This post originally appeared in the PEAK IT Blog in February of 2021
10 Steps to CMMC Certification for DoD Contractors
- Start with determining which CMMC Level is required for your business operations. This will define the scope of the project.
- Then inventory your IT environment, including network switches, servers, desktops, and software. Document where your data, contracts, and documents are stored, including in the cloud.
- Do a CMMC gap analysis and develop a Plan of Action and Milestones (POA&M) and a System Security Plan (SSP). The POA&M should include budgetary estimates and timelines for each project and the date by which you will achieve compliance.
- Implementation will include adopting policies and procedures that provide controls around cybersecurity best practices.
- Cybersecurity best practices include hardware and software configurations and standards for implementation.
- Engage a third party to conduct a network vulnerability scan and penetration test.
- Compliance includes risk assessment and mitigation plans.
- Implement a Security Awareness Training program for all the staff and document training.
- Advanced cybersecurity operations need to become part of your company culture and of daily operations.
- Include cybersecurity operations in your ongoing quality improvement processes like Plan, Do, Check, Act or other programs.
Organizations that maintain Federal Contract Information (FCI) are required to certify at Level 1 or Level 2.
Organizations that handle Controlled Unclassified Information (CUI) are required to certify at Level 3. This requirement is being phased in over 5 years, from 2021 to 2026, and will affect 300,000 subcontractors.
Manufacturing companies located in Oregon, Washington, Idaho and Northern California may need to fast-track CMMC readiness for a Certification Audit to support DoD contract award requirements. If you have CUI and need to implement NIST 800-171 to achieve CMMC 2.0 L3 Certification and protect your business contracts, we can help. We start with a comprehensive Gap Assessment and develop a customized project plan, including policies and procedures. Implementation will get you ready for your CMMC L3 Certification Audit and ongoing compliance. Contact Us for a no-obligation discovery call.