Cybersecurity Maturity Model Certification (CMMC)
DoD forecasts adding CMMC certification requirements to new contracts starting in May 2023. Companies that handle Controlled Unclassified Information (CUI) and don't hold a CMMC Level 2 certification won't be able to win those contracts.
As one of the first ten companies to achieve Authorized CMMC Third-Party Assessment Organization (C3PAO) status, La Jolla Logic is a market leader in assisting the Defense Industrial Base with meeting its requirements for protecting CUI. Our three-phase approach of Plan, Assess, and Certify has been developed from more than five years of evaluating organizations and information systems for compliance with NIST SP 800-171 and performing CMMC Gap Analysis assessments. The La Jolla Logic method complies with the CMMC Assessment Process (CAP) and ensures our assessors will quickly and accurately determine your organization's compliance with the practices in the CMMC Assessment Guide. Our assessors work closely with your internal compliance team throughout the assessment, providing daily trending updates so that you have full visibility into your progress toward final CMMC certification. Select Get Started to contact us for a free consultation and estimate.
Find us on the CMMC-AB Marketplace list of providers.
Not ready for CMMC Certification? Not sure where to start?
No Worries. We Got You.
While rulemaking for CMMC has taken longer than DoD forecast, the government has not wavered in its commitment to protecting CUI. The CMMC proposed rules, which amend 32 CFR (the program rule) and 48 CFR (the DFARS contract clauses), are forecast to be published in September 2023. Based on the length of past public comment periods and implementation timelines, we estimate that the rules will take effect the following autumn. Most organizations need 6 to 12 months to achieve full compliance with CMMC, so waiting for the final rule leaves little margin. As an Authorized C3PAO, we know what assessors are looking for, and we will ensure your team does too. We used our proven four-step process to pass our own CMMC Level 2 assessment by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). We'll show your team how to use it to protect your networks and earn your CMMC Level 2 certification before the competition, so you're the one with a competitive edge when the rules go into effect.
The time to get ready for CMMC is now!
Step 1: Map your CUI
Our approach starts with understanding your specific needs based upon the sensitivity of the information your organization is required to protect. We work with your team to document the flow of Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) throughout your environment, identifying the systems, people, and processes that store, process, or transmit it and therefore need to be protected. We help you define the assessment scope so that only the assets that actually handle FCI or CUI fall inside the CMMC boundary, which limits both your assessment cost and your liability.
Step 2: Know where you stand
We perform a Gap Analysis by examining your existing policies, plans, and procedures to understand how you protect your information. We then interview your IT and security teams and your business process experts to validate our understanding, document your security strengths, and identify areas for improvement. Based on the Gap Analysis, we provide you with a report that shows whether you have "Met" or "Not Met" each of the CMMC / NIST SP 800-171 practices and that defines the specific gaps that must be closed to comply with the standards and clauses specified in federal contracts for protecting sensitive data.
Step 3: Build a roadmap
We'll review those gaps with you and provide the simplest, most cost-efficient, and technically sound solutions to remediate them and protect your data. We'll help your team develop a prioritized Plan of Action and Milestones (POAM), so you have everything necessary to add or update your Cyber Risk Score in DoD's Supplier Performance Risk System (SPRS). The roadmap and a phased implementation strategy will help you establish a budget and prioritize future expenditures.
Step 4: Secure your information
With a definitive roadmap to get your organization to full compliance with CMMC / NIST SP 800-171 requirements, we will assist your team in designing and implementing the right security architecture for your needs. Whether you need support to directly implement changes or just advice and training for your team, our engineers have the direct DoD cybersecurity experience, industry certifications (CISSP, Security+, CASP…), and DoD security clearances to guide you from start to finish on your path to compliance.
Contact us to learn how we can help you beat the CMMC deadline
Comply with NIST SP 800-171
Wondering where NIST fits in the CMMC?
For defense contractors that process, store, or transmit Controlled Unclassified Information (CUI), compliance with DFARS 252.204-7012 and NIST SP 800-171 is required today.
