Holly Sagstetter

CMMC Compliance: Focus on the 7 Proven Phases

April 14, 2021

Do you need help with CMMC compliance?

Guess what - so do tons of other US Government contractors.

In fact, over the next few years, 300,000 businesses will be required to dramatically improve their IT and cybersecurity due to CMMC.

We’re receiving requests every day from companies who need help with CMMC compliance. And we typically share information about the phases of CMMC certification, which we’ll outline below. It helps to look at what a CMMC project looks like and to understand what you’re signing up for.


Brief overview of CMMC

The US Department of Defense (DoD) will require its contractors to undergo a cybersecurity maturity assessment by an accredited third party. Based on that assessment, each company is assigned a rating from CMMC Level 1 to Level 5.

Starting in 2021, with a phased rollout over the following years, DoD Requests for Proposals (RFPs) will state “you must be CMMC Level X.” This is a game changer: if your company isn’t certified at the required level by award time, you will lose the business.


What is CMMC compliance?

In 2017, DoD contractors handling covered defense information were required (through DFARS clause 252.204-7012) to comply with NIST SP 800-171, which contains 110 specific security requirements to prevent cyberattacks and protect confidential government data.

Unfortunately, too many vendors relied on self-attestation and didn’t actually implement NIST 800-171. CMMC was created to add enforcement: there is no self-assessment option for CMMC certification. You will be assessed by a certified third-party assessment organization (C3PAO) and assigned a CMMC level.


Is CMMC the same as NIST 800-171?

No, but they overlap heavily. In November 2020, the DoD issued the Interim Rule (DFARS 252.204-7019 and 7020). It requires companies to score themselves against NIST 800-171 using the DoD Assessment Methodology, document the result, and upload the score (with the assessment date and the date by which any open items will be closed) into the DoD’s Supplier Performance Risk System (SPRS). CMMC Level 3 builds on this: it includes all 110 NIST 800-171 requirements plus 20 additional practices.


Which CMMC Level do I need to achieve?

This depends on the type of information your organization handles. See below for more on the five maturity levels.

CMMC Maturity Levels

If you handle only Federal Contract Information (FCI), Level 1 (17 basic safeguarding practices) applies. If you handle CUI, you will be required to get assessed at Level 3 (130 practices).


7 Phases of CMMC Compliance

Here are the typical phases of a NIST 800-171 / CMMC project:

1. Find the CUI

We help clients follow a structured process to find Controlled Unclassified Information (CUI), which is the focus of CMMC: where it enters the company, where it is stored, who can reach it, and where it leaves. The authoritative list of CUI categories is the National Archives CUI Registry: https://www.archives.gov/cui/registry/category-list. The registry changes over time, so the inventory has to be repeated, not done once.
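One concrete way to start the inventory is to sweep file shares for documents that already carry CUI markings. The scanner below is an added example, not Adelia Risk’s process or tooling. It assumes the 32 CFR Part 2002 marking scheme (a “CUI” banner, optionally followed by “//” and category or dissemination codes) and also flags the legacy “FOUO” and “SBU” markings that tend to survive in older documents and usually indicate CUI today. The file extensions, directory names and file contents are constructed for the demo; a real deployment would add text extraction for Office and PDF files.

```python
"""Sweep a directory tree for files carrying CUI (or legacy) markings.

Added example for illustration; not the page author's tooling. Marking
patterns follow 32 CFR Part 2002 ("CUI", "CUI//CATEGORY//DISSEM") plus
pre-CUI legacy markings. Only plainly readable text files are inspected;
Office/PDF would need an extractor (e.g. python-docx, pdfminer) in practice.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# "CUI" alone, or "CUI//SP-PRVCY//NOFORN"-style banner with categories and
# dissemination controls. Case-sensitive and word-bounded so that words such
# as "cuisine" or "CUISINE" are not reported.
CUI_BANNER = re.compile(r"\bCUI(?://[A-Z0-9\-/]+)*\b")

# Legacy markings that predate the CUI program and usually map to CUI now.
LEGACY = re.compile(
    r"\b(?:FOUO|FOR OFFICIAL USE ONLY|SBU|SENSITIVE BUT UNCLASSIFIED)\b"
)

# Assumed set of extensions we can read as text without an extractor.
TEXT_EXTS = {".txt", ".md", ".csv", ".log", ".json", ".xml", ".html", ".eml"}


@dataclass
class Hit:
    path: str
    line_no: int
    marking: str
    kind: str  # "cui" for a CUI banner, "legacy" for FOUO/SBU


def scan_text(text, path="<string>"):
    """Return every marking found in `text`, one Hit per match, in line order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CUI_BANNER.finditer(line):
            hits.append(Hit(path, line_no, m.group(0), "cui"))
        for m in LEGACY.finditer(line):
            hits.append(Hit(path, line_no, m.group(0), "legacy"))
    return hits


def scan_tree(root):
    """Walk `root`, scanning each readable text file; unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # permission denied, vanished file, etc.
    return hits


def demo():
    """Build a constructed sample tree and return the relative paths flagged."""
    samples = {  # constructed sample content, not real documents
        "contracts/sow.txt": "CUI//SP-CTI\nStatement of work for widget integration.",
        "hr/old_policy.txt": "FOR OFFICIAL USE ONLY\nBadge issuance procedure.",
        "marketing/blog.md": "Our guide to regional cuisine. CUISINE is not a marking.",
        "bin/tool.exe": "CUI",  # skipped: not a text extension
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return sorted(
            os.path.relpath(h.path, root).replace(os.sep, "/") for h in hits
        )


if __name__ == "__main__":
    for rel in demo():
        print("flagged:", rel)
```

Treat the output as a starting point for interviews, not as the inventory itself: unmarked CUI (a spreadsheet exported from a DoD portal, an email attachment) will not be caught by any marking scan, and a marked document that has been copied to a personal laptop will not be on the share you scanned.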

2. Gap Assessment

This needs to be done twice: once against the 110 NIST 800-171 requirements (which drive your SPRS score) and once against the 130 CMMC Level 3 practices (the same 110 plus 20 more) to identify where the company is and is not compliant. You’ll need to review your current policies, procedures and technical controls against each requirement, not just confirm that a policy document exists.

3. Plan of Action & Milestones (POAM)

A DoD-required project plan that outlines how you will fix your gaps. The POAM lists every open action item, its owner and its target date for achieving NIST or CMMC compliance. One caveat: under the CMMC model as it stood in 2021, an assessment did not allow open POAM items. Every practice at the target level had to be fully implemented at assessment time, so the POAM is the tool for getting there, not something you can hand the assessor in place of a control.

4. System Security Plan (SSP)

A detailed document describing how your systems protect CUI and what’s expected from employees. This needs to be done once for NIST 800-171 and then updated for CMMC. The SSP will list the in-scope systems, hardware and software, security measures, auditing processes, incident response procedures and more, and it is the document the assessor uses to decide what to examine.

5. Employee Training

This includes one-time and on-going training for employees. We set up our clients with one-time cybersecurity training, monthly cybersecurity training videos and quarterly phishing simulation exercises.

6. POAM Implementation

This is by far the longest part of the project. You’ll need to implement all of the IT and cybersecurity fixes required to address all identified gaps. You made the POAM, and now you need to follow through.

7. Evidence gathering

CMMC assessment requires detailed evidence to prove that your SSP is fully implemented: assessors examine artifacts (logs, screenshots, tickets, training records), interview staff and test controls, so written policies alone are not enough. We recommend having this evidence in place for 6 months before an audit.


How much will CMMC compliance cost?

This depends on how well you’ve stayed on top of IT and cybersecurity improvements. There are three components to a typical CMMC project:

● IT projects: Here’s a good rule of thumb -- review all of the IT and security recommendations you received from your IT firm over the last few years. That’s a pretty good estimate for what you’ll need to spend.

● Physical security projects: assume that your building will need to be locked down. The goal is to prevent casual snooping (either by insiders or outsiders) of CUI.

● Cybersecurity projects: this also depends on the current maturity of your organization. Very small CMMC companies may only need to spend a few thousand dollars to get started and then a few hundred dollars a month. Mid-sized companies are looking at tens of thousands of dollars, and large companies can expect hundreds of thousands of dollars.

As you can see by the numbers involved here, it’s important to have an early conversation to determine whether a CMMC project is worth it for your future business.


How to ensure a successful CMMC compliance project?

In our experience, the key to success is executive engagement on the client side. The organization is going to need to make a LOT of changes to pass an audit, and executive buy-in makes a world of difference.


How can Adelia Risk help with CMMC compliance?

Are you looking for help with CMMC Maturity Level 3?

Do you want to work with a firm where you get personal, expert attention?

Are you trying to figure out how to spend enough to be compliant without overspending?

If this sounds like you, we can help.

We've helped clients with cybersecurity since 2010 and with NIST 800-171/CMMC since 2017.

We offer a tried-and-true, repeatable process to find your gaps, build a plan, and work with you to get where you need to go.

Our CISO, Josh Ablett, is a CMMC-AB Registered Practitioner.

Schedule your free consultation or contact us via email.


Copyright 2021 Adelia Associates, LLC | All Rights Reserved