Industry-leading CMMC Services for Federal Contractors

For organizations entrusted with Controlled Unclassified Information (CUI), the stakes are particularly high, requiring a meticulous approach.

CMMC Services

How Coalfire Federal Helps

As a C3PAO and CMMC expert, Coalfire Federal can guide you to CMMC certification. With our experience, we’ll help you achieve compliance.

Precision CMMC Compliance

CMMC Advisory Solutions

As a C3PAO and a Department of Defense contractor also subject to CMMC requirements, Coalfire Federal is uniquely qualified, and armed with first-hand experience, to help you become assessment-ready.

  • CUI Boundary Analysis
  • CMMC Gap Analysis
  • CMMC Remediation Support

CMMC Assessments

Not all assessments are equal. With a rigorous and complex preparation process, the last thing you want is to have your formal CMMC C3PAO assessment performed by an inferior partner that delays compliance and increases cost.

  • Mock Assessment
  • C3PAO Assessment

Frequently Asked Questions

Please note that this FAQ is a summary and should be used in conjunction with the official CMMC documentation for precise guidance and compliance instructions.

The Cybersecurity Maturity Model Certification (CMMC) is a three (3) level cybersecurity standards program. CMMC impacts US Department of Defense (DoD) contractors. These contractors are currently required to implement 110 NIST SP 800-171 practices to protect Controlled Unclassified Information (CUI) under current DFARS 252.204-7012 contract obligations. They're also required to pass a third-party assessment at Level 2. The Department of Defense projects the Interim Rule to be published around March 2024.

Coalfire Federal has 20 years of experience providing advanced cyber support to highly regulated organizations in the Defense Industrial Base Sector. As one of only a handful of C3PAOs (CMMC Third-Party Assessor Organizations), we are uniquely qualified to guide you in your compliance journey. Learn how Coalfire Federal can help you reach your compliance goals with verifiable, accurate results.

Coalfire Federal is one of the few C3PAOs (CMMC Third-Party Assessor Organizations) and has 20 years of experience providing advanced cyber support to regulated organizations in the Defense Industrial Base. We offer advisory guidance and assessment services to help you achieve your compliance goals.

CMMC 2.0 is the next iteration of the DoD's CMMC cybersecurity model. It streamlines requirements into three levels, aligns with NIST cybersecurity standards, and improves supply chain security posture and acquisition confidence. Self-assessments are acceptable for Level 1, while Level 2 aligns with NIST SP 800-171.

The Department’s model will significantly improve its supply chain security posture and acquisition confidence.

  • Self-assessments – A self-assessment is acceptable only for those companies that are required to protect the information systems on which FCI is processed, stored or transmitted. Organizations conducting self-attestations for Level 1 will require an annual self-assessment and an annual affirmation by a senior company official.
  • Security Practice Alignment – CMMC 2.0 is intended to accommodate a majority of DIB contractors that only handle FCI by eliminating maturity process requirements for Level 1. Level 2 is designed to align with NIST SP 800-171 and its 110 security practices while eliminating all CMMC-specific and unique security practices.
  • Increased Vigilance – Instead of check-the-box compliance, organizations must think more in-depth about becoming secure and staying that way. Increased vigilance will likely be necessary to achieve and maintain cyber maturity.

CMMC 2.0 includes a level-based model, focuses on Controlled Unclassified Information (CUI) standards, and includes additional domains beyond NIST 800-171, providing a more comprehensive approach to cybersecurity.

CMMC Level 1: Focuses on the protection of Federal Contract Information (FCI).

CMMC Level 2: Applies to companies handling Controlled Unclassified Information (CUI).

CMMC Level 3: Intended for companies working with CUI on the Department of Defense's highest-priority programs.

The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the conformance regime. The accreditation body verifies the credentials and qualifications of C3PAOs and ensures that they can deliver the appropriate guidance for contracting companies that are trying to meet the compliance requirements. It also establishes the framework and standards for becoming a C3PAO.

We offer vendor-neutral guidance, C3PAO capabilities, and deep industry knowledge to ensure your compliance success.

Advisory & Assessments

Coalfire Federal is your go-to CMMC partner, offering not just assessments but also comprehensive advisory services. As a certified C3PAO and RPO, we bring unmatched expertise to preparing you for an official CMMC assessment.

Authorized C3PAO

Proven experience conducting Joint Surveillance Voluntary Assessments (JSVAs) as an authorized C3PAO ensures a streamlined and efficient process based on first-hand experience.

Unmatched Experience

Benefit from our unmatched experience guiding organizations through the CMMC compliance process as well as having performed several Joint Surveillance Voluntary Assessments (JSVAs).

Protect the Mission. Achieve CMMC Compliance.

Coalfire Federal provides expert CMMC guidance and official assessments to ensure your organization is fully compliant, allowing you to focus on your core mission with complete confidence.
