CMMC Compliance: Where to Start and Steps to Take

September 20, 2023

Navigating the Path to Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a security framework that the US Department of Defense (DoD) mandates for organizations in its manufacturing supply chain. The framework exists to safeguard Controlled Unclassified Information (CUI): information created or possessed by the government, or by another entity on the government’s behalf, that is not classified but still requires protection against unauthorized access, use, disclosure, alteration, or destruction.

Initially announced in 2019 as a five-tier framework, CMMC 1.0 took effect in November 2020. In November 2021, however, the DoD announced the revamped CMMC 2.0 as a three-tier framework. If CMMC 2.0 follows the original CMMC rollout schedule, all DoD contracts must meet the CMMC 2.0 standards by late 2025. The DoD’s website shows the Department is still in the CMMC 2.0 rulemaking process.

What are the Levels of CMMC Compliance?

Level 1 – Foundational

At Level 1, the focus is on safeguarding Federal Contract Information (FCI). This level requires basic cybersecurity practices, such as antivirus software and access controls. Organizations must conduct an annual security assessment, which may be a self-assessment.

Level 2 – Advanced

At Level 2, the focus expands and includes added controls for protecting Controlled Unclassified Information (CUI). This level demands a more mature cybersecurity foundation. Organizations must establish, document, and implement cybersecurity practices and policies. They should also develop processes to detect and respond to common cyber threats effectively.

A comprehensive third-party assessment is required every three years for organizations where CUI is critical to national security. If CUI’s role in national security is less prominent, organizations can choose between an annual self-assessment or hiring a third party for assessment.

Level 3 – Expert

At Level 3, cybersecurity reaches a higher level of maturity, building upon the Level 2 foundation. Organizations must adopt a comprehensive and proactive stance to safeguard Controlled Unclassified Information (CUI), including implementing and managing an extensive suite of security controls and processes.

Level 3 strongly emphasizes fostering excellent cyber hygiene practices across the organization. Regular reviews and enhancements of security measures are essential. Compliance at this stage carries significant national security implications and mandates a third-party assessment every three years, closely overseen by government authorities.

Where Do I Start?

Identify Your Required CMMC Level

The level of CMMC certification differs based on your work with the DoD and the sensitivity of the CUI you manage. The CMMC self-assessment tool is a valuable resource to help you assess the appropriate level of compliance for your circumstances.

Identify Your CMMC Scope

The scope of your CMMC assessment encompasses every system and data repository that stores, processes, or transmits CUI. Identifying all the systems and information within your organization that fall under this scope is essential to ensuring compliance with CMMC standards.

Perform a Gap Assessment

A gap assessment evaluates your organization’s existing cybersecurity measures against the CMMC requirements. The assessment is a valuable exercise that pinpoints the areas of your cybersecurity program that need improvement before you can achieve full CMMC compliance.

Develop a Plan of Action

Based on your gap assessment, the next step involves developing a comprehensive action plan. The plan should specify precise tasks, establish realistic timelines, and allocate the necessary resources to address areas needing improvement.

Implement Your Plan of Action

Once you have developed your plan of action, you need to start implementing it. This may involve changing your organization’s security policies and procedures, implementing new security controls, or training your employees on cybersecurity best practices.

Undergo a CMMC Assessment

When you are confident your organization is CMMC compliant, the final step is undergoing an assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). The C3PAO will evaluate your organization’s cybersecurity practices in alignment with the CMMC requirements and, upon meeting all criteria, issue certification.

When Should I Start This Process? 

Beginning your compliance efforts as soon as possible is essential for two reasons. First, the process outlined above can take a lot of time, depending on your organization’s current cybersecurity maturity and the level of compliance you must obtain. Second, your organization must absorb all costs associated with assessing gaps, performing remediation, generating the required documentation, and potentially paying a third-party assessor for certification. These costs may need to be spread out to fit your organization’s budget.

Your CMMC Partner

Would you like to know more about becoming CMMC compliant or moving to the next level? Dewpoint’s security experts will help you identify your security goals and build a path toward achieving them. Schedule a time to chat with one of our cybersecurity experts today.
