A person on their laptop with a chart graphic in between him and the screen.

Planning Your Path to CMMC 2.0 Compliance

The first step to achieving your goal of total alignment with the controls outlined in CMMC 2.0 and NIST 800-171 is to craft a strategy, beginning with completing an assessment, on how you will do it. Before you start, you might want to learn more about why you need to get ready for CMMC 2.0.

There are three major components to CMMC compliance–security, regulatory, and IT requirements. Below are specific controls under each of these categories. If you address these requirements, they can be a force multiplier for your compliance efforts. Proceed thoughtfully as you will face major decisions that if executed incorrectly or at the wrong time, can have significant implications on cost and compliance down the road.

Build a plan to implement these controls

Here are our recommendations on where to start your compliance journey. Note that the Supplier Performance Risk System (SPRS) ranges from a positive 110, if you’re fully compliant, to negative 203, if your organization has done nothing in terms of cybersecurity controls implementation.


Category Typical points allotted in SPRS Required processes that we recommend be prioritized
Security 56 points across 18 requirements Logging and Monitoring​ – The central collection of security-relevant log sources, along with the operational processes to monitor logs and alerts for security events.
Vulnerability Management – The ability to evaluate the organization’s technology environment to detect and report on infrastructure and application vulnerabilities.
Incident Response​ – The processes that define and operationalize the preparation, detection, triage, containment, and corrective actions as it relates to security events and incident declaration.
Technology  193 points across 67 requirements Identity and Access Management​ – The means to manage identity, account creation, and access management.
Patching and Maintenance​ – The ability to manage updates and patching to platforms and systems that exist within the environment.
Asset and Configuration Management​ – Inventorying of assets, and the ability to apply and maintain a secure configuration across technology services.

64 points across 25 requirements Security Assessment​ – The means to regularly assess and monitor the state of controls for an organization or system.
System Security Planning​ – The mechanism to document details about an organization or system and provide narratives for how control requirements are implemented.
Plan of Actions and Milestones – The process to document and manage corrective actions from sources such as assessment output.


Moving forward, you have to integrate all these different pieces in a way that makes sense for everybody in your organization–while keeping compliance maintenance in mind. If you complete and implement these controls, you can, in a reasonable amount of time at a reasonable expenditure, get to an SPRS score of 60, which in our experience, is an excellent score.

Timeline for completion

The big question is, “When does all this need to be done?”

For over seven years, the answer has been, “It depends.” Sooner feels better than later. Experience with various customers trying to attain compliance fast has told us that moving quickly is always more expensive and sometimes just not possible.

Bottomline is that full compliance includes documented, repeatable, and scalable security solutions. It is also a matter of shared responsibility and a commitment to continuous compliance with monthly, quarterly, and annual validation to ensure alignment with requirements. And always remember that compliance requires the people and processes to make the technology work.

No matter where you are in the process of attaining CMMC compliance, we can help. We are experts in helping you assess your current state and in working with you to chart your path to compliance. Contact us to learn more.


Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyberthreats.
This is default text for notification bar