Implement

CMMC 2.0 implementation begins after completion of your initial assessment, System Security Plan (SSP), and Plan of Action and Milestones (POAMs). You’ve identified your issues and completed your plans to fix them. Now, it’s time to execute those plans.

Remediating your gaps

A key component of NIST SP 800-171 compliance is development of a Plan of Action and Milestones (POAM), which serves as your roadmap for CMMC 2.0 implementation — outlining your plan of action and timeframe, organized into milestones to track progress, for remediating each unmet requirement among the 110 NIST SP 800-171 security requirements in your organization.

The implementation phase following your initial assessment is typically the most resource-intensive phase in the compliance process, requiring new or updated policies, as well as technical controls and technologies to be implemented, configured, and maintained. Some activities are point-in-time remediation efforts, while others are ongoing administrative and operational processes, such as documentation, monitoring, and training.

As remediation progresses, your System Security Plan (SSP) should be updated to reflect how security requirements are implemented. Once remediation is complete and all applicable requirements are met, the SSP must accurately reflect the current system environment and its security controls.

Documentation is critical

As you go through the necessary steps to execute and close out each gap, it’s critically important to validate and document completion with appropriate objective evidence to support your implementation of NIST SP 800-171 requirements during a C3PAO assessment. This evidence may include system configurations, records, logs, screenshots, and other artifacts demonstrating that controls are implemented and operating as intended.

Proper documentation is key to a smooth CMMC 2.0 implementation and certification process.

Assessment and Implementation are ongoing requirements

CMMC 2.0 implementation is not an end point. NIST SP 800-171 requirements call for ongoing assessment and maintenance of security measures to reflect changes in the organization, such as new systems, processes, mergers and acquisitions, or emerging threats and vulnerabilities.

CMMC Level 2 certification is valid for three years. During that period, organizations must perform an annual self-assessment and affirm compliance. At the end of the three-year period, a new C3PAO assessment is required for recertification.

Your suppliers must be CMMC-compliant also

DFARS and CMMC 2.0 flow-down requirements make DOD contractors responsible not only for their own compliance but also for flowing down applicable cybersecurity requirements to their subcontractors. This can be a significant challenge for critical members of the defense industrial base (DIB)—especially smaller companies that may lack the resources to comply—which, in some cases, may impact their ability to participate in DOD contracts.

Managing the task

Managing CMMC 2.0 implementation internally can be an intensive, full-time effort for personnel who already have significant day-to-day responsibilities. Many organizations determine that portions of the effort are best supported by experienced third-party providers—not only to reduce strain on internal staff and support a smoother certification process, but also to help maintain compliance on an ongoing basis.

For efficiency, organizations often engage the same provider for readiness assessment and implementation support; however, the official certification assessment must be conducted independently by a C3PAO.

CyberSheath: solving the whole problem

CyberSheath offers CMMC gap remediation as part of its managed services offering. We are fully certified and highly experienced in NIST SP 800-171, DFARS, and CMMC compliance spanning the full gamut of requirements, from the initial assessment through C3PAO assessment support and all three facets — security, IT, and regulatory compliance — of ongoing program management.

FAQs

What is involved in CMMC 2.0 remediation?

CMMC 2.0 implementation and remediation involves identifying the systems and processes that handle Controlled Unclassified Information (CUI), implementing the applicable security requirements (such as the 110 security requirements in NIST SP 800-171 for Level 2), and documenting them in a System Security Plan (SSP) and related policies. Organizations must identify gaps, remediate deficiencies, and, where needed, track progress through a Plan of Action and Milestones (POAM).

Certification requires either self-assessment or a C3PAO assessment, followed by annual affirmations and ongoing monitoring to ensure controls remain effective and compliance is sustained throughout the three-year certification period.

What security controls must be implemented for CMMC Level 2?

CMMC 2.0 compliance is based on meeting the 110 security requirements outlined in NIST SP 800-171, organized into 14 domains that include access control, audit and accountability, awareness and training, security assessment, system and communications protection, and a number of others.

Every solution begins with a conversation.

Contact our experts today for a no-obligation discussion of CMMC 2.0 compliance, what's required, what you may need, and what we can do to provide it. We've helped hundreds of DOD contractors. We can help you.