Dox First to Achieve RPO Status in Rochester

CMMC Accreditation Body Recognizes Dox

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has announced Dox as the first IT and cybersecurity company in Rochester, New York, to achieve Registered Provider Organization (RPO) status. This is a major coup for the business that started as a small mom and pop launched from a garage in 1982.

As a CMMC RPO, Dox is recognized as having registered practitioners on staff who have received the required basic CMMC-AB training and adhere to the CMMC-AB Code of Professional Conduct.

What that means for manufacturers and other businesses working with the United States Department of Defense (DoD) is that Dox can provide advice, consulting, and recommendations to move them toward CMMC certification, which is now required for all DoD contracts. Additionally, DoD contracts require a flow-down model in which subcontractors must also achieve CMMC certification.

A New Regulation

The Cybersecurity Maturity Model Certification (CMMC) is the latest effort by the U.S. government and DoD to adequately secure proprietary government data. Government data being utilized and/or developed by vendors with contracts or subcontracts through the U.S. DoD and the National Aeronautics and Space Administration (NASA) requires some of the best cybersecurity available. This is why CMMC certification is now required for businesses and manufacturers working with the U.S. DoD.

Several drafts of the CMMC were publically released and public comment was requested. The DoD took into account public feedback and issued CMMC v1.0 on Jan. 31, 2020. While DFARS 252.204-7012 and NIST SP 800-171 are government regulations that require certain cybersecurity efforts by vendors, the requirements of DFARS 7012 and NIST 800-171 could be completed following the award of a contract and utilize a self-assessment and attestation process. The relatively new CMMC certification requires that certain cybersecurity policies, procedures, and controls be implemented prior to the award of a contract as certified by a Certified Third-Party Assessment Organization (C3PAO).

CMMC Certification

The Office of the Undersecretary of Defense (OUSD) recognizes that security is foundational to the Defense Industrial Base (DIB) and the implementation of CMMC certification is meant to enhance the protection of controlled unclassified information (CUI) within the supply chain.

The CMMC-AB has reviewed and combined cybersecurity standards and best practices from a variety of organizations to implement the CMMC certification requirements. The accreditation body has mapped 260 controls and processes across five maturity levels that range from basic cyber hygiene to advanced certification.

“For each CMMC level, the associated controls and process, when implemented, will reduce risk against a specific set of cyber threats,” according to the Office of the Under Secretary of Defense for Acquisition & Sustainment website. The CMMC effort builds upon existing regulations including DFARS 252.204-7012 with the goal of CMMC certification to be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.”

Primary & Secondary Contractors

In addition to the requirement of CMMC certification being achieved by the primary contractor, the OUSD also requires flow down of the requirements to all subcontractors regardless of their size or function for DoD contracts.

There are five levels of certification for CMMC. The government will determine which level is required for each contract being administered. The required CMMC level will be contained in the sections L and M of the requests for proposals (RFP) making cybersecurity an “allowable cost” in DoD contacts. The higher the level of CMMC certification a business achieves, the more contracts it will be eligible to bid for.

Government contractors and subcontractors are now expected to achieve CMMC certification to apply for new DoD contracts. Vendors will see cybersecurity requirements included as part of the new requests for information (RFI). This is typically one of the first steps in awarding new defense contracts so industries such as aerospace and manufacturing need to move toward CMMC accreditation as quickly as possible to be eligible for new DoD contracts. Businesses working with DoD contracts will be required to be certified at the designated CMMC level or will risk losing future contracts.

Registered Provider Organization

As a CMMC Registered Provider Organization (RPO), Dox provides consulting services for the CMMC model but does not conduct certified assessments. Dox employs staff trained in basic CMMC methodology. Registered practitioners on the Dox staff provide non-certified consultative services and are bound by a professional code of conduct developed and implemented by the CMMC-AB.

As an RPO, Dox provides valuable CMMC assessment preparation services and can refer clients to a C3PAO for assessment in order to achieve certification. Dox practitioners have passed an organizational background check. The CMMC-AB Registered Seal tells companies seeking CMMC certification that Dox practitioners have a basic understanding of the CMMC requirements including the requirements to achieve CMMC accreditation.

With the CMMC-AB still working through the process for certification, the pass-fail system, and re-assessment, it behooves organizations seeking CMMC accreditation to begin the process by working with an RPO such as Dox. This will allow potential DoD and NASA contractors and subcontractors the opportunity to get their proverbial ducks in a row before spending the money on the certification process with a C3PAO until the organization is truly prepared.

For more information about the CMMC requirements, consulting services, and accreditation, contact Dox now at (585) 473-7766. Let Dox help your company move toward CMMC certification today!