
Posted on 12-Jul-2020

Page 1

Between 2020 and 2026 every new contract procurement from the U.S. Department of Defense (DoD) will require prime contractors and the subcontractors throughout their supply chains to be independently certified at one of five Cybersecurity Maturity Model Certification (CMMC) levels as a condition of bidding.

The CMMC is intended to address the national security risk from what the DoD considers inadequate security of Controlled Unclassified Information (CUI) that is in place — especially at smaller companies — throughout the defense industrial base (DIB), whether or not they are U.S. based. Currently available tools and processes have not served the industry well enough.

Compliance is binary — organizations either pass 100% of the controls at the CMMC level assigned by their defense contracts or they are prohibited from participating.

NATIONAL SECURITY

HOW WE HELP

• Current state assessment of NIST 800-171 under DFARS

• Managing SSP and POAM to completion

• CMMC audit pre-assessment and maturity review

• Remediation support and pre-certification validation

• Ongoing maturity reviews and stress testing

SOLUTIONS

While CMMC enforcement may not officially begin for your organization and your contracts immediately, it can reasonably take several years of security transformation to achieve confidence with your level of maturity, while preparing for your formal certification. Spreading the cost of remediation over several years is prudent because preparation and compliance might entail new hiring, technology investments, advanced training programs, and a shift in security culture. Throughout the CMMC process your organization and all defense suppliers remain obligated under the DFARS Clause 252.204-7012 to continue self-attesting their compliance with NIST 800-171.

All DIB contractors and their supply chain partners should take immediate steps to understand their cybersecurity posture, identify and close their compliance gaps, and validate that they will be ready to successfully undergo third-party CMMC certification when their DoD contracts require CMMC compliance. Prime contractors should insist on tools that provide credible visibility into the compliance preparedness of their critical supply chain partners.

CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) SOLUTIONS

HARD FACTS…HARD DATES

“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense..., and then we can really start looking at our supply chain, where our most and greatest vulnerabilities lie...It’s going to take time, it’s going to be painful, and it’s going to cost money.”

— Katie Arrington, CISO, Office of the Undersecretary of Defense for Acquisition, at the October 2019 Intelligence & National Security Summit.

Page 2

Ankura’s CMMC team includes former chief information security, privacy and compliance officers at prime defense contractors, risk management experts, and former law enforcement, intelligence, and national security leaders, who have addressed threats to critical DoD assets, helped develop federal cybersecurity requirements, and understand the security priorities of the U.S. government.

THE ANKURA DIFFERENCE

Ankura’s CMMC experts help DIB clients proactively address their CMMC challenges. We integrate a scalable assessment tool to evaluate current NIST 800-171 and CMMC posture, create and accelerate clients’ Plans of Action and Milestones (POAM) to close gaps, and manage program and subcontractor risk and execution.

ABOUT US

Ankura is a business advisory and expert services firm defined by HOW we solve challenges. Whether a client is facing an immediate business challenge, trying to increase the value of their company or protect against future risks, Ankura designs, develops, and executes tailored solutions by assembling the right combination of expertise. We build on this experience with every case, client, and situation, collaborating to create innovative, customised solutions, and strategies designed for today’s ever-changing business environment. This gives our clients unparalleled insight and experience across a wide range of economic, governance, and regulatory challenges. At Ankura, we know that collaboration drives results.

© 2020 Ankura Consulting Group, LLC

We offer DIB prime and subcontractors a unique, purpose-built solution to assess and improve the status of core compliance obligations with NIST 800-171 and the impending CMMC requirements. Our team leverages this assessment platform to:

• Manage and integrate the workflow of DFARS and CMMC gap assessments

• Collect artifacts that validate findings and observations

• Design actionable remediation programs within budget

• Benchmark cybersecurity posture against others

• Develop remediation options, recommendations, and project plans

• Create technical, compliance, and risk management oversight reports

• Provide visibility to prime contractors into the security of their supply chains

CMMC MATURITY LEVELS

LEVEL   PROCESSES     PRACTICES                    FOCUS
1       Performed     Basic Cyber Hygiene          Basic safeguarding of FCI
2       Documented    Intermediate Cyber Hygiene   Transition step to protect CUI
3       Managed       Good Cyber Hygiene           Increasing protection of CUI
4       Reviewed      Proactive                    Reducing risk of APTs
5       Optimizing    Advanced/Progressive         Reducing risk of APTs

Levels 1–3: more than 99% of all DoD contracts*
Levels 4–5: fewer than 1% of all DoD contracts*
All levels must attest to DFARS 252.204-7012, including NIST 800-171.

*Per Katie Arrington, CISO, Office of the Undersecretary of Defense for Acquisition

CONTACTS

ALAN [email protected] +1.203.745.9057 Mobile

STEPHEN P. [email protected] +1.248.832.3808 Mobile

WAQAS [email protected] +1.571.338.1870 Mobile

SCOTT [email protected] +1.917.930.5300 Mobile