CMMC preparation

New cybersecurity standards required for Department of Defense contractors

New guidelines mandate all DOD suppliers earn CMMC certification beginning in 2025. Learn more about the CMMC and action you need to take.

The Department of Defense (DOD) is transitioning away from self-assessments to a more structured approach relying on the Cybersecurity Maturity Model Certification (CMMC) standard and certified assessments. In 2020, the DOD released the initial version of CMMC. The guidelines mandate that all DOD suppliers – both prime and subcontractors – need CMMC certification by 2025 to participate in contract opportunities.

CMMC preparation action steps

Contractors need to do the following to prepare for CMMC certification:

  • Determine the appropriate maturity level of the CMMC based on the organization’s situation;
  • Identify gaps in current cybersecurity processes and practices relating to the targeted CMMC maturity level;
  • Ensure the necessary cybersecurity practices are performed in accordance with the CMMC requirements;
  • Document the policies and practices required to pursue contracts with higher CMMC maturity level requirements; and
  • Demonstrate planning and management of the activities necessary to implement the cybersecurity practices required for contracts with higher CMMC maturity level requirements.

Signs you may need assistance

Whether an organization is relatively new to this area or an experienced contractor, the various levels of the CMMC present risk to most contractors. An organization may need assistance if any of the following apply:

  • The contractor is unsure of how to comply with the CMMC.
  • The contractor has not established cybersecurity practices that comply with the CMMC's Level 1 maturity.
  • The contractor needs to establish and publish policies and practices for each domain in accordance with moving through the CMMC’s Level 2 maturity.
  • The contractor is interested in showing their commitment to the CMMC by progressing to Level 3 maturity and managing their cybersecurity risk.

AGH designated as a Registered Provider Organization by CMMC Accreditation Body

As a Registered Provider Organization (RPO), as designated by the CMMC Accreditation Body, AGH’s team of Registered Practitioners can assist contractors in preparing for the CMMC assessment. AGH can help identify gaps between a contractor's current processes and practices and those required by the CMMC, along with helping document those processes and practices in accordance with the CMMC. AGH professionals can also help contractors advance their cybersecurity processes and practices in anticipation of bidding on contracts that will require higher CMMC maturity levels.

AGH is currently the only RPO in the State of Kansas. AGH’s cybersecurity professionals have the proven experience and knowledge to help distill complex frameworks into specific actions. Like the DOD, AGH understands the value and importance of small- and medium-size contractors and the unique cybersecurity situations they face.

Get started today to remain a valued DOD contractor

Given the critical nature of this new DOD requirement, contractors should begin evaluating their certification readiness. AGH can help. Preparing for CMMC certification will take time but working with AGH’s experienced professionals will help ensure the process is effective and resources are used efficiently.

Ready to get started? Contact Brian Johnson using the information below.

Brian Johnson

Senior Vice President
Technology Services

Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.

Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).

Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.

Information security is more than technology, it requires educated staff.
See how we can help identify and mitigate your security vulnerabilities.