High Contrast

Events
Subscribe
Contact RSM

Cybersecurity Maturity Model Certification advisory services

Supporting government contractors throughout their CMMC compliance journey

Contact our CMMC team

Defense contractors and the entire government contracting supply chain are facing complex cybersecurity regulatory expectations, made increasingly complicated by external threat actors attempting to gain unauthorized access to controlled unclassified information (CUI) and other federally regulated sensitive data. In response to the increased need for adequate protection, the Department of Defense (DOD) released the Cybersecurity Maturity Model Certification (CMMC) to enhance and enforce cybersecurity expectations across the defense industrial base (DIB).

RSM offers an array of services designed to help government contractors at any stage of their CMMC compliance journey. Our advisory services are tailored to each organization seeking certification (OSC) to assist with defining, implementing and maintaining their compliant environment.

Explore our 4 critical stages of a CMMC compliance journey

Line Illustration of policy papers

Advise

Preparing you for the CMMC journey and how to achieve compliance

Line Illustration of a mobile phone and laptop

Implement

Protecting CUI and other federally regulated data to meet CMMC requirements

Line Illustration of people talking

Manage

Supporting and maintaining your CMMC environment to retain certification

Line Illustration of a medal

Certify

RSM is an authorized CMMC Certified Third-Party Assessment Organization (C3PAO)

Preparing for the CMMC journey

We know that achieving and maintaining compliance with the CMMC requirements can be challenging. Our advisory services help contractors identify their compliance obligations and validate the flow of CUI internally and externally while minimizing the scope and rightsizing their cybersecurity program. Related services we offer include:

Data identification
Data identification under magnifying glass illustration

CUI identification and boundary definition

Our team assists organizations with identifying the collection, use, processing and storage of CUI. This includes determining the flow of CUI and guiding OSCs in customizing their authorization boundary or rationalization to reduce overlapping applications.

Readiness
Readiness hourglass illustration

Readiness/gap assessment

In this point-in-time assessment, we identify operational and technological gaps and improvement opportunities across the governance model (e.g., policies and procedures) and assist in creating a plan of action and milestones. The result is a strategic road map to achieve CMMC compliance. Estimated risk ratings of the processes, capabilities and technology in each functional area aid management in developing and submitting scores to the DOD Supplier Performance Risk System.

Program management
Program management bar chart illustration

Cybersecurity program management

RSM will assist OSCs with designing, implementing and managing improvements that optimize and support a client’s CMMC compliance program and cybersecurity posture, including creating customized authorization boundary, designing data flow diagrams, aiding in CUI data identification / labeling, developing a system security plan, and documenting underlying cybersecurity policies and standard operating procedures.

Penetration testing
Penetration testing mobile and laptop illustration

CUI segmentation penetration testing and ‘red team’ assessment

We utilize best-in-class industry methodologies, tools and techniques to assess the maturity of your cybersecurity program and posture, identifying possible attack vectors, vulnerabilities and threats that may pose a significant risk to your organization. Based on our detailed findings, we develop a road map to improve your security program and reduce risk exposure.

Learn more about RSM’s penetration testing services

Data identification under magnifying glass illustration

CUI identification and boundary definition

Our team assists organizations with identifying the collection, use, processing and storage of CUI. This includes determining the flow of CUI and guiding OSCs in customizing their authorization boundary or rationalization to reduce overlapping applications.

Readiness hourglass illustration

Readiness/gap assessment

In this point-in-time assessment, we identify operational and technological gaps and improvement opportunities across the governance model (e.g., policies and procedures) and assist in creating a plan of action and milestones. The result is a strategic road map to achieve CMMC compliance. Estimated risk ratings of the processes, capabilities and technology in each functional area aid management in developing and submitting scores to the DOD Supplier Performance Risk System.

Program management bar chart illustration

Cybersecurity program management

RSM will assist OSCs with designing, implementing and managing improvements that optimize and support a client’s CMMC compliance program and cybersecurity posture, including creating customized authorization boundary, designing data flow diagrams, aiding in CUI data identification / labeling, developing a system security plan, and documenting underlying cybersecurity policies and standard operating procedures.

Penetration testing mobile and laptop illustration

CUI segmentation penetration testing and ‘red team’ assessment

We utilize best-in-class industry methodologies, tools and techniques to assess the maturity of your cybersecurity program and posture, identifying possible attack vectors, vulnerabilities and threats that may pose a significant risk to your organization. Based on our detailed findings, we develop a road map to improve your security program and reduce risk exposure.

Learn more about RSM’s penetration testing services

CMMC implementation and remediation services

Alignment of existing technology with the CMMC requirements can be difficult to implement and maintain, but compliance is required to continue doing business with the federal government and DOD supply chain. RSM offers comprehensive infrastructure transformation and implementation services to help government contractors maintain an effective cybersecurity posture that mitigates the risks of today’s threat landscape.

Our team’s first step in meeting your organization's CMMC requirements is to understand the current boundary of the CUI environment and how CUI flows through the technology environment. We then determine whether to secure the authorization boundary as is or design and implement a separate, secure enclave isolated from the broader enterprise.

Technical review
Technical review examining data illustration

Technical review

RSM performs technical reviews of your in-scope CUI assets to facilitate technical alignment with the requirements of NIST 800-171 (a special publication of the National Institute of Standards and Technology). Through this process, organizations gain a thorough understanding of their technical compliance status and create a plan to address any gaps.

Microsoft
RSM is a Microsoft Solutions Partner for Microsoft Cloud

Microsoft relationship

As a Microsoft Cloud Solution Provider (CSP) and a Microsoft Agreement for Online Services for Government (AOS-G) partner, RSM is one of only a few Microsoft providers that can deploy, implement and manage Azure, Microsoft 365 and Dynamics 365 for Commercial, Government Community Cloud (GCC) and Government Community Cloud High (GCC-H) tenants, allowing our clients access to Microsoft’s shared responsibility model and flow-down controls.

Learn more about our relationship with Microsoft
Secure enclave
Secure enclave documents under lock illustration

CMMC enclave build-out and data migration

RSM assists with the design and implementation of secure enclaves by leveraging various cloud-first technologies, including but not limited to Microsoft GCC and GCC-H. Our Microsoft-certified technical implementation professionals and C3PAO leaders work to design and implement the secure enclave in alignment with the DOD’s fundamental cybersecurity expectations. Once the enclave is stood up and secured, RSM supports the secure migration of CUI from on-premises applications and supporting systems, other cloud tenants, or third-party file storage SaaS applications.

Technical remediation
Third party risk secure data illustration

Technical remediation

Following the identification of our plan of action and milestones (POA&M), RSM will assist with the identification, selection and implementation of technical solutions, including but not limited to, infrastructure enhancements, network segmentation guidance, authorization boundary definitions, cloud security configurations, identity & access management solution deployment aimed at improving the cybersecurity program and POA&M initiative remediation.

Technical review examining data illustration

Technical review

RSM performs technical reviews of your in-scope CUI assets to facilitate technical alignment with the requirements of NIST 800-171 (a special publication of the National Institute of Standards and Technology). Through this process, organizations gain a thorough understanding of their technical compliance status and create a plan to address any gaps.

RSM is a Microsoft Solutions Partner for Microsoft Cloud

Microsoft relationship

As a Microsoft Cloud Solution Provider (CSP) and a Microsoft Agreement for Online Services for Government (AOS-G) partner, RSM is one of only a few Microsoft providers that can deploy, implement and manage Azure, Microsoft 365 and Dynamics 365 for Commercial, Government Community Cloud (GCC) and Government Community Cloud High (GCC-H) tenants, allowing our clients access to Microsoft’s shared responsibility model and flow-down controls.

