Cybersecurity Maturity Model Certification (CMMC)

Baker Tilly is a candidate CMMC Third-Party Assessor Organization (C3PAO), ready to help you achieve CMMC readiness or official assessment objectives.

    The impact of CMMC

    With the goal of protecting federal contract information (FCI) and controlled unclassified information (CUI) within the Department of Defense (DoD) contracting community, Cybersecurity Maturity Model Certification (CMMC) became a requirement for participation in some DoD request for information (RFIs) and request for proposals (RFPs) in 2020, ultimately expanding to include DoD procurement by fiscal year 2026 (FY2026). DoD contractors cannot afford to stand still as CMMC will apply to both prime and subcontractors.

    CMMC services

    By drawing on Baker Tilly's extensive cybersecurity, government contracting and technology risk experience, our CMMC services are designed to support organizations that are required to obtain their CMMC certification in order to big for and do business with the DoD.

    CMMC scope and level determination support

    Based on current CMMC guidance, we can help your organization think through the level and the scope for your CMMC requirement that stems from the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021. This could include evaluating if the commercial item exception applies and/or recommending how to best define your scope, and support your representations that CUI does not exist outside of that boundary. Additionally, we can help you determine when or how to use the enclave concept for separate scope.

    DoD assessment

    As you prepare for CMMC, you also need to comply with the DoD assessment requirements associated with DFARS 252.204-7019 and 7020. Baker Tilly can help you conduct your basic assessment against the National Institute of Standards and Technology (NIST) 800-171 requirements or prepare for a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment. Lastly, we can provide advice about how to load your scores to the DoD’s Supplier Performance Risk System (SPRS).

    CMMC gap assessment

    Using our extensive understanding of cybersecurity, NIST SP 800-171 and the requirements of the CMMC model, we help map your existing controls to the CMMC model, identify gaps between your controls and the CMMC model and provide recommendations for remediating those control gaps. This can be in a mock assessment or more advisory structure to suit your needs.

    CMMC remediation and documentation support

    If needed, our specialists can work with you to build a plan and close your existing gaps. We can help formalize your processes and controls, and document your compliance.

    CMMC business impact and readiness support

    CMMC will have impacts on your supply chain, bid and proposal and project-specific IT systems. Specifically, DFARS 252.204-7019 through 7020 includes requirements for flow down and validation of SPRS scores and CMMC levels. Leveraging our expertise and years of experience supporting contractors, we can help you think about and develop strategy to respond to issues such as risk assessment of teaming partners. This will ensure they are ready for CMMC so you can successfully bid, flow-down clause management, estimate cost implications and respond to RFP and RFI CMMC requirements.

    Cost allowability

    The DoD indicated they understand contractors will incur incremental costs to establish good cyber hygiene and compliance with new requirements. Our specialists will help you navigate within the appropriate frameworks of cost allowability and allocability.

    Entry or expanding your government contracting business

    If you are contemplating entering or expanding your government contracting business, we can help you determine gaps with CMMC (or to achieve a higher level of CMMC) and other DFARS, FAR and CAS requirements, as well as support your implementation of those process. We can also help you think about a strategy to increase your opportunities via GSA schedules or other programs.

    Certification assessments

    We are committed to supporting organizations with their official certification assessments. As an accredited C3PAO, Baker Tilly will complete assessments for certification for CMMC Maturity Levels 1 – 3. Principal and CMMC Services Leader Matt Gilbert was one of the first-certified provisional assessors and participant in the CMMC-AB working groups.

    “We are committed to helping government contractors meet all of their compliance requirements from CMMC, to the increasing supply chain risk management obligations under section 889 as well as the whole host of complex regulatory compliance, audit and other government oversight burdens.”
    Matt Gilbert, CMMC Leader

    Delivering CMMC readiness services remotely

    Our cybersecurity practice uses a variety of technology tools to streamline our service delivery model and make document sharing and requests seamless. Our specialists are well versed in methods for facilitating video conferences, teleconference calls and live, online document-sharing sessions to perform CMMC readiness services as efficiently as if we were live on-site. You can expect the same quality service, all while minimizing travel expenses and space constraints that can accompany on-site work.

    Baker Tilly is your partner in building a sustainable CMMC program

    • Access to more than 100 industry-fluent cybersecurity specialists
    • Access to government contracting expertise, including fluency with federal frameworks and regulations
    • Depth of experience in managing cybersecurity compliance-based programs