
Cybersecurity Maturity Model Certification (CMMC)

You may need it to do business with the DoD

The release of the Cybersecurity Maturity Model Certification (CMMC) brings changes to the Department of Defense (DoD) Supply Chain for both contractors and subcontractors. As CMMC will be a requirement to do business with DoD, it is critical for DoD contractors to understand what CMMC means for their organizations and begin preparing now.

The final rule (32 CFR Part 170) for the CMMC program became effective on December 16, 2024. Download our “notable takeaways” now to learn how the changes may impact how your organization prioritizes CMMC compliance initiatives.

CMMC 101


    Why Deloitte?

    Deloitte has taken a proactive approach to CMMC since the release of the model in 2020. We have been active in the marketplace by providing thought leadership through our webinars, written points of view, and—most importantly—performing readiness assessments, supply chain risk assessments, and remediation services for our clients to help them prepare for CMMC.

    Our highly skilled team of professionals is trained in cybersecurity and possesses high levels of knowledge and experience in technology assurance. Our professionals have provided a range of readiness services to various members of the Defense Industrial Base (DIB) to help them prepare for CMMC. Some of these professionals are among the first group of CMMC Provisional Assessors and Registered Practitioners.


    How Deloitte can help

    Deloitte is recognized globally as a leader in cybersecurity risk services. Our vast team of cybersecurity professionals serves thousands of clients worldwide in both the public and private sectors, including various DoD agencies and companies in the DIB. We have a variety of solutions that can be tailored to meet your specific cybersecurity needs on your path to CMMC compliance.


    Aside from the CMMC requirements that contractors must address for their own organization, there is a business imperative to also consider the indirect risk of supply chain disruption due to noncompliance of subcontractors within the supply chain. As subcontractors play a critical role in the supply chain, many companies will need to assess and respond to the risk of subcontractors not being in compliance with their respective CMMC requirements on a given contract. If a vital subcontractor cannot meet the defined CMMC requirements, that subcontractor cannot be used for the respective contract―potentially causing serious supply chain disruptions for the prime contractor.

    This risk can be of particular concern, as even the identification of relevant subcontractors and service providers throughout the supply chain can be an extremely complex and challenging task. Leveraging a breadth of experience and technical resources, we can help to identify, map, and profile your supply chain to provide transparency and valuable data points to support the mitigation of supply chain disruption.

    After organizations undergo a readiness assessment, a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit, or an official assessment from a C3PAO, Deloitte can provide a variety of remediation services to help organizations meet CMMC requirements.

    Remediation support

    We have the knowledge and experience to navigate remediation efforts and can help you address gaps by developing remediation roadmaps that provide clearly laid out, time-phased plans.

    Control design

    We can assist with the design and implementation of new controls by providing recommendations and guidance in accordance with the CMMC framework. Additionally, Deloitte can assist with redesign efforts for existing controls.

    Policy and procedure development and implementation

    In many cases, organizations fail to align their policies and procedures to emerging requirements. In these cases, Deloitte can assist with the development and implementation of policies and procedures that align with the CMMC framework.

    Organizations can struggle with the resources, tools and skillsets needed to implement an ongoing cybersecurity program that addresses the various associated cyber risks. Our team of professionals can provide ongoing managed services to assist with these challenges. A few examples of how we can help include the following:

    Rapid CMMC Compliance

    Our team can swiftly deploy leading-edge compliance technology that can allow data movement and sharing within a compliant ecosystem and accelerate an organization’s ability to deliver new CMMC-compliant services, supported by a flexible and robust security program and solutions. Our solution offers scalable on-demand capacity to align with the changing demands of your business.

    Managed Identity Services

    We offer a digital identity platform that can manage internal and external access within your environment in compliance with CMMC. Alternatively, we can manage your identity platforms, bringing our experience in Identity Access Management and CMMC compliance.

    Threat management

    Deloitte specialists can inform and empower business decisions on managing cyber risk by providing evidence-based analysis of threats. We can help clients build programs to use threat intelligence to adapt and be proactive ahead of the threat.

