Pathway to Achieving CMMC Compliance
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the newest update to the Department of Defense (DoD) mandated security framework for organizations seeking to provide services to the agency. Once fully rolled out, all DoD-contracting organizations must be compliant with the CMMC 2.0 Program, and those that are not may find themselves shut out of DoD business.
CMMC 2.0 was released in November 2021. The gist of the program is that an organization can get certified at one of three levels—from Level 1, Foundational, to Level 3, Expert. Each of the three levels has an increasing number of practices and processes that an organization must implement to be considered in compliance with that level.
Level 1 includes 17 essential practices designed to provide the foundation for a solid security program and allows organizations to perform annual self-assessments to attest to their implementation of the security practices.
Level 2 aligns with the 110 security practices of NIST 800-171. Organizations that store, process, and/or transmit critical national security information will be required to undergo triennial third-party assessments. Organizations that deal with less sensitive levels of Controlled Unclassified Information (CUI) will be allowed to do annual self-assessments.
Level 3 is reserved for those organizations that store, process, and/or transmit only the most sensitive national security information. This level implements the 110+ practices of NIST 800-172 and requires triennial, government-led assessments.
How Does My Organization Get CMMC 2.0 Certified?
The changes reflected in CMMC 2.0 will be implemented through the rule-making process. The final rule for 32 CFR was published on October 15, 2024, and became effective on December 16, 2024. [1] Companies will be required to comply once the forthcoming rules go into effect. [2] TalaTek recommends that interested organizations continue to check the CMMC website for the most current information about these rules and their effective dates.
Using NIST SP 800-171 to Prepare for CMMC 2.0
The CMMC 2.0 program aligns its baselines with NIST SP 800-171. A Level 2 CMMC 2.0 certification includes all 110 requirements from NIST 800-171, verbatim [3].
If your organization decides to focus on obtaining a Level 2 CMMC 2.0 certification, having TalaTek perform a NIST 800-171 gap analysis is a great starting point to determine if you are meeting the required practices.
TalaTek’s NIST 800-171 advisory services can accelerate your organization on the pathway to success. We can help you implement NIST 800-171 requirements, create the necessary documentation, and set your organization up for CMMC 2.0 compliance.
TalaTek provides you with the skills and roadmap necessary to expedite 800-171/CMMC 2.0 compliance while saving you the hassle, time, and cost of doing it yourself. We have more than 18 years of hands-on experience with multiple frameworks. By using our tried-and-tested project plans, templates, and scoping methodology strategies, your organization will obtain compliance on time and on budget, with no surprises.
Establishing your organization’s security boundary is a crucial early step that can help you prepare for the gap analysis process.
The TalaTek website has more information on all these services; see these data sheets for details:
NIST 800-171 gap analysis
NIST 800-171 advisory services
NIST 800-171 security boundary
References:
[1] Cybersecurity Maturity Model Certification (CMMC) Program
[2] Chief Information Officer, US Department of Defense CMMC Level 2 Assessments
NIST SP 800-171 Gap Analysis
TalaTek’s NIST SP 800-171 gap analysis is an in-depth review of your organization’s capabilities and practices, designed to provide you with assurance that you are meeting those requirements. It can also help you determine if your organization is ready to obtain Cybersecurity Maturity Model Certification (CMMC) 2.0.
NIST SP 800-171 Advisory Services
TalaTek provides you with the skills and roadmap necessary to expedite your 800-171 compliance. We have more than 16 years of hands-on experience with multiple frameworks. By using our tried-and-tested project plans, templates, and scoping methodology strategies, your organization will obtain compliance on time and on budget—with no surprises.

NIST SP 800-171 Security Boundary
The Terrible Truth: It is shockingly easy to waste time and resources on security. That’s why properly scoping your security boundary is critical to ensuring that your organization expends time and resources implementing the right requirements on the appropriate components within a well-defined boundary, not more and not less.




