Hegseth’s Urgent Directive to Pentagon Leadership Following ProPublica Investigation

September 2, 2025 by SysArc

In a recent memorandum, U.S. Secretary of Defense Pete Hegseth issued an urgent directive to Pentagon leadership, calling for heightened measures to protect the Department of Defense’s (DoD) information technology (IT) capabilities, including cloud services, from foreign adversaries such as China and Russia. The memorandum underscores the growing concerns regarding the vulnerability of the DoD’s supply chain to potential malicious influence by foreign powers, particularly in light of recent revelations surrounding the use of China-based engineers by Microsoft for Pentagon cloud services.

A Summary of Pete Hegseth’s Directive

Immediate Actions for Secure IT Capabilities

Secretary Hegseth’s memorandum mandates the DoD Chief Information Officer (CIO) to collaborate with key departments including the Under Secretaries of Defense for Acquisition and Sustainment, Intelligence and Security, and Research and Engineering to immediately review and validate all information technology assets within the DoD. This review focuses on ensuring that these systems are secure against any potential supply chain attacks by adversarial nations, particularly China and Russia. The directive emphasizes the necessity of ensuring that the Department does not procure any hardware or software that may be susceptible to foreign influence or pose a risk to mission security.

Fortifying the Defense Industrial Base (DIB)

In a bid to counter these threats, the DoD has been instructed to strengthen existing safeguards within the Defense Industrial Base (DIB) that serves as a critical supplier of goods and services to the military. The Department will take measures to eliminate or mitigate adversarial foreign influence in its products and services, with a focus on preventing the introduction of malicious capabilities by foreign actors. The memorandum further directs the Department to explore any additional steps necessary to address the risks posed by foreign influence.

Several ongoing initiatives are being leveraged to support this effort, including the Cybersecurity Maturity Model Certification (CMMC), the Software Fast Track Program, the Authority to Operate process, and the Federal Risk and Authorization Management Program (FedRAMP). These programs, alongside efforts such as the Secure Software Development Framework, are all aimed at enhancing the security of DoD systems and operations.

Additionally, the Under Secretary of Defense for Intelligence and Security will oversee the review and validation of personnel security practices and insider threat programs within the DIB and cloud service providers. This initiative is critical to ensuring that the personnel handling sensitive military data do not pose any potential security risks.

Tightened Oversight Following ProPublica Investigation

This memorandum follows recent revelations from a ProPublica investigation, which uncovered that Microsoft had been using China-based engineers to support U.S. military systems hosted in its cloud infrastructure. According to the report, these engineers, while monitored by U.S.-based “digital escorts” (U.S. citizens with security clearances), were still granted access to sensitive systems. This arrangement raised significant concerns about the potential for indirect foreign access to the Pentagon’s cloud infrastructure, leading Microsoft to end the practice.

As a direct consequence of these findings, Microsoft decided to cease using China-based engineers for Pentagon cloud services, in order to comply with U.S. security protocols and mitigate any perceived security risks. While Microsoft assured that it would continue adhering to all U.S. regulations, the company has not yet specified how it will address the technical support needs previously met by the now-discontinued use of Chinese engineers.

Future Guidance and Expectations

In response to these concerns, Secretary Hegseth has directed the DoD CIO to issue additional implementing guidance within 15 days to ensure a secure environment for the nation’s warfighters. This move underscores the urgency of protecting U.S. military infrastructure from potential vulnerabilities in an increasingly interconnected world, where adversaries such as China and Russia may seek to exploit weaknesses in the supply chain and cloud services.

The DoD’s actions reflect a growing recognition of the risks posed by foreign influence in military technologies and underscore the Department’s commitment to safeguarding sensitive defense systems from adversarial threats. Through rigorous security protocols, strategic reviews, and proactive measures, the DoD aims to fortify its IT infrastructure, ensuring the safety and security of its operations in an era of rapidly evolving technological threats.

Filed Under: CMMC

48 CFR Rule: CMMC Will Be In Contracts As Early As October 2025

September 2, 2025 by SysArc

The Department of Defense (DoD) officially submitted the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review. This important step paves the way for CMMC requirements to be incorporated into defense contracts as early as October 2025.

What Is the 48 CFR Rule?

