Edwards & the CMMC Ecosystem

Edwards will play a role in nearly every aspect of the CMMC ecosystem. Currently, Edwards supports Organizations Seeking Certification (OSC) as a Registered Provider Organization (RPO) and Certified Third Party Assessment Organization (C3PAO), providing CMMC-AB approved assessments, consulting, and audit preparation through our proprietary Quick Look Assessments. We are also Licensed Training Provider (LTP) and Licensed Partner Publisher (LPP), developing training and providing CMMC-AB certified classes to organizations and individuals planning to take CMMC-AB certification exams or utilize other LPP curriculum. Check out our CMMC FAQ page!

CMMC is already starting to appear in upcoming statements of work and while CMMC will only apply to new contracts, it is critical to prepare for compliance now. High audit demand means you must be prepared to pass the first time or risk being waitlisted – potentially foregoing large DoD contract opportunities. CMMC compliance will be a go-no-go decision gate at the time of the contract award.

Our team of cybersecurity experts brings more than a half century’s worth of deep understanding and experience in assessing and interpreting standards, guidelines, and best practices to improve cybersecurity programs.

Buttons_CMMC 101
Buttons_Training Education
Buttons_Consulting Audits
Buttons_FAQ

CMMC COURSES AVAILABLE NOW!

As a Licensed Partner Publisher (LPP) and Licensed Training Providers (LTP), Edwards produces quality training materials for LTPs or Organizations Seeking Certification (OSC). We are CMMC advocates, supporting the Defense Industrial Base (DIB) cybersecurity health.

Our CMMC courses include both CMMC Accreditation Body (CMMC-AB) specific training, as well as CMMC topics developed by Edwards’ training experts. These courses are currently provided in an online environment. Our goal is to offer flexible learning at the click of a button – providing an accessible way to become CMMC compliant.

Click Here to Sign Up Today CMMC-AB [Replacement Graphic]

What is CMMC?

On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC), as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. As an interim rule effective November 30, 2020; DoD contractors must have a current (not older than three years) National Institute of Standards and Technology SP 800-171 DoD Assessment on record. This interim rule helps to close the gap between DFARS and CMMC requirements.

CMMC will require a Certified 3rd Party Assessment Organization (C3PAO) to independently audit your organization and certify your compliance at a Maturity level commensurate with the data you handle. Processes to establish C3PAOs and specific audit criteria are still being developed; however, once defined, the demand for audits will be high.

All DoD contractors and subcontractors are required to attain at least Maturity Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve Maturity Level 3.

Maturity
Level 1

Basic Cyber Hygiene
Level 1 entails 17 basic cyber hygiene practices. Requirements include basic cybersecurity practices such as changing passwords regularly and using antivirus software to protect Federal Contract Information (FCI).

Maturity
Level 2

Intermediate Cyber Hygiene
Level 2 ups the requirements to include two processes that address documentation of policies and procedures for all CMMC domains, as well as adding 55 intermediate cyber hygiene practices. The majority of these requirements are derived from the National Institute of Standards and Technology's SP 800-171 Revision 2.

Maturity
Level 3

Good Cyber Hygiene
Level 3 requires that Cybersecurity policies and procedures are not only documented, but that they are also managed and supported by appropriate projects and resource plans. There are 110 practices sourced from NIST SP 800-171 Revision 2 standards, and an additional 20 CMMC specific practices that promote good cyber hygiene.

Maturity
Level 4

Proactive
Level 4 requires contractors to continue to progress in their process maturity and review and measure their security practices for effectiveness. Maturity Level 4 Security practices focus on proactive measures to repel Advanced Persistent Threats (APTs).

Maturity
Level 5

Advanced/Progressive
Level 5 ensures contractors standardize and optimize their cybersecurity processes and practices across the organization as needed. There are an additional 15 practices that further address the identification and removal of APTs.

 CMMC QUICK FACTS

CMMC TIMELINE

Preloader
Dec 31, 2017

NIST 800-171 Security Requirements Adopted

Companies must implement the 110 security requirements of NIST 800-171, or document in a System Security Plan and Plans of Action for those requirements that are not yet implemented and must provide a date when the requirements will be implemented (DFARS 252.204-7012).

Jun 24, 2020

NIST 800-171 Assessment Methodology Established

NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, documents the standard methodology enabling a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.

Jul 01, 2020

NIST 800-171 Assessment Self-Reporting Capability Added to SPRS

DoD announces the deployment of a cyber assessment capability module in the Supplier Performance Risk System (SPRS) to support National Institute of Standards and Technology (NIST) Special Publication SP 800-171 compliance (https://www.sprs.csd.disa.mil/). With this deployment, authorized representatives of the contractor are able to enter results for
self-assessments in SPRS via the Procurement Integrated Enterprise Environment (PIEE) https://piee.eb.mil/piee-landing/.

Nov 30, 2020

DoD Contract Award Requires Current 800-171 Assessment in SPRS

Companies are required to implement the NIST SP 800-171 standard and to have a current (<3 years) NIST SP 800-171 DoD Assessment on record in order to be considered for contract award. The provision requires companies to ensure the results of any applicable current Assessments are posted in the Supplier Performance Risk System (DFARS 252.204-7019).

Dec 01, 2020

DoD Begins Phase in CMMC Standard Over 5 Year Period

Until October 1, 2025:

Inclusion of CMMC requirements in all DoD solicitations is phased in over a 5 year time period.  The contracts that will incorporate CMMC requirements are determined by the DoD’s Under Secretary of Defense for Acquisition and Sustainment.

Oct 01, 2025

All DoD Solicitations Require Compliance with CMMC Standard

After October 1, 2025:

All entities receiving DoD contracts and orders, other than commercial off the shelf (COTS) products, will be required to have the CMMC Level identified in the solicitation, and at a minimum will require a CMMC Level 1 certification.

 

Want More?

Check out our other solutions – Enterprise Management, IT Services, Training & Development, and Cybersecurity.

INTERESTED IN MORE CMMC RESOURCES?

Learn to meet cybersecurity business goals and organizational priorities, while connecting with the best in the business.

LEARN MORE ›

LET’S TALK.

Ready to take on your unique challenge, we will hit the ground running and achieve results—not only through what we deliver, but in how we deliver it.

CONTACT US ›