• Home
  • IT Risk Management & Compliance
    • CMMC Assessment & Preparation
    • NIST SP 800-171 / DFARS Compliance
    • FISMA Compliance
    • GDPR Compliance
  • Managed Cyber Security
  • Managed IT Services
  • Who We Are
    • Careers
  • Resources
    • CMMC 2.0 Updates Guide
    • CMMC News
    • CMMC Guide for DoD Contractors
    • NIST 800-171 Guide
    • DFARS Interim Rule Guide
    • DFARS Compliance Guide
    • FISMA Compliance Guide
  • Blog
  • Help Desk
  • Free Consultation
  • Contact Us

Support: 800-699-0925 Sales: 800-481-1984

SysArc

IT Company

  • Services
    • IT Risk Management & Compliance
      • CMMC Assessment & Preparation
      • NIST SP 800-171 / DFARS Compliance Solution
      • NIST 800-53 Compliance Solution
      • FISMA Compliance Solution
      • GDPR Compliance Solution
    • Microsoft GCC/GCC High Migration Services
    • Managed Cyber Security
    • Managed IT Services
    • Managed IT Services for Government Contractors
    • SOC Services
  • Who We Are
    • Careers
  • Resources
    • Latest CMMC News
    • CMMC Guide for DoD Contractors
    • NIST 800-171 Guide
    • DFARS Interim Rule Guide
    • DFARS Compliance Guide
    • FISMA Compliance Guide
  • Case Studies
    • FN America
    • Honeycomb Company of America, Inc.
  • Blog
  • Help Desk
  • Free Consultation

CMMC 2.0: Expectations and Timelines | Webinar with Exostar

June 22, 2022 by SysArc

SysArc recently contributed to an Exostar panel discussion entitled “CMMC 2.0: Expectations and Timelines” featuring SysArc CEO, Tim Brennan and Exostar’s Vice President of Strategy, Vijay Takanti. Streamed live on June 21st, 2022 — This webinar was recorded and is available to watch below.

In this webinar we discuss the following:

  • What obligations DIB contractors and subcontractors are still under today via DFARS 252.204-7012 (and DIBCAC Assessments at DoD discretion)
  • What is expected to happen once CMMC 2.0 is open to public comment, likely in March 2023 (and what that means in terms of compliance planning)
  • What we have heard Primes expect of their suppliers regarding assessment status and reporting
  • Challenges suppliers face today to maintain both compliance and business efficiency

Need Help with CMMC? SysArc Can Help

We are a Managed Security Service Provider (MSSP) that specializes in helping DIB suppliers protect their information systems and comply with the cybersecurity regulations from the Department of Defense. We’ve consulted over 1000 companies and helped them navigate the complexities of DFARS, CMMC, and NIST 800-171. 

To learn more about preparing for CMMC and how SysArc can help, please visit our CMMC guide here. If you’d like to speak with our team about your compliance needs, please feel free to give us a call or schedule a CMMC consultation. 

Filed Under: CMMC, DFARS

NIST 800-171 & CMMC 2.0 Non-Compliance: What’s the Risk? | Webinar with Exostar

May 3, 2022 by SysArc

SysArc recently contributed to an Exostar panel discussion entitled “NIST 800-171 & CMMC 2.0 Non-Compliance: What’s the Risk?” featuring SysArc CEO, Tim Brennan and GDIT CISO, Michael Baker. Streamed live on April 27th, 2022 — This webinar was recorded and is available to watch below.

In this webinar we discuss the following:

    • Threat Landscape: Cyber threats that exist today for DIB suppliers and why we all should be concerned.
    • Getting Prepared: SSPs, POA&Ms, SPRS scores and what DIB suppliers need to be doing now to be ready and compliant for upcoming compliance audits. 
    • DIBCAC Assessments: DCMA continues to conduct random DIBCAC assessments on suppliers to enforce DFARS 7019 & 7020.
    • Common Questions from DIB Suppliers:
      • What is Controlled Unclassified Information (CUI)?
      • Regarding CMMC Level 2, who will need a third-party assessment and who will need a self-assessment?
      • We are a small company, are the requirements scalable?
      • Has a firm timeline been set for the requirements to be validated by Tier 1 manufacturers and who is responsible for enforcing compliance?
      • What happens if I haven’t submitted an SPRS score yet?
      • Will my Prime check to see if I’m compliant
      • As a small business with few employees we use POA&Ms to create processes to be compliant with NIST. Is this an acceptable long-term solution?