The rule covers 48 CFR Parts 204, 212, 217, and 252 and establishes CMMC acquisition policies along with standardized contract language. While 32 CFR Part 170 has been effective since December 2024, the 48 CFR rule is necessary to formally authorize the inclusion of CMMC language in solicitations and contracts.

The final rule’s submission to OIRA marks the second-to-last stage before it becomes official, enabling CMMC to be enforceable in defense contracts. OIRA has 90 days to review and it could take one to three weeks for the final rule to be published in the Federal Register.

Therefore, we expect to see CMMC requirements in contracts starting in late October 2025.

What Is the Significance?

CMMC requirements remain unchanged—they were established by 32 CFR Part 170. However, the 48 CFR rule:

  • Adds the DFARS 252.204-7021 clause to contracts
  • Grants contracting officers the authority to include CMMC language in solicitations
  • Initiates the four-phase rollout of the CMMC program

The Four Phases:

Why You Need to Act Now

If your organization plans to bid on or receive DoD contracts after October 2025, obtaining CMMC Level 2 certification could be mandatory. 

Key points to keep in mind:

  • CMMC Level 2, verified through C3PAO assessments, can be required starting in Phase 1 (i.e., in 2025), since contracting officers have discretion regarding certification requirements.
  • Waivers probably won’t happen, as they are pre-determined at the acquisition level and are not typically granted to subcontractors or late bidders.
  • The time between solicitation release and contract award—known as the Procurement Administrative Lead Time (PALT)—is usually short (around 32 days), leaving little room to begin CMMC compliance after a solicitation is issued.

Next Steps…

CMMC compliance takes time. Most organizations need 9 to 12 months to fully implement NIST SP 800-171 controls, validate compliance, and successfully pass a C3PAO assessment.

If your organization handles Controlled Unclassified Information (CUI), is a prime contractor or subcontractor within the defense industrial base, and plans to bid on contracts in 2026 or sooner, then you should already be in the CMMC assessment and implementation phase.

SysArc has helped DoD contractors like FN America, Honeycomb Company of America, and 2 Circle prepare for CMMC. To learn how we may help your organization prepare for CMMC, get a free consultation.

Filed Under: CMMC

Client Success Story: GovCon Focused IT & CMMC Compliance for 2 Circle Inc.

August 13, 2025 by SysArc

The Problem

2 Circle Inc., a growing government contractor, had an ambitious roadmap for scaling its business and expanding its presence in the defense and federal sectors. However, the company’s leadership quickly recognized a critical obstacle: their existing Managed Service Provider (MSP) lacked the capabilities necessary to support that vision.

The challenges were twofold:

  1. CMMC Compliance Roadblocks: The current MSP had no expertise in implementing the NIST 800-171 controls required for Cybersecurity Maturity Model Certification (CMMC). Without a clear path to compliance, 2 Circle Inc. faced a fragmented and risky process—outsourcing to yet another provider who would still need to coordinate with their inadequate MSP. Additionally, the existing MSP lacked a Security Operations Center (SOC), another essential element for CMMC compliance.
  2. Inexperience with Government Contractors: Government contracting is not like other industries. It requires specialized IT strategies, cybersecurity frameworks, and the ability to scale quickly in response to new contract wins. The incumbent MSP didn’t understand these nuances, putting 2 Circle Inc. at risk of non-compliance and operational bottlenecks at a crucial time in their growth.

The leadership at 2 Circle knew they needed more than just IT support—they needed a strategic partner who could guide them through CMMC compliance and help them scale securely.

The Solution

2 Circle Inc. partnered with SysArc Inc., a Washington, DC area-based provider of managed IT and cybersecurity services tailored specifically for government contractors.

SysArc’s Unique Value Proposition
With decades of experience supporting government contractors, SysArc brings together comprehensive IT support and robust cybersecurity services under one roof. Their in-house Security Operations Center (SOC) ensures clients meet compliance requirements without relying on third-party vendors. This “one-stop-shop” approach allows SysArc to manage everything from everyday IT needs to high-stakes compliance initiatives like CMMC.

