The process of becoming CMMC compliant can be broken down into three essential steps:
- Assess your IT infrastructure
- Remediate based on your assessment
- Get assessed by a C3PAO
Let’s walk through each in more detail.
Step 1: Assess Your IT Infrastructure
Typically the first thing you’ll need to do is assess your current IT infrastructure against the control framework that aligns with your desired CMMC Level (for Level 2, this is the 110 security requirements of NIST SP 800-171). This is also called a gap analysis, and it is the basis for understanding which controls, processes and procedures still need to be implemented to achieve compliance. Companies with the right resources will be able to conduct their own self-assessment, while others will need to outsource the assessment to a third party, such as a CMMC Registered Provider Organization (CMMC RPO). Self-assessment resources can be found here, and templates for the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M) can be found here and here, respectively.
Step 2: Remediate
The next step is remediation: the actual work of implementing the controls, processes and procedures identified as gaps in the assessment, and updating the SSP and POA&M as each gap is closed. Again, companies with the resources may be able to perform the remediation work themselves, while others might consider utilizing an RPO. Even if a company does have the resources, an RPO will likely be able to do it faster and more efficiently.
Step 3: Get assessed by a C3PAO
For companies that need to meet CMMC Level 2 or 3, the last step to become CMMC compliant is to get an official assessment from a CMMC Third-Party Assessment Organization (C3PAO). However, no assessments are currently being performed, as the assessors are still being trained. The first assessments are expected to start in 2022.
When To Call In An Expert
If you are having trouble navigating the complexities of your self-assessment and/or developing an SSP and POA&M, it may be time to call in an expert to help. As one of the nation’s top CMMC experts, we’ve helped over 1,000 DoD contractors get prepared for CMMC. Please feel free to request a consultation to speak with us about your challenges with CMMC, DFARS and NIST 800-171 and how we can help. Also check out our CMMC compliance guide for more information.