CMMC Compliance Services

CMMC Compliance and Security Services

CMMC is taking shape rapidly with new announcements coming out frequently. If you know you will need CMMC certification or are looking to get a jump start on readying for certification as the CMMC is finalized please contact us today.

CMMC Compliance Services

CMMC is an evolving cybersecurity requirement. Whether you’re looking for cybersecurity support, controls design, or readiness assessments NuHarbor Security can help in a variety of ways:



CMMC Readiness Assessment

If you’re looking to get a head start on preparing for CMMC compliance, a logical place to start is a CMMC Cybersecurity Readiness Assessment. This effort will measure where you are today and the roadmap required to prepare for the upcoming certification.



CMMC Penetration Testing

CMMC derives many of the required controls from NIST. NIST has always had a requirement for penetration testing. This requirement goes beyond an automated vulnerability scan. Penetration testing is conducted by penetration test operators and teams with requisite skills and experience. Our REDSEC teams have technical expertise in network, operating system, and application level security.



CMMC Security Monitoring and MSSP

Our MSSP services fulfill all CMMC auditing and logging requirements. Our Splunk MSSP can support all of the expected CMMC audit compliance initiatives when finalized.



CMMC Development and Documentation of System Security Plans (SSP)

Development of a CMMC System Security Plan (SSP) can be daunting. If you don’t know where to start, need some control design advice, or just need some bench strength contact NuHarbor Security for support.



End-to-End CMMC Support

The CMMC requirements are continuing to evolve. Whatever your CMMC requirements are NuHarbor Security has the end-to-end cybersecurity services to be your trusted partner and help you prepare for certification. Whether you’re getting started or you are nearing the finish line we can support your compliance needs.

CMMC Compliance Overview

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. Enter the Cybersecurity Maturity Model Certification (CMMC).

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for existing DoD contractors, replacing the self-attestation model and moving to independent third-party certification.

The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, private sector contributions, and input from academia. This new certification is intended to tighten cybersecurity within the defense industrial base. CMMC consists of five levels to measure cybersecurity practices of contractors. Those levels include:

CMMC Levels

Level 1: Performed (Basic Cyber Hygiene)

Process: At this level, practices are performed in an ad-hoc manner so there is no process requirement.
Practice: It addresses protection of FCI and 17 practices are required for the basic safeguarding requirements specified in 48 CFR 52.204.21.

Level 2: Documented (Intermediate Cyber Hygiene)

Process: Policy and documentation of practice are required to develop mature capabilities and achieve process Level 2.
Practice: Progression from Level 2 to Level 3. The majority of practices (65 of 72) comes from NIST SP 800-171 and new 7 practices from other standards are added to Level 2, such as audit log review, event detection/reporting, analyzing triaging events, incident response, Incident RCA (root cause analysis), regular data backup and testing, and encrypted session for device mgmt..

Level 3: Managed (Good Cyber Hygiene)

Process: Not just policy and documentation of practices, a plan is required to demonstrate management of practice implementation activities. The plan needs to address missions, goals, project plans, resourcing, required training and involvement of stakeholders.
Practice: All 110 control requirements of NIST SP 800-171 are required for this level. In addition, 13 new practices from other standards are added to Level 3, such as defining procedures of CUI data handling, collecting audit info into central repositories, regular data backups, periodical risk assessment, risk mitigation plan, separate management of non-vendor-supported products, security assessment of enterprise software, cyber threat intel response plan, DNS filtering, restriction of CUI publication, spam protection mechanisms, email forgery protections, and sandboxing.

Level 4: Reviewed (Proactive)

Process: Practices are reviewed and measured for effectiveness. In addition, correct actions when necessary and communication to higher level mgmt. on a recurring basis are required.
Practice: In order to protect CUI from APTs, 26 practices enhance the detection and response capabilities to address and adapt to TTPs used by APTs.

Level 5: Optimizing (Advanced / Progressive)

Process: Process standardization and optimization.
Practice: The additional 15 practices increase the depth and sophistication of cybersecurity capabilities.

Compliance Services

Recent Blog Posts

2 Questions to Determine if a Security Program Review or Security Assessment is Better for your Company

By: Justin Fimlaid The beginning of the year is a great time to review your security posture. You have many options available to you as to how you conduct security review. The most common ways that we see companies approach a review of their security program generally...