You are faced with the challenge of CMMC 2.0 implementation; however, the spring 2022 program changes puts you into a quandary of what to do, how to do it, and when you must do it. You can read our simplified guide to CMMC changes here. The CMMC2 program release changed the tiering, stripped auditing requirements, and changed the timelines. Program changes left organizations scrambling to update programs and timelines to meet the adjusted requirements.
Your reaction needs to be straight forward, put your emotions in check and press forward. Consider the following approach to becoming CMMC2 compliant.
- Review CMMMC2 contract requirements. Verify the expected maturity level; 1 – Foundational, 2 – Advanced, 3 – Expert. Validate your audit requirements; Level 1 – none, Level 2 – it depends, Level 3 – required. Identify key compliancy deadline, get started on your program right away. Confirm your maturity level and audit requirements with the procurement office, seek updated contract documentation confirming requirements.
- Choose a CMMC2 preparation partner. An effective preparation vendor will guide you through an entire CMMC2 program lifecycle. This includes determining program requirements, implementation guidelines, program creation, audit preparation, and full audit support. Effective partners significantly reduce program success risks while supporting your organization’s timelines.
- Conduct a self-assessment. This will range from a subset of NIST SP 800-171 all the way to the NIST SP 800-171 110+ practices based on your level. The Department of Defense plans to release actual requirements by May 2023; do not wait until then because the program will include immediate implementation requirements.
- Create a System Security Plan (SSP). This plan is the basis for NIST SP800-171 compliance. “The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems…” The SSP can integrated into your existing cybersecurity programs, it must include all requirements defined by your level 1-3 requirements.
- Create Plans of Action & Milestones (POA&Ms). This documents why you are unable to satisfy requirements, the steps addressing the shortcomings, and the plan implementation dates.
- Certification. Contact a certifying agency early in your CMMC2 program creation if your contract stipulates audit requirements. You need a significant lead time to schedule audits due to the shortage of certified auditors. We recommend setting up a relationship immediately ensuring the scope, timing, and program costs are identified up front.
- User Training. It is not enough to create a program; you must educate all users on new CMMC2 cybersecurity and workflow requirements. Avoid hour-long annual sessions resulting in little retention, instead consider a drip program including monthly micro lessons. Create a role-based program focusing on interaction with CMMC2 classified data.
- Ongoing Internal Testing. Organizations not subject to external audits should create a self-assessment program. An effective self-assessment program reviews all SSP requirements then evaluates listed items on a periodic schedule. The frequency and test depth are based on risk and compliance requirements.
- Nov 2021 Press Release Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program