Planning Your Path to CMMC 2.0 Compliance

By Eric Noonan • May 10, 2022

The first step toward full alignment with the controls outlined in CMMC 2.0 and NIST SP 800-171 is to craft a strategy for how you will get there, beginning with an assessment of your current state. Before you start, you might want to learn more about why you need to get ready for CMMC 2.0.

There are three major components to CMMC compliance: security, technology, and regulatory requirements. Below are specific controls under each of these categories. Addressing these requirements early can be a force multiplier for your compliance efforts. Proceed thoughtfully: you will face major decisions that, if executed incorrectly or at the wrong time, can have significant implications for cost and compliance down the road.

Build a plan to implement these controls

Here are our recommendations on where to start your compliance journey. Note that the score reported to the Supplier Performance Risk System (SPRS), computed under the NIST SP 800-171 DoD Assessment Methodology, ranges from a positive 110, if all 110 requirements are implemented, to negative 203, if your organization has implemented none of them: you start at 110 and lose 1, 3, or 5 points for each requirement that is not implemented, depending on the weight DoD assigns to it. The point totals below are therefore the deductions at stake in each category.

Category: Security
Typical points allotted in SPRS: 56 points across 18 requirements
Required processes that we recommend be prioritized:
- Logging and Monitoring: the central collection of security-relevant log sources, along with the operational processes to monitor logs and alerts for security events.
- Vulnerability Management: the ability to evaluate the organization's technology environment to detect and report on infrastructure and application vulnerabilities.
- Incident Response: the processes that define and operationalize preparation, detection, triage, containment, and corrective actions for security events and incident declaration.

Category: Technology
Typical points allotted in SPRS: 193 points across 67 requirements
Required processes that we recommend be prioritized:
- Identity and Access Management: the means to manage identity, account creation, and access management.
- Patching and Maintenance: the ability to manage updates and patching for the platforms and systems that exist within the environment.
- Asset and Configuration Management: inventorying of assets, and the ability to apply and maintain a secure configuration across technology services.

Category: Regulatory
Typical points allotted in SPRS: 64 points across 25 requirements
Required processes that we recommend be prioritized:
- Security Assessment: the means to regularly assess and monitor the state of controls for an organization or system.
- System Security Planning: the mechanism to document details about an organization or system and provide narratives for how each control requirement is implemented.
- Plan of Action and Milestones (POA&M): the process to document and manage corrective actions from sources such as assessment output.


Moving forward, you have to integrate all these different pieces in a way that makes sense for everybody in your organization, while keeping ongoing compliance maintenance in mind. If you implement these controls, you can, in a reasonable amount of time and at a reasonable expenditure, reach an SPRS score of around 60, which in our experience is an excellent score.

Timeline for completion

The big question is, “When does all this need to be done?”

For over seven years, the answer has been, "It depends." Sooner feels better than later, but our experience with customers trying to attain compliance fast is that moving quickly is always more expensive and sometimes simply not possible.

The bottom line is that full compliance means documented, repeatable, and scalable security solutions. It is also a matter of shared responsibility and a commitment to continuous compliance, with monthly, quarterly, and annual validation to ensure ongoing alignment with the requirements. And always remember that compliance requires the people and processes to make the technology work.

No matter where you are in the process of attaining CMMC compliance, we can help. We are experts in helping you assess your current state and in working with you to chart your path to compliance. Contact us to learn more.

 
