Planning Your Path to CMMC 2.0 Compliance

By Eric Noonan • May 10, 2022

The first step to achieving your goal of total alignment with the controls outlined in CMMC 2.0 and NIST 800-171 is to craft a strategy, beginning with completing an assessment, on how you will do it. Before you start, you might want to learn more about why you need to get ready for CMMC 2.0.

There are three major components to CMMC compliance–security, regulatory, and IT requirements. Below are specific controls under each of these categories. If you address these requirements, they can be a force multiplier for your compliance efforts. Proceed thoughtfully as you will face major decisions that if executed incorrectly or at the wrong time, can have significant implications on cost and compliance down the road.

Build a plan to implement these controls

Here are our recommendations on where to start your compliance journey. Note that the Supplier Performance Risk System (SPRS) ranges from a positive 110, if you’re fully compliant, to negative 203, if your organization has done nothing in terms of cybersecurity controls implementation.


CategoryTypical points allotted in SPRSRequired processes that we recommend be prioritized
Security56 points across 18 requirementsLogging and Monitoring​ – The central collection of security-relevant log sources, along with the operational processes to monitor logs and alerts for security events.
Vulnerability Management – The ability to evaluate the organization’s technology environment to detect and report on infrastructure and application vulnerabilities.
Incident Response​ – The processes that define and operationalize the preparation, detection, triage, containment, and corrective actions as it relates to security events and incident declaration.
Technology 193 points across 67 requirementsIdentity and Access Management​ – The means to manage identity, account creation, and access management.
Patching and Maintenance​ – The ability to manage updates and patching to platforms and systems that exist within the environment.
Asset and Configuration Management​ – Inventorying of assets, and the ability to apply and maintain a secure configuration across technology services.

64 points across 25 requirementsSecurity Assessment​ – The means to regularly assess and monitor the state of controls for an organization or system.
System Security Planning​ – The mechanism to document details about an organization or system and provide narratives for how control requirements are implemented.
Plan of Actions and Milestones – The process to document and manage corrective actions from sources such as assessment output.


Moving forward, you have to integrate all these different pieces in a way that makes sense for everybody in your organization–while keeping compliance maintenance in mind. If you complete and implement these controls, you can, in a reasonable amount of time at a reasonable expenditure, get to an SPRS score of 60, which in our experience, is an excellent score.

Timeline for completion

The big question is, “When does all this need to be done?”

For over seven years, the answer has been, “It depends.” Sooner feels better than later. Experience with various customers trying to attain compliance fast has told us that moving quickly is always more expensive and sometimes just not possible.

Bottomline is that full compliance includes documented, repeatable, and scalable security solutions. It is also a matter of shared responsibility and a commitment to continuous compliance with monthly, quarterly, and annual validation to ensure alignment with requirements. And always remember that compliance requires the people and processes to make the technology work.

No matter where you are in the process of attaining CMMC compliance, we can help. We are experts in helping you assess your current state and in working with you to chart your path to compliance. Contact us to learn more.


CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO