BeyondTrust delivers Privileged Remote Access and Remote Support solutions that are FedRAMP authorized, enabling government contractors to efficiently align with key requirements of CMMC 2.0.
The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to assess existing DoD cybersecurity requirements. It was created to strengthen cybersecurity across the defense industrial base (DIB) and better safeguard DoD information amid increasingly frequent and complex cyberattacks.
The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.
Key features of the CMMC Program:
Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
Assessment Requirement: CMMC assessments allow the DoD to verify DIB implementation of existing cybersecurity standards.
Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.
The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.
Requirements:
Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
Requirements:
Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.
Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.
Requirements:
Achieve CMMC Status of Final Level 2.
Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
CMMC Status | Source & Number of Security Requirements | Assessment Requirements | Plan of Action & Milestones (POA&M) Requirements | Affirmation Requirements |
|---|---|---|---|---|
| Level 1 (Self) | ||||
Level 1 (Self) | [check] 15 required by FAR clause 52.204-21 | [check]Conducted by Organization Seeking Assessment (OSA) annually | [check] Not permitted | [check] After each assessment |
| Level 2 (Self) | ||||
Level 2 (Self) | [check] 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012 | [check] Conducted by OSA every 3 years | [check] Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days | [check] after each assessment and annually thereafter |
| Level 2 (C3PAO) | ||||
Level 2 (C3PAO) | [check] 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012 | [check] Conducted by C3PAO every 3 years | [check] Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days | [check] After each assessment and annually thereafter |
| Level 3 (DIBCAC) | ||||
Level 3 (DIBCAC) | [check] 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012 | [check] Pre-requisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment | [check] Permitted as defined in § 170.21(a)(3) and must be closed out within 180 days | [check] After each assessment and annually thereafter |
"BeyondTrust Remote Support was the right product for Ariento because it achieved the cyber compliance requirements from the DoD, specific to DFARS and CMMC, in terms of our ability to service our defense contractor customers."
—Chris Rose, Partner & CEO at Ariento
CMMC Domain | Practice | BeyondTrust CMMC Capabilities |
|---|---|---|
Access Control (AC) | AC.L2-3.1.1 / 3.1.5 / 3.1.12 | Enforces least privilege, RBAC, and secure remote access |
Audit & Accountability (AU) | AU.L2-3.3.1 / 3.3.3 | Logs all privileged activity and enables audit review |
System & Communications Protection (SC) | SC.L2-3.13.1 / 3.13.8 | Encrypts and monitors all remote session traffic |
Identification & Authentication (IA) | IA.L2-3.5.2 | Supports per-session MFA and identity verification for all access |
Incident Response (IR) | IR.L2-3.6.1 / 3.6.2 | Enables incident response capabilities, threat detection, logging, and reporting |
Risk Management (RM) | RM.L2-3.11.2 | Integrates with vulnerability scanning and analytics |
Configuration Management (CM) | CM.L2-3.4.6 | Enforces minimal access and functionality policies |
"[Remote Support] makes our support staff's lives a lot easier. Our customers like it as well, and are more satisfied in terms of our responsiveness and ability to meet their service demands quickly."
—Chris Rose, Partner & CEO at Ariento
"On average when we need to connect to a computer, it takes seconds [with Remote Support], whereas before, it would take minutes just to coordinate and get everything scheduled—a lot of back and forth...the main ROI is in time savings."
—Chris Rose, Partner & CEO at Ariento
