The Path to Obtaining & Maintaining CMMC 2.0 Compliance
CMMC – Cybersecurity Maturity Model Certification
The CMMC is critical to maintaining government DoD contracts. You must invest in your people, your processes and your technology to meet Department of Defense (DoD) standards. CMMC 2.0 is based on 3 Levels of Certification. We will guide you and help determine which level is acceptable based on your access to technical/classified specifications. You will be ready for any CMMC audit.
Our roadmap is summarized below.
1. Discovery – Understand and learn about your operations and goals.
2. Assessment – Review a series of questions to evaluate the controls of CMMC based on your desired level of compliance.
3. Gap Analysis – Explore the differences between your current state and the desired state of CMMC Compliance.
4. Remediation Recommendations – Create a prioritized list of which gaps to remediate or close to obtain your desired level of compliance.
5. Remediation Plan – Establish a plan to execute your prioritized remediation list.
6. Implementation – Execute the Remediation plan.
Phase 1. Discovery – Business-level conversations, including:
A. Cost-Benefit Analysis – for each of the CMMC Levels of compliance; Level 1 may be enough.
B. Cybersecurity – History and culture of your organizational cybersecurity practices.
C. Your Computer Network Infrastructure.
D. Your documented downstream contractors.
This Discovery process may take 1 or 2 meetings of 1 to 2 hours each. There will be homework for you to gather network documentation. We will determine what CMMC Level you need, and when you need it.
Phase 2. Assessment – A detailed series of questions that will evaluate appropriate controls.
A. Covers people, process and technology as they relate to your handling of CUI (Controlled Unclassified Information) and any associated activities.
B. Consists of 2 to 3 meetings of 2 hours each, to collect all of the appropriate data.
C. Success depends on your team’s preparedness in gathering your records and information.
Phase 3. Gap Analysis – Shows the difference between your current state and the future state with CMMC Compliance. This varies based on your starting point and whether the required goal is Level One, Level Two or Level Three.
A. This establishes a baseline, from which we can map out the journey to being CMMC compliant.
B. The Gap Analysis is ready 2 weeks after completing Phase Two Assessment and Data Collection.
Phase 4. Recommendations – Each Gap identified in the Gap Analysis must be remediated or closed to obtain compliance. There are options to close each Gap. Our CISO (Certified Information Security Officer) will determine the best method based on everything we have learned up to this point (your infrastructure, culture, etc.).
A. We develop the proper Remediation Steps.
B. We deliver 2 weeks after completing the Phase 3 Gap Analysis.
C. We have an open conversation about the timeline, the budget and the remediation plan.
Phase 5. Remediation Plan – With the previous phase's recommendations and priorities and an understanding of the budget, large steps forward can be made toward CMMC compliance. Companies can decide whether 4 months, 24 months or somewhere in between will meet their needs. 1 week delivery.
Phase 6. Implementation – If and when you decide it is “all systems go,” we move forward with the Remediation Plan immediately, on the agreed-upon timeline. We will have regular meetings, live or virtual.
Key to success: Senior-level involvement to ensure support when necessary.
Timelines range from 4 months to 24 months, depending on whether the target is Level One, Two or Three, and on the pre-existing status of your cybersecurity safeguards and policies.
This process is commonly 20% on-site and 80% virtual.
The work is predominantly done by Certified CMMC Professionals.
David Guiliani JMR Services LLC DaveG@JMRservices.net 201-600-8269