Tailored Implementation for 2 Circle Inc.
SysArc delivered a comprehensive solution that aligned with both 2 Circle’s operational and regulatory requirements:

  • Seamless Migration to Microsoft GCC (GovCon): SysArc migrated 2 Circle’s IT infrastructure from Microsoft 365 Commercial to Microsoft GCC, enabling compliance with Controlled Unclassified Information (CUI) requirements.
  • CMMC-Ready Infrastructure: Leveraging pre-configured tools and processes developed specifically for government contractors, SysArc provided 2 Circle with a ready-made framework to meet NIST 800-171 controls.
  • SOC Implementation: SysArc deployed its 24/7 Security Operations Center to continuously monitor 2 Circle’s network, a critical requirement for CMMC certification.
  • Streamlined IT Provisioning: As 2 Circle scaled its workforce, SysArc’s mature onboarding systems ensured efficient, secure, and remote provisioning for a distributed team.

The Result

Thanks to their forward-thinking leadership and SysArc’s strategic guidance, 2 Circle Inc. achieved transformative outcomes:

  • CMMC Readiness: 2 Circle successfully implemented the NIST 800-171 controls necessary for CMMC compliance. The company is now prepared for its official audit—ensuring continued eligibility for government contracts and setting the foundation for long-term growth.
  • Rapid Workforce Expansion: With SysArc’s support, 2 Circle scaled from 100 to over 250 users, smoothly integrating new employees without operational disruptions.
  • Industry Leadership & Competitive Advantage: By prioritizing cybersecurity and compliance, 2 Circle positioned itself as a trusted leader in the government contracting space. This reputation not only protects their current business but also enhances their potential to win future contracts.

Conclusion
For 2 Circle Inc., the decision to partner with SysArc was more than an IT upgrade—it was a strategic move that enabled the company to meet its growth goals, achieve compliance, and secure its future in the government contracting arena. Together, SysArc and 2 Circle turned a complex challenge into a powerful competitive advantage.

 

Filed Under: CMMC

Client Case Study: CMMC Compliance for Honeycomb Company of America, Inc.

April 22, 2025 by SysArc

Partnering with SysArc to Achieve Full CMMC Compliance

The Problem

Honeycomb Company of America, Inc., a supplier to the U.S. Department of Defense (DoD), faced a critical challenge: achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) before the upcoming 2025 audits by the CMMC Accreditation Board. The company’s internal IT manager was equipped with deep institutional knowledge but lacked the bandwidth and specialized expertise to meet the rigorous requirements of NIST 800-171 alone.

With a one-person IT department, the manager was caught between two competing priorities—keeping day-to-day operations like help desk support running smoothly, and dedicating the massive effort required to prepare for a CMMC audit. Either the organization’s IT support would suffer, or CMMC compliance wouldn’t get done. The stakes were high: without certification, Honeycomb risked losing existing DoD contracts and missing out on future opportunities.

Recognizing that internal resources alone couldn’t handle the scope of the task, the IT manager turned to SysArc, a Managed IT Service Provider (MSP) with deep expertise in CMMC compliance and a track record of supporting defense contractors.

The Solution

SysArc began the engagement with a comprehensive Gap Assessment, evaluating Honeycomb’s current IT maturity against the stringent requirements of NIST 800-171. The results revealed significant gaps that would require either substantial internal staffing or a strategic partnership with a specialized MSP. Honeycomb chose to partner with SysArc.

To address the compliance gaps, SysArc deployed a suite of tailored solutions:

  • Continuous Network Monitoring – SysArc implemented its Security Information and Event Management (SIEM) tool along with its Security Operations Center (SOC), enabling 24/7 monitoring—an essential component of CMMC compliance.
  • Secure Data Handling – The team established robust data flow and access controls to ensure that Controlled Unclassified Information (CUI) was handled, stored, and transmitted securely, with access strictly limited to authorized personnel.
  • Enhanced Authentication – A secure password management system was introduced, along with enforced multi-factor authentication across all devices to protect against unauthorized access.
  • Help Desk Support – SysArc deployed its full-service help desk, giving Honeycomb’s employees reliable access to expert IT support and freeing the internal IT manager to focus on strategic initiatives.

Thanks to SysArc’s “templatized” CMMC-compliant infrastructure, processes, and toolsets—developed specifically for defense contractors—Honeycomb was able to rapidly and cost-effectively achieve compliance without disrupting daily operations.