    Need Help with CMMC? SysArc Can Help

    We are a Managed Security Service Provider (MSSP) that specializes in helping DIB suppliers protect their information systems and comply with the cybersecurity regulations from the Department of Defense. We’ve consulted over 1000 companies and helped them navigate the complexities of DFARS, CMMC, and NIST 800-171. 

    To learn more about preparing for CMMC and how SysArc can help, please visit our CMMC guide here. If you’d like to speak with our team about your compliance needs, please feel free to give us a call or schedule a CMMC consultation. 

Filed Under: CMMC

DCMA Continues Random DIBCAC Assessments on Suppliers to Enforce DFARS 7019 & 7020

May 3, 2022 by SysArc

DCMA LogoAs a Managed Security Service Provider (MSSP) for Department of Defense (DoD) contractors throughout the United States it is one of our missions to keep Defense Industrial Base (DIB) companies updated on DFARS requirements and the rollout of CMMC. This is so they can meet the DoD’s cybersecurity requirements and continue to offer their products and services to the department without any delays or surprises.

With that said, it is critical for DIB companies to understand that the Defense Contract Management Agency (DCMA) is currently conducting random DIBCAC assessments on company’s IT systems to enforce DFARS 7019 and 7020. For contractors who have either failed to start implementation of cybersecurity requirements or have put them on hold, we advise to have them completed immediately.  

What is the DCMA?

The DCMA provides contract administration services for the Department of Defense (DoD) and is an essential part of the acquisition process. The agency manages 250,000 contracts, valued at more than $3.5 trillion. DCMA makes sure DoD, other federal agencies, and partner nation customers get the equipment they need, delivered on time, at projected cost, and meeting all performance requirements.1

What is DIBCAC?

DCMA oversees the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC is a team of technology professionals that perform two primary missions:

  1. Assess DIB Supplier Cybersecurity: Assess DIB companies to ensure they are meeting contractually required cybersecurity standards. The team ensures contractors have the ability to protect controlled unclassified information for government contracts they are awarded.
  2. Establish & Expand CMMC Assessment Capabilities: The DIBCAC is also a member of the government team establishing the Cybersecurity Maturity Model Certification (CMMC) program to expand cyber assessment capabilities throughout the defense industrial base. 

Source: https://www.dcma.mil/News/Article-View/Article/2981222/tech-team-wins-cybersecurity-award/

What are DIBCAC Assessments?

DIBCAC assessments are essentially audits of DoD contractor systems to ensure they have implemented the security controls of NIST 800-171 as required by DFARS 7019 & 7020.

According to John Ellis, the Technical Directorate’s Software Division director at DCMA, the following are problems that they are seeing regularly with the audits they have completed so far:

  • Lack of Multi Factor Authentication (MFA)
  • Poorly written or non-existent policies
  • Lack of FIPS 140-2 validation for encryption solutions
  • Poorly designed/implemented network segmentation

If a DoD contractor fails to pass a DIBCAC assessment, they may be ineligible to provide their products and services to the DoD. Because these assessments are currently being conducted, it is essential that suppliers are prepared now. 

Where to Get Help & How to Prepare

The laws and requirements of DFARS and CMMC can be daunting for many DoD contractors  — especially those that lack the resources and knowledge to implement security controls themselves. As a DFARS and CMMC consultant, we help DoD suppliers navigate the complexities of the DoD’s cybersecurity policies and have a team of cybersecurity professionals to implement security controls on their behalf.

To learn more about how to prepare for CMMC, visit our CMMC preparation guide. Also, feel free to give us a call or request on consultation. Whether you’re a small or large company, we’re happy to discuss your unique situation and help you find the best path to preparing for a DIBCAC assessment.   

Filed Under: CMMC

What’s The Difference Between CMMC 1.0 and 2.0?

April 8, 2022 by SysArc

Summary of Key Updates from CMMC 1.0 to 2.0

Below is a summary of the key changes you need to be aware of when understanding the difference between CMMC versions 1.0 and 2.0. For an in-depth guide into CMMC 2.0 changes, see here.

  1. Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
  2. Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
  3. Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, leaving contractors only having to implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
  4. Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.

Diagram of the difference between cmmc 1.0 and 2.0

For more information about CMMC compliance and how to comply with CMMC 2.0, please read our CMMC Compliance Guide. If you have any questions about getting your organization in compliance, please don’t hesitate to give us a call or schedule a consultation.

