CMMC Compliance Services
Achieve CMMC compliance to protect sensitive information and enhance your cyber security posture
LRQA experts are CMMC Registered Practitioners (RPs) registered with the CMMC Accreditation Body
Developed by the U.S. Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a cyber risk management model that measures how fully an organization has implemented a defined set of security practices, graded against maturity levels (three in the current CMMC 2.0 model; the original 2020 model defined five). CMMC compliance is required for companies in the DoD supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Our certified CMMC Registered Practitioners are ready to deliver tailored, actionable guidance and strategies to help you achieve compliance.
Award-winning expertise
Our cyber security team continues to achieve multiple vendor certifications, highly respected industry accreditations and international accolades, demonstrating the breadth, depth and impact of their services.
Our Approach to CMMC Services
Establish a program
We take a methodical approach that breaks CMMC compliance down into milestones.
Set objectives
We help identify the level your organization must target. The level is dictated by the information you handle and the CMMC clause in your contracts rather than chosen freely, and it determines the scope of everything that follows, so it is important to fix that goal clearly upfront.
Leverage existing practices
We map your existing practices to NIST SP 800-171 so that the output of prior assessments against that framework, including an existing System Security Plan, counts toward your CMMC effort rather than being repeated.
Identify gaps
We identify gaps in your documentation, update it where needed, and notify the appropriate parties of the resulting changes to policies and procedures.
Our certified CMMC Registered Practitioners are ready to help
We want governance and compliance to be a strategic asset for your organization and that means delivering proactive advice and guidance that is tailored to your organization.
Our experts are CMMC Registered Practitioners (RPs) registered with the CMMC Accreditation Body (CMMC AB). RPs cannot issue a certification, but they can conduct CMMC pre-assessments modelled on the official CMMC assessment (which is carried out by a Certified Third-Party Assessment Organization, or C3PAO).
After taking the time to get to know your organization and understand your priorities, our CMMC experts partner with you through the following phases to help you prepare for your assessment and achieve CMMC compliance:
Gap analysis
We identify where you are doing well and where you need help based on the maturity level that you seek to achieve. This includes a series of interviews and a review of documentation and evidence.
Reporting
We consolidate all our findings into a single gap analysis and practical compliance roadmap report. This includes recommendations on practice improvements and remediation activities in a format consistent with a Plan of Action and Milestones (POA&M). The report is written for both executive leadership and operational team members.
Strategy and remediation
We support project management of the remediation program, consult on the most effective corrective measures to meet requirements and report on the progress to senior management and executive stakeholders. As a world-leading cyber security organization, we also have experts capable of fulfilling any roles where you may need support.
Pre-assessment
We conduct a full-scope CMMC pre-assessment that directly reflects the approach and techniques that the C3PAO will utilize. We then issue a comprehensive report that identifies any CMMC practices and process requirements that are not fully met and offer recommendations on addressing each deficiency.
Audit preparation and management
We oversee the remediation of any remaining deficiencies identified in the pre-assessment. We will track progress, advise on when you are ready for an official assessment and organize evidentiary material so that the C3PAO assessor can find the required information efficiently.
During the audit, we support or manage your response to the audit by attending the assessment kick-off meeting, walking the assessor through the structure of the evidence repository and identifying relevant stakeholders and subject matter experts. We also coordinate the scheduling of assessor interviews and prepare stakeholders to respond to assessor inquiries.
Why work with us?
Specialist expertise
Our cybersecurity experts hold multiple vendor certifications and accreditations as well as highly respected industry accreditations from CREST, the PCI SSC, ISC2, BCI, BCS (The Chartered Institute for IT) and NCSC CHECK.
Industry leadership
We lead and shape the industry on advisory boards and councils including the PCI SSC Global Executive Assessor Roundtable and CREST councils in the Americas, Asia, EMEA and the UK. We are certified by a range of governing bodies, including the payment card industry, where we are an approved PCI Qualified Security Assessor (QSA).
Everywhere you are
Operating in over 55 countries, with more than 250 dedicated cyber security specialists and over 300 highly qualified information security auditors across the world, we can provide a local service with a globally consistent dedication to excellence.
Award winners
We have been recognized for the breadth and depth of our services – including the TEISS Award for Best Penetration Testing Service in 2024, Enterprise Threat Detection and Cloud Security awards at the Security Excellence Awards 2024 and the Stratus Award for Best Managed Cloud Security Service.
FAQs
What is CMMC?
CMMC is a cybersecurity assessment framework developed by the U.S. Department of Defense to verify that suppliers protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The current model (CMMC 2.0) organizes its requirements into 14 domains and three levels; the original 2020 model had 17 domains and five levels. Level 1 draws its requirements from the basic safeguarding clause FAR 52.204-21, Level 2 from NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172. CMMC builds upon NIST SP 800-171 and offers a higher level of assurance than self-attestation because Level 2 (for most contracts) requires an assessment by a Certified Third-Party Assessment Organization (C3PAO) and Level 3 an assessment by the DoD itself.
What level of maturity does my organization need to achieve?
The information a supplier will handle determines the level it must meet, and the required level is specified in the contract. Under the current three-level model, projects involving only FCI require Level 1, which is met by an annual self-assessment against the 15 requirements of FAR 52.204-21. Projects involving CUI require Level 2, which covers all 110 requirements of NIST SP 800-171 and, for most contracts, must be verified by a C3PAO assessment every three years (a self-assessment is permitted for a limited set of contracts). Level 3 applies to CUI in programs at the highest risk from Advanced Persistent Threats (APTs); it adds requirements drawn from NIST SP 800-172 and is assessed by the DoD rather than a C3PAO. Older guidance based on the original five-level model placed CUI at Level 3 and reserved Levels 4 and 5 for APT-level risk.
The DoD is phasing CMMC into contracts over several years rather than switching it on at once: early phases require self-assessments, later phases add C3PAO-assessed Level 2 and then Level 3 as conditions of award, until every contract involving FCI or CUI carries the appropriate requirement. The CMMC Accreditation Body (CMMC AB, now The Cyber AB) does not set this schedule; its role is to accredit C3PAOs and to register practitioners and provider organizations.
Who carries out a CMMC assessment?
Third-party CMMC assessments are carried out by Certified Third-Party Assessment Organizations, or C3PAOs. A C3PAO conducts the certification assessment, determines whether each requirement is met, and submits the results to the DoD, which records the supplier's certification status. The CMMC AB accredits the C3PAOs themselves.
CMMC Registered Provider Organizations (RPOs) do not conduct official assessments; they are registered with the CMMC AB to provide advisory services, including pre-assessments modelled on the official CMMC assessment. LRQA is an RPO and as such offers a range of services from gap analyses to pre-assessments and full-scope CMMC implementation support. We can also help to manage your assessment with a C3PAO.
The world leader in CREST accreditations
We are proud to be the only organization in the world with a full suite of accreditations from The Council of Registered Ethical Security Testers (CREST).
Our team of consultants has achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. We were also the first organization to be CREST accredited for Security Operations Centre services.