The Results

With SysArc’s support, Honeycomb Company of America passed the Joint Surveillance Voluntary Assessment Program (JSVAP) with a perfect score of 110, effectively demonstrating full CMMC compliance. This crucial milestone ensures Honeycomb’s continued eligibility for DoD contracts and positions them strongly for future business growth.

The partnership delivered results that went far beyond compliance:

  • The IT manager emerged as a strategic leader, having successfully positioned the company for long-term success with DoD partnerships.
  • Cost savings were realized by leveraging SysArc’s team of CMMC specialists for less than the cost of adding a full-time employee.
  • Cybersecurity was dramatically improved, protecting sensitive company data from cyber threats with top-tier defenses.
  • Operational efficiency increased, as the IT manager was freed to focus on growth, innovation, and strategic initiatives rather than being bogged down by daily IT support or complex compliance tasks.
  • SysArc complemented—not replaced—the IT manager’s role, becoming an extension of the internal team and a long-term strategic partner.

Conclusion
SysArc’s partnership with Honeycomb Company of America illustrates the power of expert-led collaboration between a forward-thinking IT manager and a well-equipped MSP. With the right support, even lean internal IT teams can achieve full CMMC compliance—on time, on budget, and without compromising daily operations.

Filed Under: CMMC

Driving Efficiency: How SysArc is Helping Companies Achieve CMMC Compliance

December 6, 2024 by SysArc

SysArc, a leading provider of cybersecurity and compliance solutions for the Defense Industrial Base (DIB), has proudly announced that four of its clients—Mantech, FN America, Honeycomb Company of America (HCOA), and Hunatek—have successfully completed their CMMC DIBCAC High Assessments through the Joint Surveillance Voluntary Assessment (JSVA) Program, each receiving an SPRS score of 110.

In a period marked by heightened activity and productivity, SysArc has demonstrated its expertise and dedication to preparing clients for CMMC compliance. This achievement underscores SysArc’s commitment to providing tailored solutions and unwavering support to businesses aiming to protect sensitive information and meet stringent cybersecurity standards.

Mantech

SysArc collaborated with Mantech in the final stages of their assessment, providing expert CMMC Consulting Services. Mantech notably implemented a zero-trust architecture across its environment, a testament to their dedication to cybersecurity. SysArc’s team played a critical role in finalizing the SSP and policies and in providing critical evidence during the assessment.

FN America

FN America, a U.S. subsidiary of FN Herstal, S.A., worked closely with SysArc over two years to ensure readiness for their assessment. Leveraging SysArc’s CMMC Program Management Consulting Services, FN America successfully navigated the complexities of compliance, as detailed in their case study.

Honeycomb Company of America

For Honeycomb Company of America (HCOA), SysArc developed a comprehensive CMMC Program from the ground up. As a mature MSP/MSSP focused on the DIB, SysArc manages the IT infrastructure for HCOA, and our Compliance and SecOps teams run their Security Program. With SysArc managing their IT infrastructure and running their Security Program, HCOA was well prepared for the CMMC assessment.

Hunatek

Similarly, Hunatek benefited from SysArc’s dedicated team of IT, Security, and CMMC experts, who provided a complete outsourced solution to achieve their compliance requirements.

SysArc’s work has earned them high praise within the industry. A Director of CMMC from Redspin, a leading C3PAO, commented, “You are doing a fantastic job, so keep it up. In fact, I think you may be the only RPO that has had more than one client pass JSVA. That is a big deal.”

SysArc’s success is further highlighted by their recent CMMC Mock Assessment for External Service Providers (ESP) conducted by an independent C3PAO, where zero gaps were identified and a Plan of Actions & Milestones (POA&M) was not required. SysArc currently has an SPRS score of 110 out of a possible 110, and SysArc’s ability to assist the DIB and/or bid on existing or new DoD contracts remains in place.

All of the hard work and these recent wins for our customers have proven SysArc’s ability to fully support organizations of many different sizes and approaches with customized solutions that fit their compliance and security requirements, knowing that they will successfully achieve CMMC compliance when the time comes.

