The C3 CMMC Readiness Program
Leverages Microsoft 365 GCC High to Meet Cybersecurity Maturity Model Certification Requirements.
Learn more about the C3 CMMC Readiness Program.
Complete the form below to get started.
Note: We take your information-security seriously and won’t ever share it with others.
One critical part of any compliance strategy is Microsoft 365 GCC High.
To get the most out of GCC High and understand your road to compliance, turn to
C3 Integrated Solutions.
C3 Integrated Solutions.
The U.S. is under constant attack from a wide variety of malicious actors: it is estimated that over $60 Billion is lost annually to cyber theft. Much of that loss is via our government contracting community, which threatens not just our economic health, but our national security.
If you do business with the Department of Defense (DoD) it’s time to prepare for the Cybersecurity Maturity Model Certification (CMMC) framework. You WILL need to become certified even if you’re already operating in the DoD supply chain, or if you wish to win new DoD contracts.
CMMC is designed to secure our nation’s Defense Industrial Base (DIB) through a series of controls, processes, and certifications. CMMC transitions the DIB from the current, self-attestation model for cyber compliance to a third-party audit-based accreditation. This new requirement is being integrated into DoD contracts through a revision to DFARS 252.204-7012 and will go into effect in late 2020. Every company that does busines with the DoD, either directly or directly will need to comply with CMMC.
What is Different About CMMC?
In prior years, DoD contractors could self-attest for DFARS 252.204-7012 compliance when requested by contracting authorities. This request was typically made after the contract was awarded. Now, CMMC will force the compliance requirement BEFORE award, or at award-time. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. Contracts will NOT be awarded if you are not CMMC compliant.
While many companies are understandably concerned about this potential loss of revenue, a great positive to the new certification will be the elimination of ambiguity. DoD contractors have struggled to understand how the DoD would enforce compliance; CMMC allows contractors to become certified and lean on those third-party assessments to protect them from potential Civil False Claims Act (FCA) actions related to their compliance with DFARS 7012 and NIST 800-171.
While COVID-19 may have slowed the rollout of CMMC slightly, IT professionals should not expect any major delays. Every indication is that CMMC is on pace to be active by the end of 2020.
Book MY Cybersecurity review
What is Required for Level 3 Compliance?
The CMMC framework includes five levels of security requirements. Each level is a mix of practices and processes that measure both technical activities as well as the maturity of a company’s policies and governance. If you store, process, or transit Controlled Unclassified Information (CUI), you will be required to achieve at least Level 3 compliance.
What is GCC High?
Microsoft 365 GCC High is the version of Microsoft 365 that is designed specifically for the DIB. It is built on a foundation of security, privacy, and compliance in the Azure Government Cloud. With Microsoft 365 GCC High, contractors can meet the following requirements:
- FedRAMP Moderate (FedRAMP High in process)
- NIST 800-171
- DFARS 252-204.7012 including clauses (c) through (g)
- Complete data, applications, and hardware residency in the
- United States
- Physical separation within the United States operated by personnel who are US citizens and passed a rigorous background check.
- Attestation to ITAR requirements
The C3 CMMC Readiness Program
C3 has developed a methodical approach to securing your environment and positioning it for CMMC compliance. Building upon the Microsoft Cloud and GCC High, as well as select complementary services, C3 delivers the technologies necessary to enable the processes required by CMMC. This approach is modular, allowing our clients to pick the services they need to complete their compliance journey. We provide a practical strategy that allows you to implement services incrementally, at your pace, while maintaining capability and security each step of the way.
Preparing for your CMMC audit requires a review of your cybersecurity posture and determining the level of investment required to become compliant. We can help you understand how CMMC works as well as what solutions you need to meet your targeted level of compliance.
Book MY Cybersecurity review
Why C3?
Just as contractors have dedicated staff and resources to prepare for ISO, CMMI, and DCMA audits, DoD contractors will need to have adequate technology support for CMMC. The DoD has suggested that businesses will need to dedicate significant staffing resources (greater than or equal to four information security specialists) to cybersecurity compliance and continuous improvement. Unfortunately, the overwhelming majority of government contractors under 1,000 employees do not have the teams in place to support this need or capability. And while some firms could build an internal team, many are choosing to partner with an external firm with the expertise to manage the environment and security process for them.
C3 Integrated Solutions is dedicated to securing our nation's military infrastructure by protecting the cyber resources of the DIB. As a leading provider of Microsoft Government Cloud solutions including Microsoft 365 GCC, GCC High and Azure Government, we specialize in helping clients achieve DFARS 252.204-7012 and NIST 800-171 compliance through a suite of solutions designed to meet these requirements. This positions our clients to be ready for the upcoming Cybersecurity Maturity Model Certification audits later this year. Our approach provides personal service on your terms.
How Do I Prepare for CMMC?
- If you haven't already, get an SSP and POA&M in place. This was and will continue to be the starting place.
- Make sure your existing environment complies with NIST-171 or build a new environment to this level of compliance. To achieve that basic level of compliance, we suggest that your first step be moving to Microsoft 365 GCC High.
- Consider the cost of enhanced support and security requirements for your business: will you need to add additional staff? If so, how many? You may be better off outsourcing your security, compliance, and information system management to a Managed Service Provider like C3.
- Reach out to the C3 team. C3 has been tracking the progress of CMMC for over a year, from its pre-release status through the release of CMMC 1.02 and its continued evolution as we approach an official go-no-go date of release.
C3 works with government contractors across the country to help them stay safe against all types of threats. We can help you understand CMMC and create a plan to reach compliance.
Schedule a meeting with one of our cybersecurity experts today!
Book MY Cybersecurity review