Filed Under: CMMC

Who Needs to be CMMC Compliant?

April 4, 2022 by SysArc

DoD contractor handling CUI who will need to be cmmc compliant

All DoD contractors, like this machine shop, will need to achieve at least one level of CMMC Compliance. If they handle CUI, they’ll need to meet requirement for at least Level 2.

Every organization within the Department of Defense (DoD) supply chain—including prime contractors and subcontractors—will be required to achieve at least one of the levels of CMMC compliance. According to the DoD, the CMMC compliance regulations will impact over 300,000 organizations.

Does My Organization Need CMMC Compliance?

If your organization is one of the following, you will need to achieve CMMC compliance in order to hold and be awarded contracts by the DoD:

  • DoD prime contractors
  • DoD subcontractors
  • Any supplier within the DoD supply chain

Levels of Compliance

Depending on the amount and type of sensitive information your organization transmits, you’ll have to achieve one of 3 levels of CMMC compliance.

The DoD contract specifies which level of compliance an individual contractor must meet. For example, prime contractors may have to achieve Level 3 compliance while subcontractors may only be required to achieve Level 1.

Using the CMMC standards, organizations will be issued a score indicating the organization’s level of compliance. Each level requires you to comply with the previous level’s standards as well. The three levels are:

  • Level 1 Foundational: Basic Cyber Hygiene. Level 1 focuses on basic cyber hygiene requirements. There are 17 practices that need to be implemented from FAR 52.204.21.
  • Level 2 Advanced: DIB companies who send, receive and store controlled unclassified information fall into this category. There are 110 controls that must be implemented from NIST SP 800-171.
  • Level 3 Expert: This level is for DIB companies who send, receive and store information from the Defense Industry’s high-risk programs. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172.

CMMC 2.0 Levels

The CMMC Accreditation Body (CMMC-AB) is working to ensure that third-party assessments are available for contractors, subcontractors, and suppliers at each of the CMMC levels. In the meantime, organizations should consider working with a CMMC compliance consultant to prepare for their official audits because RPOs have gone through formal training, signed a code of ethics, and are more qualified and experienced than consultants that have not.

If you are interested in learning more about CMMC and the process for becoming compliant, please read our CMMC Compliance Guide. If you have any questions, don’t hesitate to give us a call or schedule a free consultation. Our team will be happy to help your organization navigate the complexities of compliance.

Filed Under: CMMC

How do I Become CMMC Compliant?

March 1, 2022 by SysArc

The process of becoming CMMC compliant can be broken down into three essential steps:

  1. Assess your IT infrastructure
  2. Remediate based on your assessment
  3. Get assessment by C3PAO

Let’s walk through each in more detail.

Step 1: Assess Your IT Infrastructure

IT professionals conducting a CMMC auditTypically the first thing you’ll need to do is conduct an assessment of your current IT infrastructure against the control framework that aligns with your desired CMMC Level. This is also called a gap analysis and is the basis for understanding what controls, processes and procedures need to be implemented to achieve compliance. Companies with the right resources will be able to conduct their own self-assessment, while some will need to outsource the assessment to a third-party, such as an CMMC Registered Provider Organization (CMMC RPO). Self-assessment resources can be found here and templates for System Security Plans (SSP) and Plan-of-action and Milestones (POA&M) can be found here and here, respectively.

Step 2: Remediate

The next step is remediation which involves the actual work to implement the controls, processes and procedures that are called out in the assessment. Again, companies with the resources may be able to perform the remediation work themselves, while others might consider utilizing an RPO. Even if a company does have the resources, an RPO will likely be able to do it faster and more efficiently.

Step 3: Get assessed by a C3PAO

For companies that need to meet CMMC Level 2 and 3, the last step to become CMMC compliant is to get an official assessment from a Certified Third-Party Assessor Organization (C3PAO). However, no assessments are currently being performed as the Assessors are being trained. The first assessments are expected to start in 2022.

When To Call In An Expert

If you are having trouble navigating the complexities of your self-assessment and/or developing an SSP and POA&M, it may be time to call in an expert to help. As one of the nation’s top CMMC experts, we’ve helped over 1000 DoD contractors get prepared for CMMC. Please feel free to request a consultation to speak with us about your challenges with CMMC, DFARS and NIST 800-171 and how we can help. Also check out our CMMC compliance guide for more information.