About SysArc

SysArc is a trusted cybersecurity and compliance partner for the DIB, offering customized solutions to meet the unique needs of each client. With a focus on protecting sensitive information and achieving industry certifications, SysArc delivers expert guidance and support to organizations of all sizes. For more information, visit sysarc.com and experience compliance for yourself.

 

Filed Under: CMMC

How SysArc Helped FN America Pass the Joint Surveillance Voluntary Assessment Program (JSVAP) with a Score of 110 

August 9, 2024 by SysArc

Safeguarding lives on physical and cyber battlefields.

FN America, LLC, is a U.S. subsidiary of FN Herstal, S.A., a global leader in developing and manufacturing high-quality, reliable firearms for military, law enforcement, and commercial customers worldwide. True to its vision to be the firearm industry’s most innovative company, the company makes cybersecurity one of its main priorities. They have been at the forefront of the U.S. Department of Defense’s latest mission to protect America’s defense industrial base from foreign and domestic cyber breaches and attacks with the rollout of the Cybersecurity Maturity Model Certification (CMMC).

“Cyberattacks targeting systems and data throughout the world are constantly increasing in both volume and sophistication. Our purpose is to safeguard the lives of American service members and its allies, and we understand that this purpose extends to the cyber battlefield as well. Therefore, we strive to take the same innovative approach to cybersecurity as we do with our firearms.”

— Jason Britton, IT Director, FN America

The Challenge

In 2016, the Department of Defense (DoD) announced a new cybersecurity requirement for DoD suppliers—DFARS 252.204-7012. This requires all companies that provide products and services to the DoD to implement NIST 800-171 cybersecurity controls within their IT systems. FN America promptly conducted a self-assessment to determine their compliance gaps and found issues they tried to correct themselves.

FN America’s IT leadership initially overcomplicated the process and implemented controls that were difficult to understand and implement. Like many other manufacturers, FN America’s shop floor also presented challenges and complexities to secure compared to development or service floors—sensitive information was often left exposed on unattended computers, and new procedures disrupted their productivity.

The Solution

When CMMC was first announced in 2019, FN America decided to rethink their approach to implementing NIST 800-171 to avoid their previous pitfalls of incorrectly interpreting the standard, with the goal of becoming one of the first companies to be CMMC certified. After a thorough search of the market for NIST 800-171/CMMC experts, they partnered with SysArc in early 2020 to provide CMMC Advisory Services, including Program Management of their CMMC Project. As a first step, SysArc provided a comprehensive NIST 800-171 gap assessment that identified FN America’s compliance gaps. From there, SysArc assisted with the SSP, POAM items, Policies & Procedures and Assessment preparation.

The Result

FN America’s early and consistent collaboration with the compliance experts at SysArc allowed them to secure their CMMC certification through the Joint Surveillance Voluntary Assessment Program (JSVAP), positioning them ahead of their competitors. Fewer than 100 companies worldwide have successfully navigated this process and achieved certification, making FN America a leader in their industry.

“FN America was successful in their compliance journey because they received a solid commitment of support from their overseas parent company, FN Herstal, and they were diligent about working through all of the requirements, no matter how challenging.”

— Bernhard Bock, SysArc CISO and CMMC Program Manager

Since completing certification and starting their program with SysArc, FN America is not only compliant with its customers’ requirements but is also more secure and has reduced its risk of a serious breach. Through this process, the company has become more committed to continuous improvement, with an ongoing effort to maintain high security standards and compliance moving forward. By improving the security of sensitive information, FN America can now better serve the warfighter and is doing its part to protect the DIB supply chain from bad actors.

Do you need help preparing for CMMC?

We’ve helped over 1,500 DoD contractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC. Through our many experiences, we’ve fine-tuned several solutions that enable our clients to prepare to achieve compliance faster and at a lower cost compared to other solutions that have been popping up in the market recently. If you need help preparing for CMMC, give us a call or request a consultation today.

Filed Under: CMMC

SysArc Helps Multinational Companies Build Microsoft GCC High Enclaves for Their U.S. Subsidiaries to Comply with CMMC

April 16, 2024 by SysArc

Large multinational companies with U.S.-based subsidiaries that provide products and/or services for the U.S. Department of Defense (DoD) are required to comply with the DoD’s cybersecurity regulation known as the Cybersecurity Maturity Model Certification, or CMMC. Because the regulation’s security controls require that access to Controlled Unclassified Information (CUI) be limited to U.S. citizens only, some multinational companies may face challenges designing their IT systems in a way that preserves their current technological and operational efficiencies while also enabling them to comply with cybersecurity regulations (CMMC, ITAR, etc.).

