How To Achieve CMMC Certification

This post originally appeared in the PEAK IT Blog in February of 2021.

10 Steps to CMMC Certification for DoD Contractors

  1. Start by determining which CMMC Level is required for your business operations. This will define the scope of the project.
  2. Then inventory your IT environment, including network switches, servers, desktops, and software. Document where your data, contracts, and documents are stored, including the cloud.
  3. Do a CMMC gap analysis and develop a Plan of Action and Milestones (POA&M) and a System Security Plan (SSP). The POA&M should include budgetary estimates and timelines for each project and when you will achieve compliance.
  4. Implementation will include adopting policies and procedures that provide controls around cybersecurity best practices.
  5. Cybersecurity best practices include hardware and software configurations and standards for implementation.
  6. Engage a third party to conduct a network vulnerability scan and penetration test.
  7. Compliance includes assessing risk and mitigation plans.
  8. Implement a Security Awareness Training program for all staff and document the training.
  9. Advanced cybersecurity operations need to become part of your company culture and part of daily operations.
  10. Include cybersecurity operations in your ongoing quality improvement processes, such as Plan, Do, Check, Act or other programs.

Organizations that maintain Federal Contract Information (FCI) are required to certify at Level 1 or Level 2.

Organizations that hold Controlled Unclassified Information (CUI) are required to certify at Level 3. This requirement is being phased in over 5 years from 2021-2026 and will impact 300,000 sub-contractors.

Manufacturing companies located in Oregon, Washington, Idaho and Northern California may need to fast-track CMMC readiness for a Certification Audit to support DoD contract award requirements. If you have CUI and need to implement NIST 800-171 to achieve CMMC 2.0 L3 Certification and protect your business contracts, we can help. We start with a comprehensive Gap Assessment and develop a customized project plan that includes policies and procedures. Implementation will get you ready for your CMMC L3 Certification Audit and ongoing compliance. Contact us for a no-obligation discovery call.
