Know which of your third parties have the Log4j vulnerability Read more →

Vendor Risk Management for Federal Agencies

Superior visibility and insight into the cybersecurity of contractors and subcontractors

Get started now
Black Kite is now available on the GSA Marketplace!

What is Cmmc?

A new framework mandated by the federal government to characterize, measure, and reduce the cyber risk in digital supply chains. CMMC compliance will be required for any organization that wants to sell to the U.S. government, or is part of the U.S. government supply chain.

Comprehensive assessment process

Costly (manual)

Needs to scale across entire supply chain

What Does CMMC Mean for DoD Contractors?

Any vendor or contractor in the DoD supply chain will be required to meet CMMC compliance in order to continue working with the DoD. Contractors will require various levels of cybersecurity maturity. Requirements are relative to the supplier’s maturity level in the DoD supply chain depending on the CUI, or Controlled Unclassified Information, present.

CMMC Levels — Where Do You Stand?

The Cybersecurity Maturity Model Certification uses a simplified scoring system to identify an organization’s maturity and readiness, ranging from 1 and advancing to level 5. Each CMMC level builds on the last, with more prominent organizations within the DoD supply chain requiring more security and protection.

Learn how Black Kite can elevate your supply chain management by exposing unidentified risks.

Automating CMMC Compliance

Black Kite spans the entire vendor risk management process for CMMC compliance and Supply Chain Risk Management. Implemented parameters include:

C032: Risk Management Capability, including

  • RM.2.143 Remediate vulnerabilities in accordance with risk assessments
  • RM.3.146 Develop and implement risk mitigation plans
  • RM.5.155 Analyze the effectiveness of security solutions annually to address anticipated risks to the system and the organization based on current and accumulated threat intelligence

C033: Supply Chain Risk Management Capability, including

  • RM.4.148 Develop and update as required in order to manage risks associated with the IT supply chain

CMMC compliance levels are presented based on the correlation between Black Kite’s technical report and requirements from international standards such as ISO27001, NIST 800-53, NIST CSF and NIST-171. Organizations can continuously measure internal compliance, alongside compliance levels of subcontractors.


What to know about the Cybersecurity Maturity Model

Read Blog Post

Parse, Analyze, and Map results to CMMC Controls

Using the UniQuE Parser, upload vendor CMMC policies and process documents to:

  • Understand which CMMC controls are met and which need more work
  • Piece together existing gaps within the organization
  • Compile Request for Information/Proposal (RFI/RFP) information quickly, without having to review documents line-by-line

Execute the same operation for subcontractors, ensuring they meet the requirements under C033: “Manage supply chain risk”.

Example: Black Kite’s CMMC Maturity Level: 97%

The Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity in the Defense Industrial Base (DIB) aimed at measuring the maturity of an organization’s cybersecurity processes toward enhancing the protection of Federal Contract Information (FCI) and Controlled UnclassifiedInformation (CUI). The CMMC framework was developed in cooperation between the United States Department of Defense (DOD), DOD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the Defense Industrial Base (DIB) sector.

The mappings between the framework control items are intended to be an informative reference and do not imply or guarantee compliance with any laws or regulations. Users who have aligned their security program to one of these standards should not assume that by so doing they are in full compliance with the corresponding compliance standard.

Filter Level 1 Level 2 Level 3 Level 4 Level 5
Area Result Completed
Access Control 100% 85%
Asset Management 100% 50%
Audit and Accountability 100% 79%
Awareness and Training 100% 94%
Identification and Authentication (IA) 100% 100%
Incident Response 97% 100%
Maintenance 100% 67%
Media Protection 100% 100%
Personnel Security 97% 100%
Physical Protection 100% 67%
Recovery 100% 100%
Risk Management 100% 70%
Security Assessment 100% 100%
Situational Awareness 100% 100%
System and Communications Protection 98% 74%
System and Information Integrity 95% 85%


What is CMMC?

Why was CMMC created?

What is CUI?

What is a CMMC third party assessment organization (C3PAO)?

Who will perform third party assessments?

How will my organization become certified?

Will there be a self-certification process?

I am a sub-contractor on a DOD contract. Do I need CMMC certification?

How will I know what CMMC level is required on a contract?

How often does my organization need to be reassessed?

Ready to get started?