SysArc helps multinational companies overcome this challenge by building secure network Enclaves using GCC and GCC High, Microsoft’s secure government cloud offerings, for their U.S. subsidiaries. This article will explain what an Enclave is and how it can help multinational clients achieve CMMC compliance in the most cost-effective manner.

What is a Secure Enclave?

A secure Enclave is a separate network (domain), a subset of a larger network of users and workloads, that is segregated from the broader network infrastructure. The primary objective of establishing a secure Enclave is to confine internal access to specific datasets like CUI rather than protecting all data in the larger Corporate network. In other words, an Enclave limits the scope of what needs to be protected and therefore limits the associated costs and complexities of securing everything under the sun.

What are the Benefits of a GCC High Enclave?

A GCC or GCC High Enclave provides many important benefits including the following:

  • Reduced Financial Cost: Because the Enclave only needs to serve a segment of the overall network infrastructure, the financial cost associated with building and maintaining the resources within the segment is, in most cases, much lower than if those resources were deployed across the entire network. In short, because the resources required for the Enclave are smaller in scale, the costs are lower.
  • Easier Path to Compliance: An Enclave can be configured with many of the required security controls in mind, so once deployed you could be 75-80% compliant on day one.
  • Reduced Risk: Since the Enclave inherently reduces the amount of data, workloads and end-points to a smaller segment of the company, the cyber attack surface is reduced and the scope of proving compliance is much smaller.

Are You Considering An Enclave for Your Company?

If you’re considering using an Enclave to help your company save on the cost associated with meeting CMMC requirements, consider SysArc’s cybersecurity compliance team. Over nearly a decade, our team has helped thousands of companies in the U.S. Defense Industrial Base navigate the complexities of DFARS 7012, NIST 800-171, ITAR and CMMC. As a CMMC RPO, our expertise in GCC High Migrations and CMMC compliance preparation allows us to deliver effective solutions faster and at a lower cost than other providers in the space. To get started, request a consultation here.

Filed Under: CMMC, Microsoft Government Community Cloud

All DoD Contractors Should Be CMMC Ready Before Q1 2025. Here’s Why & How to Prepare

January 31, 2024 by SysArc

As we recently reported, the Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts.

The first phase, which is expected to begin in the 1st quarter of 2025, will require all companies who engage with the DoD to include their CMMC Level 1 or Level 2 Self-Assessments. The DoD also states that they reserve the right to enforce these requirements before this date and/or require companies to complete a CMMC Level 2 Certification Assessment instead of a Self-Assessment. The Certification Assessment is an assessment conducted by CMMC enforcement officials themselves.

The bottom line is that companies will need to have completed an assessment, either by themselves or by a certified third-party, like SysArc, by Q1 of 2025 in order to be considered for contract awards.

Why You Should Act Now

Because the CMMC assessment and readiness process can take 12 to 18 months (depending on system complexity) to complete, it is crucial that DoD contractors act as soon as possible if they have not already started the process. Companies who have already prepared may have a significant competitive advantage in the contract award process.

How to Prepare

There are two routes companies can take to prepare:

  1. Use In-House Resources: Companies with internal IT resources may be able to complete the CMMC Self Assessment themselves. The DoD has provided both CMMC Level 1 and Level 2 Self Assessment Guides that can aid in the process. Those can be found here.
  2. Hire a CMMC RPO: For those companies who lack the time and resources, a CMMC Registered Provider Organization (RPO), like SysArc, can perform a readiness assessment or a mock assessment for you and guide you through the process of preparing for all phases of the CMMC rollout. If this option sounds best for your organization, request a consultation here.  

How We Can Help

As a CMMC RPO, SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC since 2017. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD without delay. Our years of experience in supporting DoD contractor IT systems has made us a leader in the space, able to offer CMMC preparation faster and for less cost than other options on the market. Request a free consultation here.