    Threat intelligence

    Through data collection from a variety of internal and external sources, we can assist clients as they identify threats to better inform threat detection. Additionally, we can help clients improve their ability to inform threat detection and security controls, and to gain visibility into the current threat landscape that influences use cases and hunting techniques.

    Threat hunting

    Our cyber threat hunting team brings extensive experience, discipline, and creativity in executing a demonstrated framework for effective hunting operations across a wide variety of environments. Using advanced tools and techniques, our professionals help organizations uncover cyber threats.

    C3PAO

    Deloitte is in the process with the AB to become a C3PAO. Stay tuned for updates on this service.

    Certification support

    Assessments and audits can be time-consuming, and difficult to support amid fulfilling day-to-day business activities―having the appropriate individuals to interface with the certifiers can significantly contribute to the positive outcome of your certification. Deloitte professionals have extensive experience in both performing and supporting assessments and can help with preparing for the certification, engaging with certifiers, and responding to any findings identified.

    CMMC is the tipping point for organizations to start thinking holistically about their overall government contract compliance program―enabling sustainable growth for both DoD-specific business operations and the entire organization. Aside from possible cross-program efficiencies, with the increased focus on the importance of cybersecurity, CMMC is more than just a requirement: it’s also a value-add that will differentiate organizations in the eyes of their customers and business partners. We can help organizations think through compliance programs and provide guidance on how best to derive value from optimizing their management.

    Compliance and control mapping

    In today’s environment, organizations must adhere to a variety of compliance requirements and frameworks and are subject to numerous audits and assessments throughout the year. Managing all of these can be extremely time-consuming and expensive, but there are ways to streamline―which can help you save both time and money. Through detailed mapping exercises, Deloitte can help identify overlap in order to develop a foundational inventory of frameworks and controls that are needed to address various requirements (e.g., CMMC, SOX, FedRAMP). Not only can this help identify coverage, it can also help identify gaps. And, with the time saved through streamlining overlap, additional time can be spent focusing on addressing those gaps.

    Consider the products and solutions delivered into the DIB that may need to be CMMC compliant. Failing to adhere to such requirements could result in significant revenue loss, which is why it is critical to proactively prepare and manage compliance around products and/or services.

    Compliance framework

    We can help with the development of a broad compliance framework, or optimization of an existing framework, that can be used to help bring products and/or services in compliance with CMMC.

    As many organizations are moving toward digitization and a cloud environment, CMMC compliance should be a top-of-mind issue. Incorporating CMMC compliance into the process now can help position organizations to get ahead of compliance issues and help them mitigate business disruption and possible revenue loss due to non-compliance or post-implementation compliance activities. Wherever the organization may be in the process, the Deloitte team can provide valuable insight and assistance on your path to CMMC compliance.

    Additional CMMC insights

    Overview of CMMC

    Want to learn more about CMMC? Take a look at this overview, including five updates and related actions you can take now.

    Safeguarding controlled unclassified information (CUI)

    The need to protect data is more important than ever. Read more about five things you should know and five actions you can take to help you better safeguard CUI.

    NIST SP 800-171 Revision 3 Draft highlights

    NIST released a draft of NIST SP 800-171 Revision 3 (Rev 3), which includes some significant updates. In our 5x5 series, we explore five notable updates and five actions federal contractors can take to prepare.

      Get in touch

      Alan Faver
      Partner
      Deloitte Risk & Financial Advisory
      Deloitte & Touche LLP
      +1 404 220 1701

      Charan Ahluwalia
      Principal
      Deloitte Risk & Financial Advisory
      Deloitte & Touche LLP
      +1 347 237 7834

      Keith Thompson
      Managing Director
      Deloitte Risk & Financial Advisory
      Deloitte & Touche LLP
      +1 703 405 3717

      Mika Alexoudis
      Senior Manager
      Deloitte Risk & Financial Advisory
      Deloitte & Touche LLP
      +1 919 616 7109
