Planning Your Path to CMMC 2.0 Compliance

By Eric Noonan • May 10, 2022

The first step to achieving your goal of total alignment with the controls outlined in CMMC 2.0 and NIST 800-171 is to craft a strategy, beginning with completing an assessment, on how you will do it. Before you start, you might want to learn more about why you need to get ready for CMMC 2.0.

There are three major components to CMMC compliance–security, regulatory, and IT requirements. Below are specific controls under each of these categories. If you address these requirements, they can be a force multiplier for your compliance efforts. Proceed thoughtfully as you will face major decisions that if executed incorrectly or at the wrong time, can have significant implications on cost and compliance down the road.

Build a plan to implement these controls

Here are our recommendations on where to start your compliance journey. Note that the Supplier Performance Risk System (SPRS) ranges from a positive 110, if you’re fully compliant, to negative 203, if your organization has done nothing in terms of cybersecurity controls implementation.


CategoryTypical points allotted in SPRSRequired processes that we recommend be prioritized
Security56 points across 18 requirementsLogging and Monitoring​ – The central collection of security-relevant log sources, along with the operational processes to monitor logs and alerts for security events.
Vulnerability Management – The ability to evaluate the organization’s technology environment to detect and report on infrastructure and application vulnerabilities.
Incident Response​ – The processes that define and operationalize the preparation, detection, triage, containment, and corrective actions as it relates to security events and incident declaration.
Technology 193 points across 67 requirementsIdentity and Access Management​ – The means to manage identity, account creation, and access management.
Patching and Maintenance​ – The ability to manage updates and patching to platforms and systems that exist within the environment.
Asset and Configuration Management​ – Inventorying of assets, and the ability to apply and maintain a secure configuration across technology services.

64 points across 25 requirementsSecurity Assessment​ – The means to regularly assess and monitor the state of controls for an organization or system.
System Security Planning​ – The mechanism to document details about an organization or system and provide narratives for how control requirements are implemented.
Plan of Actions and Milestones – The process to document and manage corrective actions from sources such as assessment output.


Moving forward, you have to integrate all these different pieces in a way that makes sense for everybody in your organization–while keeping compliance maintenance in mind. If you complete and implement these controls, you can, in a reasonable amount of time at a reasonable expenditure, get to an SPRS score of 60, which in our experience, is an excellent score.

Timeline for completion

The big question is, “When does all this need to be done?”

For over seven years, the answer has been, “It depends.” Sooner feels better than later. Experience with various customers trying to attain compliance fast has told us that moving quickly is always more expensive and sometimes just not possible.

Bottomline is that full compliance includes documented, repeatable, and scalable security solutions. It is also a matter of shared responsibility and a commitment to continuous compliance with monthly, quarterly, and annual validation to ensure alignment with requirements. And always remember that compliance requires the people and processes to make the technology work.

No matter where you are in the process of attaining CMMC compliance, we can help. We are experts in helping you assess your current state and in working with you to chart your path to compliance. Contact us to learn more.


CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO