Tackle CMMC 2.0 Compliance Now with a Simple Framework
While Cybersecurity Maturity Model Certification (CMMC) 2.0 is still technically within the rulemaking process, and that process isn’t expected to be finalized until late 2023 or early 2024, it is already past time for organizations seeking future certification to begin the work. CMMC 2.0 compliance won’t be achieved simply or quickly. In fact, for most small and mid-sized businesses the average time to CMMC certification is expected to be 21-27 months.
It’s imperative that companies in the Defense Industrial Base (DIB) and Department of Defense contractors begin to map out how to achieve certification; ideally, this process is already well underway. Being late to certification will mean lost contracts and missed opportunities. Being ready will translate to winning business. At Inversion6, we’re here to help you win.
It’s not too late to get started. Today we’re outlining a simple framework to make CMMC 2.0 compliance attainable.
CMMC 2.0 Compliance, A Quick Refresher
You can find details on the evolution of CMMC, including what changed from version 1.0 to 2.0, in our related blog post. It’s important to remember, however, that CMMC 2.0 compliance rests on four key tenets:
- All members of the DIB are subject to DFARS rules, which require meeting NIST SP 800-171
- NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0
- All DoD contractors will have to ensure all subcontractors are CMMC compliant, depending on the type of information they process
- CMMC 2.0 compliance will be phased into DoD contracts beginning in 2025
Need more information about the CMMC process? We run down every step in the certification process here.
A Simple Framework for CMMC 2.0 Compliance
While intimidating at first, achieving certification is possible with a dedicated effort and a proven process. A traditional and simple framework — Plan, Do, Check, and Act (PDCA) — can help companies progress in an organized manner through the labyrinth of steps needed to eventually earn compliance.
Let’s go over each stage in more detail.
PLAN
This is where objectives are established, targets set, and the path to reach them mapped out. For CMMC, this is where the key aspects of your plan are identified and finalized.
Determine your current exposure — How do you line up against DFARS? Is CMMC compliance a part of existing contracts? Do you work with Controlled Unclassified Information (CUI)? Which customers or suppliers are affected?
Commit to a CMMC level — Based on your current and desired business, which CMMC level of compliance (1, 2 or 3) should you strive for? This is your end goal.
Conduct NIST Risk & Security Assessment — This is not a simple gap assessment, and it’s strongly advised to use a CMMC registered practitioner (RP) to conduct it. It helps you identify how CUI flows through all of your users, systems, software and cloud services. Your RP will help you understand your initial compliance report and your first Supplier Performance Risk System (SPRS) score.
Check Business Buy-In — By now, you should have a high-level understanding of what is needed to pursue your compliance goal. Socialize with key stakeholders, estimate the costs of completion and measure if the appetite is still there.
DO
Now it’s time to get to work and Remediate the issues found during the planning stage.
Align your security program with NIST — NIST acts as a true north for CMMC 2.0 compliance, which means your policies should be based on that framework. In addition, there may also be a need to implement CUI-specific training, identify the authorized individuals who can work with CUI, and establish a Governance, Risk & Compliance (GRC) committee to maintain oversight.
Develop Plans of Action & Milestones (POA&Ms) — POA&Ms are the steps that address your deficiencies found in the planning stage. They should remediate security vulnerabilities, weaknesses, or deficiencies, and define the who, what, when, and how of your process.
Execute POA&Ms — This is the meat-and-potatoes portion of the certification process. While your POA&Ms should be realistic, they can also be iterative. This step requires a dedication of focus, time and effort.
CHECK
You’ve put in the work, now it’s time to Verify the results.
Perform a DoD Third Party Self-Assessment — The self-assessment helps validate the controls you’ve created during the ‘Do’ stage, and generates another SPRS score. The use of an objective, trained, and experienced third party is crucial here as they avoid any internal biases and will bring an auditor’s perspective.
Build the SSP — A System Security Plan is the comprehensive document that outlines the security controls and safeguards implemented in your environment. Your SSP needs to detail everything you’ve done and is the key element of your application for CMMC 2.0 compliance. Auditors will start with your SSP. It helps establish and maintain sufficient evidence for your SPRS score.
Regenerate SPRS Score — During this stage you will update your SPRS score — first created during the planning stage. If you’ve reached the 110 threshold, you’re ready. If not, return to the planning stage to identify what has slipped through the cracks.
ACT
At this stage, it’s time for Assessment and to achieve certification.
Select and Schedule a C3PAO — The Certified Third-Party Assessment Organization (C3PAO) you choose will be an important partner in your certification journey. These organizations are authorized by The Cyber AB (formerly CMMC-AB) to conduct and deliver CMMC assessments. They will conduct the audit that determines your success, so you should spend time finding the C3PAO that best fits your organization. You can’t take forever, however, as you can expect a queue for C3PAOs — especially as established deadlines near.
Get the C3PAO Assessment — This is the culmination of months of work. The assessment is a detailed review of your SSP and evidence: have you created the policies and controls needed to reach the desired level of certification, and is there proof of their implementation?
Monitor and Prepare for Reassessment — If you’ve done the work, received the right guidance, and prepared well, you should have achieved CMMC 2.0 compliance with certification. But it’s critical to understand that CMMC compliance is not a one-and-done effort. Monitoring your controls, tracking risk factors, and more is a critical element of compliance and will be factored in when it’s time for a formal reassessment.
Conquer CMMC 2.0 Compliance with Inversion6
Coming to grips with CMMC can be difficult for smaller organizations trying to navigate complicated demands and changing standards. Inversion6 has tirelessly applied our experience to solving these kinds of challenges for businesses across many industries. As a registered practitioner certified by The Cyber AB, we have the skills and expertise needed to help you quickly adjust to, meet, and obtain CMMC 2.0 compliance and certification.
For more than 30 years, Inversion6 has created comprehensive, effective and manageable cybersecurity solutions that include a Security Operations Center (SOC), managed detection & response (MDR), autonomous penetration testing, and more.
Schedule a consultation today to discover how we help your organization find solid footing amidst a rapidly changing compliance landscape.