Filed Under: CMMC

Webinar: CMMC 2.0, NIST 800-171 & Current Threat Landscape

February 25, 2022 by SysArc

We recently presented in a webinar entitled, “CMMC 2.0, NIST 800-171 & Current Threat Landscape,” with the Small and Emerging Contracting Advisory Forum (SECAF).

In this webinar we discuss the following:

  • Important changes with the release CMMC 2.0 and what this means for you
  • DFARS 7012 and NIST 800-171
  • The current theat landscape for the DIB
  • Frequently Asked Questions from the community

Watch the webinar here:

Filed Under: CMMC

What is a CMMC assessment?

February 22, 2022 by SysArc

DFARS NIST SP 800-171 Self Assessment Handbook

DFARS NIST SP 800-171 Self Assessment Handbook Download

A CMMC assessment is the process in which a company’s IT network is assessed against the cybersecurity controls required for each specific level of CMMC compliance. The control frameworks for each level are as follows:

  • Level 1 Foundational: FAR 52.204.21
  • Level 2 Advanced: NIST SP 800-171
  • Level 3 Expert: NIST SP 800-172

When it comes to the subject of CMMC, the word “assessment” gets thrown around a lot. There are a few different versions of the CMMC assessment and it’s important to understand what each one is and the purpose it serves:

  1. Self-Assessment: These are assessments that are performed in-house by employees within the organization. The National Institute of Standards and Technology (NIST) has provided a self-assessment handbook for NIST 800-171 for companies that want to self assess. That can be downloaded here. There is no self-assessment handbook for FAR 52.204.21 or NIST 800-172.
  2. Assessment by a Registered Provider Organization (RPO): These RPOs are third-party consultants that conduct their own assessments of a company’s network so that they can help prepare the organization for an official assessment by a C3PAO. Technically, any Managed Service Provider (MSP) can perform CMMC assessments, however, we recommend that you choose an RPO since they’ve been audited by the CMMC-AB and are qualified to perform the task.
  3. Assessment by a Certified Third-Party Assessor Organization (C3PAO): These are the official assessments that are conducted during the certification process.

If you have additional questions about CMMC, check out our CMMC Compliance Guide, or give us contact us for a free consultation and to learn about how SysArc can help your company navigate the complexities of complying with DFARS, NIST 800-171 and CMMC.

Filed Under: CMMC

Who Provides CMMC Certification?

February 18, 2022 by SysArc

CMMC-AB LogoThe CMMC Accreditation Body (CMMC-AB) is the only authorized entity to choose third-party assessors (C3PAOs) who can give certification for CMMC.

Registered Provider Organizations (RPOs), like SysArc, can provide excellent tools and services to help the organization reach compliance standards, but they do not generally provide official assessments or certifications.

How the CMMC-AB Chooses Third-Party Assessors

The CMMC-AB is responsible for role alignment between the CMMC, the CMMC Assessment Body (CMMC-AB), and the CMMC Certification Body (CMMC-CB). The role alignment identifies which companies are performing what tasks within the CMMC process.

The assessment body evaluates all organizations that want to provide certification to ensure they are following the appropriate standards and there is no conflict of interest. The certification body then audits organizations that provide CMMC assessments and ensures they are correctly following assessment process guidelines.

Any person or organization wishing to provide CMMC certification must be approved by the CMMC-AB through this application process.

How to Schedule an Official Certification Assessment

The CMMC certification process is divided into two phases: the self-assessment or an assessment by a third-party consultant, and the official assessment. The self-assessment can be completed at any time, while organizations must wait until sometime in 2022 for their official assessment appointment since assessors are still in training.

One of the key steps in becoming a CMMC certified organization involves preparing for your official assessment during this period. Organizations Seeking Certification (OSCs) can prepare by working with a reliable CMMC Consultant to work towards compliance now.

If you are a DoD contractor and are wanting to learn more about how to prepare your organization for DFARS and CMMC, read our CMMC Compliance Guide or contact us for more information about how SysArc can help you meet DFARS requirements and prepare for CMMC.

Filed Under: CMMC

What Is the Difference Between DFARS and CMMC?

November 19, 2021 by SysArc

To understand the difference between DFARS and CMMC, it is helpful to know why the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) in the first place.

