Now that the CMMC Final Rule has been published, you might be thinking, "It's time to focus on compliance to keep our business in the game. The problem is, CMMC seems overwhelming, and it's hard to know where to start."
We hear ya!
Taking the first step is always the hardest, so we created a list of questions to ask yourself and your team before starting the process. We also added a list of resources that we think you'll find useful, including links to DoD resources, self-assessment tools, progress-tracking resources, YouTube experts, a professional network, document templates, and Certified CMMC Professional / Assessor (CCP / CCA) training.
The first thing is understanding your status, so ask your team the following questions:
Do we have an SPRS score? What is it?
Have we conducted any previous assessments?
What past compliance programs could provide information for our CMMC assessment?
Do any of our current contracts have DFARS 252.204-7012, 7019, or 7020 in them?
If we are a subcontractor to a Prime, what requirements are they flowing down to us?
Once you have this data, discuss the need to become compliant with your entire executive team and get their full support, especially from an executive focal point that you'll interact with. If the execs aren't on board, it's going to be painful for everyone. In addition to their backing, you need to discuss budget, for both internal staff time and external costs such as consultants, licenses, tools, and documentation.
Once the execs give you approval, it's time to find out whether you already have any detailed compliance documents, such as:
System security plan
Policies / procedures
Architecture / Boundary diagram
Data Flow diagram identifying all CUI
Assets (people, tech, systems)
As you're collecting this information, you'll want to assemble an internal team, with a strong leader. If you have an MSP or cloud service provider (CSP), you'll need to involve them and share your CMMC compliance plans. You should also decide if you want an external CMMC expert to guide you along the way and simplify things.
Once the team is assembled, it's time to get them up to speed with some high-level training on the CMMC process and requirements.
Now it's GO TIME!
At a high level, these are the steps you're going to take throughout the process:
Conduct a Gap Analysis
Develop your Strategy & Roadmap
Implement Compliance Measures
Prepare for the CMMC Assessment
Participate in the Assessment with a Certified Third-Party Assessment Organization (C3PAO)
If necessary: Create a Plan of Action & Milestones (POA&M) and schedule a reassessment
Participate in CMMC Reassessment of POA&Ms
When you pass, it'll be time to celebrate!
Becoming CMMC compliant is a lot of work! But if you have the right team you can do it!
Remember, this process takes time. Take the first step, reach out to CMMC experts, and get started!
If you need assistance, we're here to help. We have Certified CMMC Assessors who can help simplify the process and guide you along the entire journey.
Author:
Mark DeBry, Certified CMMC Assessor, PMP, CISM
We've included some helpful resources as you prepare for your CMMC assessment:
CMMC Program Information
DIB Cyber Portal: https://dibnet.dod.mil/dibnet/
Project Spectrum: https://www.projectspectrum.io
APEX Accelerator: https://www.apexaccelerators.us
Cyber AB: https://www.cyberab.org
Compliance Tools
NIST SP 800-171A assessment spreadsheet: https://csrc.nist.gov/pubs/sp/800/171/a/final
MS Product Placement for CMMC 2: https://www.microsoft.com/en-us/download/details.aspx?id=102536&lc=1033&msockid=2bbff73cadd360e50077e3a8a9d36266
FutureFeed: https://futurefeed.co/
CMMC Proof: https://www.aspirecyber.com/cmmc-proof
CMMC Bagel (free): https://github.com/SecurityBagel/CMMC-Bagel
Expert Advice on Youtube
CMMC Community
CMMC Professionals Network: https://www.linkedin.com/company/cmmc-professionals-network-cpn/
Documentation Templates
ComplianceIT: https://www.compliancyit.io/cmmcitdoctoolkit/
Compliance Forge: https://complianceforge.com/product/nist-800-171-compliance-program/
Kieri Compliance Documentation: https://www.kieri.com/kcd/
CCA & CCP Training
Wise Technical Innovation (CCP/CCA): https://www.wtinetworks.com/category/online-packs