CMMC 2.0: What Changed and the Pre-Assessment Process

November 2, 2023

Inadvertent Publishing of CMMC 2.1

In July 2023, draft versions of the Cybersecurity Maturity Model Certification (CMMC) 2.1 were inadvertently made public. They had been prepared for the Office of Information and Regulatory Affairs (OIRA) as part of the process of codifying CMMC in Title 32 of the Code of Federal Regulations (32 CFR). The Department of Defense (DoD) Chief Information Officer (CIO) office swiftly retracted the documents, emphasizing that they had not been formally issued.

In our articles about CMMC, we have covered the 1.0 and 2.0 models. Even though the details of CMMC aren’t finalized, organizations must approach CMMC proactively, ensuring that every aspect of the organization’s technology environment is geared toward compliance and security. For many, the journey to CMMC compliance may take six months or longer.  

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a unifying framework designed to fortify the cybersecurity posture of the Defense Industrial Base (DIB). It is a fusion of various cybersecurity standards and provides a certification framework to assess an organization’s maturity level in safeguarding sensitive information. With three maturity levels, it allows organizations to exhibit their cybersecurity readiness.

You can see all our CMMC articles here.

What changed from CMMC 1.0 to 2.0?

Under CMMC 2.0, there are three compliance levels instead of five. Read more about the new levels.

What is a pre-assessment, and how does it work?

Registered Practitioner Organizations (RPOs) and CMMC Third-Party Assessment Organizations (C3PAOs) play a critical role in the CMMC compliance process. Engaging an RPO or C3PAO for a pre-assessment, sometimes called a “gap analysis” or “readiness assessment,” is an important step for organizations to gauge their readiness for the official CMMC assessment. Here’s an overview of how a pre-assessment works:

Engagement and Scope Definition

The organization collaborates with the chosen assessor to define the scope of the assessment, determine the targeted CMMC level, and set timelines.

Documentation Review

The assessor thoroughly reviews all documentation related to cybersecurity practices and policies. This includes policy documents, Standard Operating Procedures (SOPs), System Security Plans (SSPs), Incident Response Plans (IRPs) [download a template to help you get started], and any other documentation showcasing the organization’s cybersecurity posture.

If you’re a Michigan-based company, consider a fixed-rate gap analysis as your first step toward CMMC compliance.

System and Network Analysis

The assessor will examine the organization’s network infrastructure, configurations, and security controls. They will review network diagrams, firewall configurations, and access control measures.

Staff Interviews and Workflows

The assessor evaluates the practical implementation of security practices by interviewing key personnel and observing specific workflows. They might ask about incident response, daily security routines, and how various cybersecurity scenarios are handled.

Control Testing

The assessor will test specific security controls to ensure they operate as intended. This can involve penetration testing, vulnerability scanning, or other technical evaluations.

Identify Gaps

The primary objective of the pre-assessment is to identify gaps between the organization’s current practices and the requirements of the targeted CMMC level. The RPO or C3PAO will highlight these gaps and provide insights into the severity and implications of each.

Remediation Recommendations

Based on the gaps identified, the assessor will provide remediation recommendations. Recommendations can involve technical solutions (like introducing new tools or changing configurations) and procedural changes (like revising policies or introducing further training).

Report Delivery

At the end of the pre-assessment, the organization will receive a detailed report outlining findings, gaps, and recommended actions.

Follow-Up and Support

A pre-assessment is not required for CMMC certification, but it’s highly recommended. Organizations with a clear picture of their readiness can proactively and efficiently address gaps. Dewpoint offers remediation services to help you implement recommendations and drive towards compliance.

Download Dewpoint’s CMMC Guide and Compliance Checklist

Schedule a time to chat with our security experts today.

Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 26 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses. 