DoD SealThe DoD created CMMC as a “verification component” of the Defense Federal Acquisition Regulation Supplement (DFARS) law. What does “verification component” mean? When DFARS 7012 was originally passed, DoD contractors only needed to state that they implemented the cybersecurity controls of DFARS. Basically, implementation was based on trust. This resulted in a poor adoption rate within the Defense Industrial Base, which pushed the DoD to clamp down and create a verification mechanism to ensure DoD suppliers were in fact compliant with DFARS. While CMMC is still being rolled out, this verification mechanism will come in the form of 3rd party audits from CMMC Third-Party Assessor Organizations (C3PAOs).

In short, DFARS is the legal text for the cybersecurity requirements that all DoD suppliers must follow, and CMMC will be the verification mechanism for ensuring that it’s actually being implemented.

With the new CMMC 2.0 model, not all DoD Contractors will be subject to a 3rd party assessment — only ones that are working on what the DoD calls “prioritized acquisitions.” Some will only be required to perform a self-assessment and affirm their compliance annually. The DoD has not yet announced how it will prioritize acquisitions.

Still, with the Department of Justice (DOJ) announcement that it will start pursuing government contractors who falsify cybersecurity affirmations, it is imperative that contractors have the documentation and evidence to back up their affirmation of compliance, even if they will not be assessed by a C3PAO.

If you are a DoD contractor and are wanting to learn more about how to prepare your organization for DFARS and CMMC, read our CMMC Compliance Guide or contact us for more information about how SysArc can help you meet DFARS requirements and prepare for CMMC.

Filed Under: CMMC

« Previous Page
Next Page »

CMMC/DFARS Compliance Solution for Primes & Subcontractors

We’ve helped over 500 DoD Prime & Subcontractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC.

Large Prime Contractor Solutions:

  • - Supply Chain Risk Assessments
  • - Business Unit Readiness Assessment
  • - Cyber Compliance Remediation Services

SMB Supplier Solutions:

  • - CMMC Readiness Assessments
  • - Remediation Services
  • - Cyber Compliance as a Service

To speak with our team about your company’s needs or the needs of your suppliers, give us a call or request a consultation online now:

(866) 583-6946
or fill out the form below:

  • This field is for validation purposes and should be left unchanged.

Services

  • Managed Cyber Security
  • IT Risk Management & Compliance
  • Cybersecurity Maturity Model Certification (CMMC) Assessment & Preparation
  • NIST SP 800-171 / DFARS Compliance Solutions for DoD Contractors
  • Managed IT Support
  • Managed Cloud
  • Backup & Disaster Recovery
  • VoIP

12300 Twinbrook Pkwy
Suite 500
Rockville, MD 20852

Sales: 800-481-1984

Customer Support: 800-699-0925 ext. 1

Quick Contact

Contact Us

CMMC RPO Badge

Navigation

  • Home
  • Services
  • Who We Are
  • Help Desk
  • Blog
  • Case Studies
  • Free Consultation
  • Careers
  • Contact Us

Follow Us

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

Featured Posts

Latest Posts

Client Case Study: CMMC Compliance for Honeycomb Company of America, Inc.

Driving Efficiency: How SysArc is Helping Companies Achieve CMMC Compliance

How SysArc Helped FN America Pass the Joint Surveillance Voluntary Assessment Program (JSVAP) with a Score of 110 

SysArc Helps Multinational Companies Build Microsoft GCC High Enclaves for Their U.S. Subsidiaries to Comply with CMMC

XDR: SysArc’s Answer to Modern Cyber Attacks

EDR vs. XDR: Understanding the Key Differences

SysArc © 2025. All Rights Reserved. Powered by Lemonade Stand. | Privacy Policy

Are Your Resources Constrained Prepping for NIST 800-171 and CMMC?

SysArc can reduce the burden on your compliance team by outsourcing some of the steps to our team of experts.


Large and Mid-Size DoD Primes are working with SysArc experts on:

  • • Readiness Assessments
  • • SSP Creation
  • • POAM Remediation
  • • Program Oversight & Management
  • • Policies and Procedures Development
  • • GCC High Migrations
  • • Post M&A Integrations
  • • Network Hardening
  • • MFA Implementation and more

 

As a CMMC RPO with years of experience in DoD supply chain risk management, SysArc is able to solve some of the more challenging compliance problems.

Get Started Now:

Call: (866) 583-6946 Schedule a CMMC/DFARS Consultation