Filed Under: CMMC

2024 CMMC Update: DoD Outlines 4 Phase Approach to Implement CMMC 

January 29, 2024 by SysArc

The Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts. The first phase is expected to begin in the 1st quarter of 2025, after the Office of Information and Regulatory Affairs (OIRA) approval, and conclude with the fourth phase expected around September 2027.

Please note: These dates reflect our expectations based on the information provided by the DoD. Therefore, these dates may change. We will update our site as soon as new information becomes available.

Phase Timeline: 

  • Phase 1 (1st quarter of 2025): Begins on the effective date of the CMMC revision to DFARS 252.204-7021.
  • Phase 2: Begins six months following the start date of Phase 1.
  • Phase 3: Begins one calendar year following the start date of Phase 2.
  • Phase 4: Full Implementation. Begins one calendar year following the start date of Phase 3.

Each Phase In Detail:

Phase 1 (1st Quarter of 2025):

The DoD plans to incorporate either CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a prerequisite for contract award in all relevant DoD solicitations and contracts. Additionally, DoD reserves the right, at its discretion, to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a condition for exercising an option period on contracts awarded before the effective date. Furthermore, DoD may choose, at its discretion, to replace CMMC Level 2 Self-Assessment with CMMC Level 2 Certification Assessment in applicable DoD solicitations and contracts.

Phase 2 (6 Months After Start of Phase 1):

In addition to the Phase 1 requirements, the DoD plans to incorporate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, making it a prerequisite for contract award. DoD retains the discretion to defer the inclusion of CMMC Level 2 Certification Assessment to an option period instead of making it a condition for contract award. Moreover, DoD may, at its discretion, introduce CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.

Phase 3 (1 Year After Start of Phase 2):

Building upon Phase 1 and 2 prerequisites, the Department of Defense (DoD) aims to mandate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, both as a requirement for contract award and for the exercise of an option period on contracts awarded before the effective date. Additionally, DoD plans to enforce CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a prerequisite for contract award. However, DoD reserves the right, at its discretion, to postpone the inclusion of CMMC Level 3 Certification Assessment to an option period rather than making it a condition for contract award.

Phase 4 (1 Year After Start of Phase 3):

This phase is full implementation. As such, the DoD will incorporate CMMC Program requirements into all relevant DoD solicitations and contracts, encompassing option periods for contracts awarded before the commencement of Phase 4.

Get a CMMC Readiness Assessment and Prepare Today

Many DoD contractors lack the resources to conduct their own assessment to effectively prepare for CMMC. That’s why many choose to outsource the task to a qualified CMMC consultant like SysArc. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD. SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC and would love to help you. Request a free consultation here.

Filed Under: CMMC

Final CMMC Rules Expected in June 2023

May 3, 2023 by SysArc

According to a Washington Technology article, the agenda of the White House’s Office of Information and Regulatory Affairs (OIRA) says that the Department of Defense (DoD) expects to release its final proposed rules on CMMC in June 2023. Since these rules will be open to the public for comment, we will likely see CMMC operational in 2024.

With that said, the time to prepare is now.

How to Get Prepared:

The following options are available for DIB suppliers:

  1. Meet requirements in-house: DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 and there is currently not a Self Assessment Handbook for NIST SP 800-171 Rev. 2. NIST has also made available a System Security Plan (SSP) template, and a template — two required documents for compliance.
  2. Get assistance from a CMMC RPO: If the contractor does not have the in-house expertise to meet the requirements of NIST SP 800-171, DoD contractors have the option of working with a third-party CMMC consultant, like SysArc, who offers CMMC compliance services. There are many qualified and experienced Managed Security Service Providers (MSSP) in the U.S. who specialize in compliance services and monitored cyber security for DoD contractors who need to implement NIST cybersecurity controls. A qualified MSSP will be able to perform this assessment and perform any remediation work necessary to pass a CMMC Audit. Look for MSSPs who have obtained CMMC RPO status and have qualified and experienced CMMC experts on staff. An updated list of verified RPOs by the CMMC Accreditation Body can be found here.

For more information on SysArc’s solutions for CMMC compliance, consider requesting a consultation here. Our team is happy to learn about your business and walk you through our process and associated costs to prepare for CMMC.

Filed Under: CMMC
