Don't have an in-house team? We've got you covered!
Your path to CMMC certification can be daunting, especially for companies that do not have sophisticated internal CIO/CISO organizations. WhiteHawk, as an online Cyber Risk prioritization and mitigation platform, welcomes the transition to the Cybersecurity Maturity Model Certification (CMMC) because it is the great equalizer. CMMC gives all companies and enterprises a path to cyber resilience that is tiered to their body of work and level of cyber sophistication.
CMMC 2.0 Change Notice
WhiteHawk is aware of the ongoing changes to CMMC and is working on updating our reports as all the requirements are codified through rulemaking by the Department of Defense. The rulemaking process and timelines can take 9-24 months, after which CMMC 2.0 will become a contract requirement. The CMMC data we share is still valid as the CMMC 2.0 categories/domains remain unchanged from CMMC 1.0. Once the rulemaking process is complete, WhiteHawk will update its CMMC reports to reflect all CMMC 2.0 changes accordingly. Please visit CMMC FAQ for more information.
Who needs to achieve CMMC?
Any organization that plans to conduct business with the DoD will be required to undergo an audit by an authorized CMMC C3PAO auditor before bidding on, winning, or participating in a contract, or subcontracting to a prime. All DoD contractors and suppliers will need to achieve, at a minimum, CMMC Level 1 if they want to continue to do business with the DoD.
How does an organization become certified?
A non-profit, independent organization called the CMMC Accreditation Body (CMMC-AB) will accredit CMMC Third-Party Assessment Organizations (C3PAOs) and individual auditors. The CMMC-AB will establish a CMMC marketplace with a list of approved C3PAOs, from which Defense Industrial Base (DIB) companies will choose an approved auditing organization.
How does the CMMC framework function?
CMMC has five different certification levels that reflect the maturity and reliability of a government contractor’s infrastructure to protect both sensitive and proprietary government information. The levels are cumulative: each level's technical and policy requirements include the requirements from the previous level.