The Cybersecurity Maturity Model Certification is required for firms in the Department of Defense supply chain that handle Controlled Unclassified Information.
Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense framework that requires contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to certify against one of three levels (Foundational, Advanced, Expert). For CPA firms, CMMC becomes relevant if the firm serves defense contractors and accesses FCI or CUI as part of that work. CMMC Level 2 maps to NIST SP 800-171 and requires third-party assessment.
Most CPA firms do not need CMMC. The exception is firms that audit, do tax work for, or provide outsourced finance services to defense contractors and handle CUI in the process. If your firm receives proprietary contract details, technical specifications, or other CUI from clients, you may inherit a CMMC obligation. Check client contracts and DFARS 252.204-7012 flow-down clauses for triggers.
A structured list of all security controls your firm should have in place, mapped to regulatory requirements, with testing status and evidence.
A documented set of policies and procedures describing how your firm protects sensitive client data.
A practical framework that organizes security activities into six functions, useful as a structure for your WISP and risk assessment.