining Edwards in 2014, Joe has conducted security risk assessments for clients, using multiple standards and frameworks (i.e., NIST 800-53, 800-171, CSF, and ISO 27001), provided cybersecurity services to mature client security postures, and developed/implemented procedures to meet security goals.

Tyler Gormus

Cybersecurity Consultant

CEH ⚬ RP ⚬ PA*

Tyler Gormus joined the Edwards Cybersecurity Team in 2018. He provides experience in conducting security risk assessments for clients in using multiple standards and frameworks (i.e., NIST 800-53, 800-171, CSF, and ISO 27001), interviewing appropriate stakeholders, and implements an easy to use/costeffective approach for customers working toward compliance. Tyler also holds a Bachelor’s degree in Secure Computing and Information Assurance.