Learn more about our relationship with Microsoft
Secure enclave documents under lock illustration

CMMC enclave build-out and data migration

RSM assists with the design and implementation of secure enclaves by leveraging various cloud-first technologies, including but not limited to Microsoft GCC and GCC-H. Our Microsoft-certified technical implementation professionals and C3PAO leaders work to design and implement the secure enclave in alignment with the DOD’s fundamental cybersecurity expectations. Once the enclave is stood up and secured, RSM supports the secure migration of CUI from on-premises applications and supporting systems, other cloud tenants, or third-party file storage SaaS applications.

Third party risk secure data illustration

Technical remediation

Following the identification of our plan of action and milestones (POA&M), RSM will assist with the identification, selection and implementation of technical solutions, including but not limited to, infrastructure enhancements, network segmentation guidance, authorization boundary definitions, cloud security configurations, identity & access management solution deployment aimed at improving the cybersecurity program and POA&M initiative remediation.

Services by an external provider who understands how to protect CUI

RSM offers a range of managed services to support government contractors that handle CUI and data protected under International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). Our CMMC managed services are designed to meet the DOD cybersecurity expectations (CMMC Level 2), utilizing technologies authorized by the Federal Risk and Authorization Management Program (FedRAMP). We specifically help maintain government contractors’ IT environments with service desk support and issue remediation, 24/7 network monitoring, endpoint detection and management, real-time vulnerability assessments, infrastructure management, and Microsoft 365, Azure and Dynamics 365 GCC/GCC-H management.

Managed IT
Managed IT cloud monitoring laptop and mobile illustration

Managed IT services for government contractors

Managed IT services support and maintain government contractors’ IT environments in compliance with  NIST 800-171. As a managed service provider (MSP), we provide service desk support and issue remediation, 24/7 monitoring, infrastructure management, endpoint management, Azure and Microsoft 365 GCC-H management, and dedicated technology advisory.

Learn more about managed IT services
Managed security
Managed security briefcase with lock illustration

Managed security services (RSM Defense™)

Our proprietary RSM Defense managed security operations center offers 24/7/365 monitoring and near-real-time reaction to threats, providing extended detection and response (XDR), managed detection and response (MDR), and vulnerability services.

Learn more about RSM’s cyber detect and respond solutions
Managed application
Managed application tasks trending forward illustration

Managed application services

Our managed application services team supports Dynamics 365 business applications and Microsoft 365 and Azure in GCC and GCC-H. We support compliance with the requirements and data-handling protocols of the CMMC, FedRAMP, Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, CUI and ITAR.

Learn more about managed application services
Managed compliance
Managed compliance gears progressing forward illustration

Managed compliance services

We offer a holistic risk, compliance and governance solution to assist OSCs with conducting continuous monitoring activities and periodic risk assessments against NIST 800-171 and related security frameworks (e.g., FedRAMP, the Federal Information Security Modernization Act, ISO 27001, etc.). This includes defining and managing efficient risk management and control management practices to help ensure compliance objectives and regulatory needs are achieved and maintained.

Managed IT cloud monitoring laptop and mobile illustration

Managed IT services for government contractors

Managed IT services support and maintain government contractors’ IT environments in compliance with  NIST 800-171. As a managed service provider (MSP), we provide service desk support and issue remediation, 24/7 monitoring, infrastructure management, endpoint management, Azure and Microsoft 365 GCC-H management, and dedicated technology advisory.

Learn more about managed IT services
Managed security briefcase with lock illustration

Managed security services (RSM Defense™)

Our proprietary RSM Defense managed security operations center offers 24/7/365 monitoring and near-real-time reaction to threats, providing extended detection and response (XDR), managed detection and response (MDR), and vulnerability services.

Learn more about RSM’s cyber detect and respond solutions
Managed application tasks trending forward illustration

Managed application services

Our managed application services team supports Dynamics 365 business applications and Microsoft 365 and Azure in GCC and GCC-H. We support compliance with the requirements and data-handling protocols of the CMMC, FedRAMP, Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, CUI and ITAR.

Learn more about managed application services
Managed compliance gears progressing forward illustration

Managed compliance services

We offer a holistic risk, compliance and governance solution to assist OSCs with conducting continuous monitoring activities and periodic risk assessments against NIST 800-171 and related security frameworks (e.g., FedRAMP, the Federal Information Security Modernization Act, ISO 27001, etc.). This includes defining and managing efficient risk management and control management practices to help ensure compliance objectives and regulatory needs are achieved and maintained.

