Cybersecurity Maturity Model Certification

What Services Does Booz Allen Offer?

CMMC Readiness (RPO)

To help organizations prepare for their C3PAO certification visit, we offer a wide array of readiness services. Our highly trained CMMC-AB certified Registered Practitioners have years of assessment experience and deep expertise in regulatory compliance. One size does not fit all, so we tailor engagements to meet the client’s specific needs, challenges, and unique environment.

We often begin with a CMMC readiness review. We examine required CMMC program documentation (e.g., system security plan), verifying required elements (i.e., system boundaries, operating environment, connections, and practice implementation). We use the same CMMC Assessment Guides a C3PAO will use to review your implementation of the practices to ensure all the assessment objectives are accounted for in the SSP. Additionally, we can review the organization’s artifacts (e.g., policies, procedures) that will be used as evidence to demonstrate the successful implementation. Additional readiness assessment services include:

  • Identify areas that need improvement (gap analysis)
  • Provide actionable steps to close gaps identified during the pre-assessment (roadmap)
  • Create a system security plan
  • Review or create a Plan of Action and Milestones
  • Provide Supplier Performance Risk System scoring

Booz Allen knows CMMC readiness is more than just achieving compliance by implementing controls. Defense Industrial Base members need to understand the Defense Federal Acquisition Regulation Supplement requirements, train their workforces, implement supply chain and “flow down” requirements, and mark and disseminate controlled unclassified information in accordance with applicable laws, policy, and contract requirements. Additionally, there are questions on how an organization will maintain its compliance through the development of governance and continuous monitoring programs. We can provide expert advice on these and other issues.

Booz Allen stands above its competitors because of our ability to bring experts to solve the hardest problems related to the CMMC domains. Examples include:

  • Experts in our best-in-class Incident Response Capability ensure your organization’s incident response program is optimized and can fully meet the requirements in CMMC’s Incident Response and Recovery domains.
  • Booz Allen’s Managed Threat Services have the National Security Agency Cyber Incident Response Assistance (NSA CIRA) accreditation and possess deep expertise in the CMMC’s Access Control, Audit & Accountability, System and Information Integrity domains.
  • Our Operational Technology (OT) Solutions team ensures you’re ready when CMMC requirements expand beyond the information technology space and into your OT environments.
  • Booz Allen’s Cloud Solutions experts can ensure that your implementation of the CMMC practices is done correctly in your private or public cloud infrastructure.

Whatever the challenge is, Booz Allen’s RPO capability can take your CMMC program to the next level and make sure you’re ready for your C3PAO assessment.

CMMC Assessment (C3PAO)

Booz Allen has extensive experience providing secure solutions to government and commercial clients. As a C3PAO, we offer the following services: 

  • Pre-Assessment identifies preparedness for an official CMMC assessment. Conducted in the same manner as an official CMMC assessment with a certified provisional assessor (PA), the pre-assessment evaluates each practice and process to determine compliance with CMMC standards and in accordance with the CMMC assessment guides. Once complete, Booz Allen provides a pre-assessment report outlining findings and overall organizational preparedness (prepared/not prepared).
  • CMMC assessment achieves certification. This assessment follows the CMMC-AB Assessment Guide to determine the satisfaction and maturity for each practice and process using the CMMC verification criteria. Booz Allen provides a CMMC assessment report and if there are no deficiencies, we’ll issue the appropriate CMMC certificate to your organization for the specified certification boundary. We’ll also submit a copy of the assessment report and CMMC certificate to DOD.

Booz Allen will be ready to fulfill its C3PAO role to conduct CMMC assessments once final rulemaking is finalized. We have built a team of expert assessors who have all been qualified by CMMC-AB.  In addition to CMMC training, our team has significant assessment experience and qualifications in similar compliance areas (e.g., the Federal Risk and Assessment Management Program, the Federal Information Security Modernization Act, the Department of Defense's Risk Management Framework, National Information Assurance Partnership certification).

While the rulemaking efforts are ongoing, organizations can get ahead now:

  • Voluntarily undergo the new CMMC 2.0 Level 2 certification. DOD plans to offer incentives to companies willing to undergo Level 2 certification.
  • Implement NIST 800-171 standard across the organization. The Pentagon plans to suspend its CMMC pilot efforts and will not include CMMC requirements in any contracts until the rulemaking efforts are completed. However, organizations complying with NIST 800-171 will continue to be evaluated favorably.
  • Define policies and procedures. CMMC 2.0 eliminates many documentation requirements associated with the maturity processes at Level 3 and above in v1.2. However, the policies and procedures will continue to play an important role in NIST 800-171 as well as CMMC 2.0.
  • Self-Attest. Department of Justice (DOJ) announced an intent to hold entities or individuals accountable that knowingly misrepresent their cybersecurity practices.

For more information or questions, contact our C3PAO team at [email protected].

Why Booz Allen?

  • Worked closely with the federal government to establish and refine the new CMMC framework from the beginning
  • Trusted advisor to DOD with our experts working at the Under Secretary of Defense for Acquisition and Sustainment, the Pentagon's CMMC epicenter, to help guide its rollout
  • Fully accredited RPO and provisional C3PAO
  • Proven expertise in all 14 CMMC domains
  • Accomplished leader in consulting and assessing secure and compliant government and private-sector solutions for commercial clouds and information systems
  • Comprehensive services that help businesses comply with CMMC regulations and improve their cybersecurity and safety

To get started on your CMMC journey, contact us.

1 - 2 of 2

Contact Us

Get more information about cybersecurity solutions or to speak with our experts.