Pathway to Achieving CMMC ComplianceWhat Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the newest Department of Defense (DoD) mandated security framework for organizations seeking to provide services to the agency. Once fully rolled out, all DoD-contracting organizations must be compliant with CMMC standards and those that are not may find themselves shut out of DoD business.
The CMMC v1.0 was released in late January 2020. The gist of the program is that an organization can get certified at one of five levels—from Level 1, Basic Cyber Hygiene, to Level 5, Advanced/Progressive. Each of the five levels has an increasing number of practices and processes that an organization must implement to be considered in compliance with that level.
To achieve certification, an organization will need to select a Level from 1–5 and have its certification validated by an independent assessor that will be known as a CMMC Third-Party Assessment Organization (C3PAO).
The CMMC release will be a phased rollout with all new DoD contracts containing a CMMC requirement by fiscal year 2026. Although this date is a few years off, TalaTek recommends organizations should start preparing now.
How Does My Organization Get CMMC Certified?
The short answer: You can’t. Currently, no independent auditors have been licensed/accredited to provide assessment services within the CMMC framework, although guidelines for auditors are in the works.
But just because there is currently no way to obtain a CMMC certification doesn’t mean your organization can’t start to prepare so you’ll be ready when it’s possible to apply for it.
Using NIST SP 800-171 to Prepare for CMMC
The CMMC program borrows heavily from NIST SP 800-171. A Level 3 CMMC certification includes all 110 requirements from NIST 800-171, verbatim. In addition, Level 3 includes 20 practices and 3 processes borrowed from other security frameworks (e.g., FAR Clause 52.204-21, NIST 800-53 Rev. 4, NIST CSF v1.1). Levels 4 and 5 include additional practices and processes that have been incorporated from those same security sources.
If your organization decides to focus on obtaining a Level 3 CMMC certification, having TalaTek perform a NIST 800-171 gap analysis is a great starting point to determine if you are meeting 110 out of the 130 required practices.
TalaTek’s NIST 800-171/CMMC Advisory Services can accelerate your organization on the pathway to success. We can help you implement NIST 800-171 requirements, create the necessary documentation, and set yourself up for CMMC compliance.
TalaTek provides you with the skills and roadmap necessary to expedite 800-171 compliance while saving you the hassle/effort or time and attention [cost] of doing it yourself. We have more than 16 years of hands-on experience with multiple frameworks. By using our tried-and-tested project plans, templates, and scoping methodology strategies, your organization will obtain compliance on time and on budget—with no surprises.
Establishing your organization’s security boundary is a crucial early step that can help you prepare for the gap analysis process. View PDF
Click on the links above to learn more about TalaTek’s NIST 800-171 gap analysis and advisory services.
NIST SP 800-171 Gap Analysis
TalaTek’s NIST SP 800-171 gap analysis is an in-depth review of your organization’s capabilities and practices, designed to provide you with assurance that you are meeting those requirements. It can also help you determine if your organization is ready to obtain Cybersecurity Maturity Model Certification (CMMC)..
NIST SP 800-171 Advisory Services
NIST SP 800-171 Security Boundary
The Terrible Truth: It is shockingly easy to waste time and resources on security. That’s why properly scoping your security boundary is critical to ensuring that your organization expends time and resources implementing the right requirements on the appropriate components within a well-defined boundary, not more and not less.