CMMC assessments


Let’s delve into the essentials of CMMC, which stands for Cybersecurity Maturity Model Certification. Developed by the Department of Defense (DoD), CMMC aims to safeguard the Pentagon’s supply chain and standardize compliance across the Defense Industrial Base (DIB). It builds upon the existing NIST 800-171 compliance framework established in 2017.

CMMC was initially introduced in July 2019 to replace the self-assessment model used by contractors with a unified certification process. In November 2021, CMMC 2.0 was announced to streamline and refine the original program requirements. It is anticipated that CMMC 2.0 will be enforced as law in 2025.

Certification Levels of CMMC

CMMC defines three certification levels:

  • Foundational (Level 1): Basic cyber hygiene practices to protect Federal Contract Information (FCI).
  • Advanced (Level 2): Intermediate safeguarding of Controlled Unclassified Information (CUI).
  • Expert (Level 3): Comprehensive protection of CUI, requiring a more mature and sophisticated cybersecurity program.

Contractors determine their CMMC level based on the sensitivity of the data they handle.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step by step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed, and compare those assessments to the CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST’s and CMMC’s, so you may be able to reuse large parts of your existing assessments.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between existing assessments and CMMC. You’ll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional data you’ll need to collect, or which processes you’ll have to undertake, to perform a CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a “formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.” You’ll want to have an SSP in place because it serves as the basis for authorization decisions, while also providing detailed information to support processes and activities in the system development lifecycle. Thus, the SSP serves as the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), which is the roadmap you plan to follow after creating your SSP. The POA&M defines a clear course of action and the goals you plan to meet, so that employees and stakeholders know their roles in maintaining and advancing compliance. Your POA&M should identify the tasks that need to be completed to secure your systems, the proposed remediations for each risk, and which employees will perform which tasks.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to allow you to pinpoint compliance risks to remediate, prioritize activities to fix vulnerabilities and determine the associated costs you’ll pay to become CMMC-certified. You can formulate the remediation plan yourself, or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You’ll need to update your plans continuously as your risks change. Changes to your vendors or supply chains may necessitate compliance changes, too. And you’ll want to monitor for risks on an ongoing basis so that you can remediate them immediately, rather than waiting until your next assessment to discover and address problems.
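As an added worked example (not text or code from the original page), the Python script below carries Steps 2 through 7 through on constructed data: it compares an SSP control inventory against a target requirement set, lists the gaps, turns them into a prioritized POA&M with owners and milestones, and recomputes coverage once a remediation is recorded. Every control identifier, description, weight, owner, milestone and scoring rule is a placeholder invented for this illustration, not a CMMC practice or NIST SP 800-171 text.

```python
"""Gap analysis -> POA&M -> remediation tracking (added illustration).

All control identifiers, descriptions, weights, owners and milestones below
are constructed placeholders, not CMMC or NIST SP 800-171 content.
"""
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Requirement:
    control_id: str   # placeholder ID, constructed for this example
    description: str
    weight: int       # constructed 1..5 impact score used for prioritisation


@dataclass(frozen=True)
class SSPEntry:
    control_id: str
    status: Status
    evidence: str = ""  # where the SSP points to proof (policy, config, log)


@dataclass(frozen=True)
class POAMItem:
    control_id: str
    weakness: str
    priority: int
    owner: str
    milestone: str


# Constructed requirement set for the target CMMC level (Step 2 input).
TARGET_REQUIREMENTS = [
    Requirement("AC-X1", "Limit system access to authorized users", 5),
    Requirement("AC-X2", "Control the flow of CUI within the system", 4),
    Requirement("IA-X1", "Identify and authenticate users and devices", 5),
    Requirement("MP-X1", "Sanitize media containing CUI before disposal", 3),
    Requirement("SC-X1", "Monitor and control communications at system boundaries", 4),
    Requirement("AT-X1", "Provide security awareness training", 2),
]

# Constructed SSP inventory carried over from earlier assessments (Step 4).
EXISTING_SSP = [
    SSPEntry("AC-X1", Status.IMPLEMENTED, "RBAC policy; quarterly access review"),
    SSPEntry("AC-X2", Status.PARTIAL, "data-flow diagram drafted; DLP not deployed"),
    SSPEntry("IA-X1", Status.IMPLEMENTED, "MFA enforced on all accounts"),
    SSPEntry("MP-X1", Status.NOT_IMPLEMENTED),
    SSPEntry("SC-X1", Status.PARTIAL, "firewall in place; egress not monitored"),
    # AT-X1 is absent from the SSP entirely: a gap the comparison must surface.
]

# Constructed owner assignment by control family prefix (Step 5: who does what).
OWNER_BY_FAMILY = {"AC": "IT operations", "IA": "IT operations",
                   "MP": "Facilities", "SC": "Network team", "AT": "HR"}


def gap_analysis(requirements, ssp):
    """Step 3: (requirement, current status) for each control not fully implemented.

    A control missing from the SSP counts as NOT_IMPLEMENTED rather than being
    skipped, so undocumented requirements cannot hide.
    """
    by_id = {entry.control_id: entry for entry in ssp}
    gaps = []
    for req in requirements:
        entry = by_id.get(req.control_id)
        status = entry.status if entry else Status.NOT_IMPLEMENTED
        if status is not Status.IMPLEMENTED:
            gaps.append((req, status))
    return gaps


def build_poam(gaps):
    """Steps 5-6: turn gaps into a prioritised POA&M with owners and milestones.

    Priority = impact weight x (2 if nothing is in place, 1 if partially done),
    a constructed scoring rule; the highest-priority item comes first.
    """
    items = []
    for req, status in gaps:
        penalty = 2 if status is Status.NOT_IMPLEMENTED else 1
        priority = req.weight * penalty
        family = req.control_id.split("-")[0]
        items.append(POAMItem(
            control_id=req.control_id,
            weakness=f"{req.description} ({status.value})",
            priority=priority,
            owner=OWNER_BY_FAMILY.get(family, "Security lead"),
            milestone="30 days" if priority >= 6 else "90 days",
        ))
    items.sort(key=lambda item: item.priority, reverse=True)  # stable sort
    return items


def coverage(requirements, ssp):
    """Share of target requirements fully implemented (Step 7 trend metric)."""
    gaps = gap_analysis(requirements, ssp)
    return (len(requirements) - len(gaps)) / len(requirements)


def record_remediation(ssp, control_id, evidence):
    """Step 7: update the SSP when a POA&M item closes; returns a new inventory."""
    updated = [e for e in ssp if e.control_id != control_id]
    updated.append(SSPEntry(control_id, Status.IMPLEMENTED, evidence))
    return updated


if __name__ == "__main__":
    for item in build_poam(gap_analysis(TARGET_REQUIREMENTS, EXISTING_SSP)):
        print(f"{item.priority:>2}  {item.control_id:6} {item.owner:14} "
              f"{item.milestone:8} {item.weakness}")
    print(f"coverage before: {coverage(TARGET_REQUIREMENTS, EXISTING_SSP):.0%}")
    after = record_remediation(EXISTING_SSP, "MP-X1", "sanitisation procedure + disposal log")
    print(f"coverage after:  {coverage(TARGET_REQUIREMENTS, after):.0%}")
```

The design point worth keeping from this toy is in gap_analysis: a requirement with no SSP entry at all is reported as a gap, not silently dropped, which is exactly the case an assessment built on an older NIST inventory tends to miss. The coverage figure gives Step 7 a number to track between assessments as SSP entries change.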