Preparing for CMMC (Cybersecurity Maturity Model Certification) means implementing the security requirements in NIST SP 800-171 and, for the highest level, a subset of the enhanced requirements in NIST SP 800-172. Organizations that already hold Federal contracts handling Controlled Unclassified Information (CUI) will recognize these requirements. The Department of Defense (DoD) adds a verification step on top of them: a CMMC assessment, performed for higher levels by an accredited third-party assessor, that confirms the NIST SP 800-171/172 practices are actually in place.
While every organization seeking CMMC certification at a given level must meet the same requirements, each one starts from a different position. What needs doing will be heavily influenced by the current IT infrastructure and by how many of the practices in the two NIST SP 800 publications are already adopted. Critical Insight's consultants can assist your business with NIST SP 800-171 and 800-172 compliance and with CMMC 2.0 certification preparation. Our experts have the experience needed to determine your current cybersecurity position. Together, we can then identify what you need to do, develop a plan to get there, and work with you over time to ensure you remain compliant and ready to bid for and win DoD contracts.
The flow diagram below outlines the steps the Critical Insight team follows when working with an organization toward CMMC certification. The DoD requires that the final Certified CMMC Assessment step be performed by a separate, accredited assessor rather than by the consultants who helped prepare, so that no conflict of interest arises.
Experience from working with multiple organizations on CMMC compliance shows that the items listed under Data Flow Analysis and Scope Assessment Boundary in the flow diagram are the most time-consuming: you cannot assess what you have not yet scoped, and CUI usually flows through more systems, people and suppliers than anyone expected. The Gap Assessment is undertaken once these data-gathering and analysis stages are complete. Two significant documents come out of this work: a System Security Plan (SSP), which records the assessment boundary and how each practice is implemented, and a Plan of Action and Milestones (POA&M), which records every practice the gap assessment finds not yet implemented, together with who will close it and by when. Note that under CMMC 2.0 a POA&M is not a substitute for implementation: only a limited set of practices may remain open at the time of assessment, and those must be closed within 180 days for the certification to stand.
The Remediate Risks section of the CMMC Compliance Process flow is where the gaps highlighted by the assessment are addressed. The time needed to close them depends on their complexity, the budget available for any new solutions required, and the timeline the organization has set for achieving CMMC certification.