AG Grace, Inc’s Registered Practitioners have been in the security risk assessment  and audit industry for many years, in addition to being certified registered practitioners through CMMC-AB, they hold Certified Information System Auditor (CISA),  Certified Information System Security Professional Certifications (CISSP), Certified Risk and Information Systems Control (CRISC)  and Cyber Security Audit Certifications (CSA).  

They are trained in the CMMC Basic Methodology, are bound by the CMMC Professional Code of Conduct and can provide targeted CMMC awareness.  

They are ready to help you prepare for the CMMC- ML-1 through ML-5.  

If you are a FEDERAL CONTRACTOR then you know that….

Federal agencies routinely generate, use, store, and share information that, while not classified, still requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, contractual protections, or other reasons.

The Controlled Unclassified Information (CUI) Program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies. The National Institutes of Standards and Technology (NIST) released SP 800-171r2 and provides federal agencies with a set of recommended security requirements for protecting CUI when such information is resident in nonfederal systems and organizations.

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.

52.201-21 Basic Safeguarding of Covered Contractor Information Systems – If you are a federal government contractor and you process, store or transmit federal contract information you are required to protect and safeguard that information. 

Federal Contract Information (FCI) means any information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the Government but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. 


What is CMMC?  A unified cybersecurity standard for future DoD Acquisitions that consists of 17 Domains that have been taken from the Federal Information Processing Standards (FIPS) Publication 200 and the security control families from NIST SP 800-171 rev2, it also includes the 3 additional domains and includes 5 processes across five levels to measure process maturity levels.

The CMMC model framework organizes processes and cyber security best practices into a set of domains

The CMMC levels and the associated sets of processes and practices across domains are cumulative.  In order for an organization to achieve a specific CMMC level it must also demonstrate achievement of the preceding lower levels.   As a result the CMMC levels can also be characterized by their focus.

Level 1 –  Safeguard Federal Contract Information (FCI)

Level 2 –  Serve as a Transition step in cybersecurity maturity progression to protect CUI

Level 3 –  Protect Controlled Unclassified Information (CUI)

Level 4-5 – Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Cybersecurity Models help organizations

  • Provide services for their customers without interruption;
  • Protect sensitive customer and proprietary information; and
  • Comply with laws and regulations that govern their operations.
  • Provides a structure for organizations to baseline current capabilities in cybersecurity workforce planning, establishing a foundation for consistent evaluation
  • Management tool for leadership in identifying opportunities for growth and evolution

Why do you need a cybersecurity maturity model?

So that you can evaluate your Organizations current level of cyber hygiene via your processes, practices, methods and goals to achieve a secure environment in order to business with the DoD and to eliminate risk factors that can affect Cost, Schedule and Performance.

What type of Data do you process?    FCI, CUI or Both?

Which CMMC Maturity Level is Right for your Organization?