Authorized CMMC Certified Third-Party Assessor Organization (C3PAO)

As a C3PAO, RSM is authorized to perform joint surveillance voluntary assessment (JSVA) services for OSCs on behalf of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). As the largest C3PAO within the CMMC ecosystem, our team has the depth and breadth of experience to support all of your cybersecurity governance, risk, compliance and transformation needs through both consulting and assessment-related services.

Assessments
Assessments tracking tasks against time illustration

Joint surveillance voluntary assessment (JSVA)

Our JSVA services provide OSCs with a comprehensive review and validation of their overall alignment with the DOD’s cybersecurity regulatory expectations. By analyzing governance documentation, network design schematics, technical control implementation status and overall cybersecurity alignment to the requirements of the CMMC (NIST 800-171), a JSVA aims to identify operational and technological improvement opportunities related to the client’s overall information security posture and ability to adhere to the minimum baseline security requirements.

Examination
Examination monitoring chart on tablet illustration

CMMC examination

As a leading C3PAO, RSM is authorized to conduct the CMMC examination, intended to evaluate the effectiveness of an OSC’s cybersecurity posture based on alignment to the underlying requirements of the CMMC (NIST 800-171). Only C3PAOs are allowed to provide this service, which is governed by The Cyber AB in coordination with the DOD.

Assessments tracking tasks against time illustration

Joint surveillance voluntary assessment (JSVA)

Our JSVA services provide OSCs with a comprehensive review and validation of their overall alignment with the DOD’s cybersecurity regulatory expectations. By analyzing governance documentation, network design schematics, technical control implementation status and overall cybersecurity alignment to the requirements of the CMMC (NIST 800-171), a JSVA aims to identify operational and technological improvement opportunities related to the client’s overall information security posture and ability to adhere to the minimum baseline security requirements.

Examination monitoring chart on tablet illustration

CMMC examination

As a leading C3PAO, RSM is authorized to conduct the CMMC examination, intended to evaluate the effectiveness of an OSC’s cybersecurity posture based on alignment to the underlying requirements of the CMMC (NIST 800-171). Only C3PAOs are allowed to provide this service, which is governed by The Cyber AB in coordination with the DOD.

RSM has been a trusted advisor to the government contracting community for decades

Our commitment to providing innovative solutions and services tailored to help contractors address the unique challenges of this regulated environment has positioned us as a leader in the ecosystem. As the largest certified third-party assessment organization (C3PAO) and an award-winning Microsoft Defense and Intelligence partner, RSM provides readiness, remediation, examination and managed services with an unrivaled team of specialists.

What RSM brings to prospective clients

Authorized CMMC Certified Third-Party Assessor Organization (C3PAO)
CMMC Certification logo
FedRamp authorized logo
United States of America Citizen logo
Service Now Logo
CRN MSP 500 list logo
Managed Service Provider Collective Member

Credentials and certifications

  • Authorized CMMC Certified Third-Party Assessment Organization (C3PAO)
  • Federal Risk and Authorization Management Program (FedRAMP) Third-Party Assessment Organization (3PAO)
  • DOD FedRAMP-authorized IT operations and cybersecurity tools
  • ISO 27001 consulting advisor
  • Payment card industry qualified security assessors (PCI QSAs)
  • HITRUST/HIPAA
  • Certified CMMC Professional(s)
  • Certified CMMC Assessor (CCA)

Microsoft

Case study

Government contractor takes proactive CMMC compliance stance

Read about their CMMC journey

Additional solutions to achieve your organization’s goals

Swipe to view all

Cybersecurity Maturity Model Certification FAQ

Contact our CMMC professionals

Complete this form and an RSM representative will be in touch shortly.

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk. 

Sign up today

THE POWER OF BEING UNDERSTOOD

ASSURANCE | TAX | CONSULTING

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

© 2025 RSM US LLP. All rights reserved.