
CMMC 

Advanced consulting services for US Department of Defense suppliers

What is CMMC?

Cybersecurity Maturity Model Certification (or CMMC for short) is a cybersecurity certification required for any organization that intends to work with the US Department of Defense (DoD), or as a subcontractor of an organization working for the US Department of Defense in the coming years.

CMMC in its new version (ver 2) consists of 3 different levels of certification, each of which is adapted to a different level of information security required in the organization.

The level of certification required of each organization depends on the type and classification of the information it is exposed to during its work with the DoD, and is defined in the tenders that are published.


Please note that CMMC definitions are dynamic and are expected to be updated along with the industry; therefore CMMC certification is valid for 3 years, after which renewal is necessary. Note also that each certification level "contains" the levels below it, that is, a level 2 certification includes within it the requirements of level 1, etc.

How does the process work?

Preparing the organization

We come to your organization and identify gaps against the existing cyber defenses, analyze the gaps and create a plan to complete them (according to the level of certification required by the organization).

Level 2 or 3

Requires an evaluation once every 3 years by an external auditor from an official certification body on behalf of the DoD, called a Certified 3rd Party Assessment Organization (C3PAO).

We will accompany the preparation for the assessment and the assessment itself, and address any gaps that are found.

Certified accompaniment

The process is led by a Certified Registered Practitioner (RP), a certified implementer recognized by the CMMC-AB, who accompanies the organization through the certification process.

We are the first in Israel to receive recognition from the organization.

  • How will the requirement for CMMC certification affect my existing business engagements with the DoD?
    The DoD intends to require CMMC certification from its entire supply chain of suppliers and service providers, both in future tenders that include access to CUI or FCI information, and as an addition to existing contracts. Therefore, even an organization that currently works with DoD will have to present certification even if it does not intend to access future tenders after 2025, as well as its entire supply chain.
  • Can my organization obtain CMMC certification on its own?
    Although it is possible to prepare for CMMC certification internally, the process can be complex, expensive, and take a long time, especially if the organization does not employ both information security and quality assurance experts. An outside consultant with CMMC expertise can help streamline the process, ensure all requirements are met effectively, and increase the likelihood of passing the certification audit on the first try, saving a lot of time and money.
  • What is the difference between NIST SP 800-171 and CMMC?
    The NIST SP 800-171 is a guidance document intended for non-federal entities exposed to CUI. CMMC is based on these guidelines, but expands them by adding additional practices and processes as well as dividing into 5 levels of certification. Unlike NIST, which is based on self-assessment, CMMC requires certification by a third party (C3PAO).
  • What happens if we fail the CMMC assessment?
    An organization that has not met the CMMC assessment requirements will receive from the C3PAO a list of deficiencies that must be addressed. It will have to implement corrective actions for these areas and then undergo a reassessment. Please note that there may be a waiting period before a reassessment can be performed. For these reasons, it is recommended to consider the accompaniment of a professional in the certification process.
  • Will there be exceptions that will be exempt from CMMC certification?
    Currently there are no exceptions. Every contractor and subcontractor working as part of the DoD supply chain and exposed to FCI or CUI will be required to present CMMC certification regardless of their size and the industry in which they operate, although the level of certification required may vary. This also includes services provided in the cloud.
  • Will CMMC requirements change over time? And how can my organization prepare for this?
    Yes. As threats and information security technologies evolve, the model will be updated accordingly by the official accreditation body, the CMMC Accreditation Body (AB). A professional consultant who accompanies the organization in the accreditation process can also assist in building a plan to keep the organization up to date.
  • Can organizations that are not part of the supply chain of the US Department of Defense also be certified for the CMMC model?
    Yes. Although there is no obligation, the CMMC certification is a signal to the market about the organization's professionalism and the seriousness with which it takes the security of the information to which it is exposed.
  • How much is CMMC certification expected to cost?
    The costs vary according to a number of factors, including the level of certification requested, the size and complexity of the organization and its information networks, and the number of existing gaps in the information security system. In addition, there are the costs of the third-party assessment itself. As a rough estimate: certification for level 1 is expected to cost between hundreds and thousands of dollars, certification for level 2 may reach thousands to tens of thousands of dollars, and certification for level 3 and above may even reach hundreds of thousands of dollars. For an initial consultation, you can leave your details in the form at the bottom of the page, or contact us directly.
  • How long is the certification process expected to take?
    Here too, it is difficult to say, since there are many variables in the process. Preparing the organization for the assessment can take from a few weeks to several months.
  • How can you get professional help in the organization certification process?
    For consulting and support from our quality assurance and information security experts, you can contact us - Maof Quality, Improvement, Optimization Ltd.

Secure your organization's future

Ready to embark on your journey to CMMC certification and enhanced cyber security?

Leave your details here