DoD is actively reviewing defense contractor attestations and, in some cases, performing spot checks to ensure companies are indeed complying with DFARS and NIST. All defense contractors and subcontractors with CUI must complete a Basic NIST SP 800-171 DoD Assessment and report their Cyber Risk Score in the Supplier Performance Risk System (SPRS) prior to contract award (DFARS 252.204-7019 and 252.204-7020). Additionally, if cloud-hosted systems are used to process or store CUI, the contractor must ensure that its cloud providers comply with DFARS 252.204-7012 paragraphs (c) through (g), which cover cyber incident reporting, malware submission, media preservation, and DoD access for damage assessment.
As a DoD cybersecurity and advanced technology firm, working with NIST guidance and security controls is second nature to us. We have been supporting partner defense contractors with DFARS 7012 and NIST SP 800-171 compliance since 2017, and have developed efficient processes, procedures, and templates to help you:
- Conduct a NIST SP 800-171 Basic Self-Assessment (and subsequent score for SPRS entry)
- Build your System Security Plan (SSP)
- Define a Plan of Action and Milestones (POAM)
- Remediate Controls (to achieve compliance)
Our experienced cybersecurity engineers will assist your IT team as they evaluate your risk, plan mitigations, and get you to 100% compliance.
Call us before the DoD auditors call you.
Accredit Classified Systems
Earn an Authorization to Operate information systems for classified processing
Information systems used to process or store classified information within the Department of Defense or under DoD contracts must be accredited in accordance with DoD Instruction 8510.01 and the NIST SP 800-37 Rev. 2 Risk Management Framework (RMF). For defense contractors, navigating the processes to obtain an Authorization to Operate (ATO) can be a complex and daunting challenge.
La Jolla Logic cybersecurity engineers bring decades of DoD experience accrediting and fielding systems and applications under DITSCAP, DIACAP, and RMF. We understand that each branch and its network of subordinate commands has its own set of requirements and preferences in the accreditation process. Our engineers leverage years of experience with these organizations and their ever-changing processes to accredit industry-developed products, systems, applications, and even facilities for our clients through the Defense Counterintelligence and Security Agency (DCSA) and DoD Authorizing Officials across the various service components and agencies. We offer tailorable support options so your company can leverage our cybersecurity experts in the manner that best suits your needs:
- General RMF Guidance (Steps 1-7) to coach your team
- ISSM to oversee package preparation and submission
- ISSE categorization, control selection, implementation, and/or testing
- Validator review of package to ensure it meets rigorous agency specific requirements
- Full RMF Package Lifecycle to minimize your effort and achieve an ATO as soon as possible
Use our engineers to develop the entire RMF package, submit it through eMASS (we are experts in this tool!), respond to DCSA questions, and remediate any deficiencies; or consult our experts on an as-needed basis to guide and train your team and assist with all or some portions of the package. You choose!
We’ll help you get your system all the way through the RMF process to attain your Authorization to Operate (ATO) so your team can focus on what you do best and deliver on your classified contracts.
Manage Cyber Risk
Limit your network attack surface and reduce your insurance cost
Whether you are a defense contractor or not, achieving compliance with trusted national and international cybersecurity standards is good for business. Cybercrime and industrial espionage are threats to us all. The average cost of a data breach in the United States is $9.44 million (IBM Cost of a Data Breach Report, 2022). It is no surprise, then, that cyber insurance premiums are skyrocketing and that insurers are requiring proof that companies are taking adequate security steps before issuing a policy. Compliance with trusted cybersecurity standards reduces both your risk and your insurance costs.
Cybersecurity is a changing landscape, and every business needs to understand its security posture and the cybersecurity risk to the critical business and customer data in its information systems. As an independent third-party organization, we bring proven methods for performing cybersecurity risk evaluations, based on trusted national and international standards, to discover inadequate system configurations and processes.
Get Started