
The CMMC Final Rule is Here - Where do I start?


Now that the CMMC Final Rule has been published, you might be thinking: "Now that the CMMC rule is final, it's time to focus on compliance to keep our business in the game. The problem is, CMMC seems overwhelming, and it's hard to know where to start."


We hear ya!


Taking the first step is always the hardest, so we created a list of questions to ask yourself and your team before starting the process. We also added a list of resources that we think you'll find useful - including links to DoD resources, self-assessment tools, progress-tracking resources, YouTube experts, professional networks, document templates, and Certified CMMC Professional / Assessor (CCP / CCA) training.


The first step is understanding your current status, so ask your team the following questions:

  • Do we have an SPRS score? What is it? 

  • Have we conducted any previous assessments?

  • What past compliance programs could provide information for our CMMC assessment? 

  • Do any of our current contracts include DFARS 252.204-7012, 7019, or 7020?

  • If we are a subcontractor to a Prime, what requirements are they flowing down to us?


Once you have this data, discuss the need to become compliant with your entire executive team and get their full support, especially from an executive focal point you'll interact with throughout the process. If the execs aren't on board, it's going to be painful for everyone. In addition to their backing, you need to discuss budget, both for internal staff time and for external costs such as consultants, licenses, tools, and documentation.


Once the execs give you approval, it's time to find out whether you already have any detailed compliance documents, such as:

  • System Security Plan (SSP)

  • Policies / procedures

  • Architecture / boundary diagram

  • Data flow diagram identifying all CUI

  • Asset inventory (people, technology, systems)


As you're collecting this information, you'll want to assemble an internal team with a strong leader. If you have a managed service provider (MSP) or cloud service provider (CSP), you'll need to involve them and share your CMMC compliance plans. You should also decide whether you want an external CMMC expert to guide you along the way and simplify things.


Once the team is assembled, it's time to get them up to speed with some high-level training on the CMMC process and requirements.


Now it's GO TIME!


At a high level, these are the steps you're going to take throughout the process:

  • Conduct a Gap Analysis

  • Develop your Strategy & Roadmap

  • Implement Compliance Measures

  • Prepare for the CMMC Assessment

  • Participate in the assessment with a Certified Third-Party Assessment Organization (C3PAO)

  • If necessary: create a Plan of Action & Milestones (POA&M) and schedule a reassessment

  • Participate in the CMMC reassessment of POA&M items


When you pass, it'll be time to celebrate!


Becoming CMMC compliant is a lot of work! But with the right team, you can do it!


Remember, this process takes time. Take the first step, reach out to CMMC experts, and get started! 


If you need assistance, we're here to help. We have Certified CMMC Assessors who can help simplify the process and guide you along the entire journey.



Author:

Mark DeBry, Certified CMMC Assessor, PMP, CISM


We've included some helpful resources as you prepare for your CMMC assessment:


CMMC Program Information 


Compliance Tools


Expert Advice on Youtube


CMMC Community


Documentation Templates


CCA & CCP Training
