
What is CMMC Compliance and How Should You Get Started?

ABS Quality Evaluations

What is CMMC?

Cybersecurity isn’t just a buzzword anymore; it’s a way of life. Sadly, it's all too common to hear of identity theft and data compromise occurring on a daily, if not hourly, basis, whether the victims be acquaintances or large corporations. Information has not only become a hot commodity but a form of currency. Therefore, it goes without saying that cybercriminals will stop at nothing to get it. That means we must work vigilantly to stop them. When it comes to cybersecurity, if the "worm" in question is your information, you need to stay ahead of the "early bird."

CMMC Compliance: Protecting Critical Information

From personal account numbers to sensitive information created and processed in industry and the federal government, we all have an ongoing and vested interest in keeping our secrets safe. With that in mind, imagine all of the critical and private information created and used by our government and the consequences of failing to keep that information secure.

To that end, a new program, Cybersecurity Maturity Model Certification (CMMC), has been launched by the Department of Defense (DOD) to ensure contractors in the Defense Industrial Base (DIB) can adequately defend information assets against information security threats, vulnerabilities and bad actors. In essence, the job of CMMC is simple: protect critical information! Whatever label people attach to it ("military-grade security" is a common one), the goal is to protect our assets, keep information security controls operating during adverse situations or disasters, and prevent security breaches and data compromise.

So, how do you know if you have an effective security program? Follow the CMMC path to success. After demonstrating the efficacy of your security posture, you will receive CMMC certification.

Calling All Department of Defense Contractors

If you do business with the DOD, you are probably aware the CMMC program became a Defense Federal Acquisition Regulation Supplement (DFARS) requirement as of November 30, 2020, in concert with the “DFARS Interim Rule.” In simple terms, the CMMC program mandates cybersecurity requirements for companies that comprise the Defense Industrial Base (DIB). The intent of the program is to bolster the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The DOD considers the CMMC program a vital component of its response to the ever-increasing barrage of cybersecurity threats. Under CMMC 2.0 the assessment regime depends on the level: Level 1 (FCI only) is an annual self-assessment; Level 2 (CUI) requires a third-party assessment by an authorized C3PAO for most contracts, with self-assessment permitted for a subset of programs; Level 3, for companies storing, processing or using the most sensitive information, adds a government assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on top of the Level 2 certification.

Why You Need to Be an "Early Adopter" of CMMC 

Regardless of the CMMC level to which you certify, this is a laborious and time-intensive process. We recommend you start now and become an “Early Adopter.” There are several reasons we recommend you get a head start:

  • The process of defining scope takes time. You'll have to answer several questions, including: "Do I have FCI or CUI? Where is it stored or processed? Is it located in email, file stores or both?" Every system that stores, processes or transmits that information, and every system that provides security for those systems, is in scope.
  • The process of implementing security controls takes time and resources. In some cases, you may need to:
    • Plan capital expenditures over a period of years.
    • Secure the right expertise to ensure the security controls you rely on are implemented correctly.
  • Most companies in the Defense Industrial Base (DIB) will require some form of certification or self-attestation, so there will be stiff competition for the limited pool of reliable and trustworthy assessors and consultants. The line will be long; it's not a good idea to wait.
  • Avoid lost revenue. DOD suppliers that cannot demonstrate compliance with the CMMC level a contract requires risk losing that award, which could be financially destructive to smaller companies.

Think about it: getting the five-ton elephant off your chest will set you at ease and put you ahead of your peers in the competition for new solicitations.

How Should You Get Started? Establish Your CMMC Compliance Timeline. 

As a maturity model, CMMC allows companies to start with the controls they have in place and build more robust programs by adding more controls and processes. Managing your timeline during this ongoing process will be key to your success as you compete for DOD contracts in the future. 

  1. Nail down what information you have. Start by determining the appropriate CMMC level: Level 1 applies when you handle only FCI; any CUI in scope means Level 2 at minimum. Don't short-change yourself. You may only need Level 1 compliance now, but two years down the road, you may win a contract requiring Level 2 compliance via a third-party assessment.
  2. Conduct a gap assessment to define your current security posture.
  3. Create a System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
  4. Calculate your NIST SP 800-171 DoD Assessment score (the 110-point score defined by the DoD Assessment Methodology) and enter or update it in the Supplier Performance Risk System (SPRS).
  5. Implement necessary security controls, policies, processes and procedures.
  6. Conduct a follow-up self-assessment and update your score in SPRS.
  7. Undergo a CMMC Assessment with a CMMC Certified Third Party Assessor Organization (C3PAO).
  8. Address your security findings.
  9. Receive your CMMC certification. The C3PAO will submit your assessment results to the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB, since renamed The Cyber AB).
  10. Stay informed and updated regarding all CMMC program updates.
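Steps 4 and 6 above both turn on the same number: the NIST SP 800-171 DoD Assessment score that goes into SPRS. The scoring rules are short enough to encode, and doing so makes the self-assessment repeatable and shows which POA&M items are worth the most score. The script below is an added example, not code from ABS Quality Evaluations or the DOD. It implements the published rules (start at 110, subtract each unimplemented requirement's weight of 5, 3 or 1, partial credit of 3 points for 3.5.3 and 3.13.11, and no score at all without a System Security Plan). The REQUIREMENT_WEIGHTS table is a constructed ten-requirement subset; the `Finding`, `assessment_score` and `poam_items` names are this example's own, and the weights should be verified against the current methodology annex before use.

```python
"""Added example: NIST SP 800-171 DoD Assessment score calculator for SPRS.

Not code from ABS-QE or the DOD. Scoring rules follow the DoD Assessment
Methodology; REQUIREMENT_WEIGHTS is a constructed subset of the 110
requirements (verify each weight against the methodology annex).
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # all requirements implemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"  # only defined for 3.5.3 (MFA) and 3.13.11 (FIPS crypto)
    NOT_IMPLEMENTED = "not_implemented"


# Constructed subset: requirement id -> points deducted when not implemented.
REQUIREMENT_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.4.1": 5, "3.5.3": 5, "3.5.7": 1, "3.8.3": 5, "3.13.11": 5,
}

# Partial credit: MFA on remote/privileged but not general users, or
# encryption in use but not FIPS-validated, deducts 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: Status


def deduction(finding: Finding) -> int:
    """Points lost for one finding under the methodology's weighting."""
    if finding.requirement not in REQUIREMENT_WEIGHTS:
        raise KeyError(f"unknown requirement {finding.requirement}")
    if finding.status is Status.IMPLEMENTED:
        return 0
    if finding.status is Status.PARTIAL:
        if finding.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"no partial credit defined for {finding.requirement}")
        return PARTIAL_CREDIT[finding.requirement]
    return REQUIREMENT_WEIGHTS[finding.requirement]


def assessment_score(findings, has_ssp: bool = True):
    """Return the SPRS score, or None when no SSP exists (not assessable).

    Every requirement in the weight table must have exactly one finding,
    mirroring the rule that all 110 requirements are assessed.
    """
    if not has_ssp:
        return None
    seen = set()
    for f in findings:
        if f.requirement in seen:
            raise ValueError(f"duplicate finding for {f.requirement}")
        seen.add(f.requirement)
    missing = set(REQUIREMENT_WEIGHTS) - seen
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_items(findings):
    """Open findings for the POA&M, largest score recovery first."""
    open_items = [f for f in findings if f.status is not Status.IMPLEMENTED]
    return sorted(open_items, key=deduction, reverse=True)


# Constructed sample self-assessment: MFA partially deployed, no FIPS
# validation on the VPN, external-connection controls not yet in place.
SAMPLE_FINDINGS = [
    Finding("3.1.1", Status.IMPLEMENTED),
    Finding("3.1.2", Status.IMPLEMENTED),
    Finding("3.1.20", Status.NOT_IMPLEMENTED),
    Finding("3.1.22", Status.IMPLEMENTED),
    Finding("3.3.1", Status.IMPLEMENTED),
    Finding("3.4.1", Status.IMPLEMENTED),
    Finding("3.5.3", Status.PARTIAL),
    Finding("3.5.7", Status.IMPLEMENTED),
    Finding("3.8.3", Status.IMPLEMENTED),
    Finding("3.13.11", Status.NOT_IMPLEMENTED),
]

if __name__ == "__main__":
    print("SPRS score:", assessment_score(SAMPLE_FINDINGS))
    for f in poam_items(SAMPLE_FINDINGS):
        print(f"POA&M {f.requirement}: -{deduction(f)} ({f.status.value})")
```

On the constructed sample the score is 101 (110 minus 1 for 3.1.20, 3 for the partial MFA credit and 5 for the non-FIPS encryption), and the POA&M list comes out ordered 3.13.11, 3.5.3, 3.1.20, which is also the order in which closing the gaps recovers the most score. Run it again after each remediation cycle (step 6) and the output is the number to update in SPRS.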

ABS Quality Evaluations: Your CMMC Experts

ABS Quality Evaluations (ABS-QE), a C3PAO candidate, is ready to conduct your CMMC assessment. As a Licensed Training Provider (LTP), we stand ready to provide guidance and mentoring to help you implement a cybersecurity program targeting the achievement of your certification.

Our services include Consulting (ABS Group), Training, Self-Assessments, Gap Assessments, ISO/IEC 27001, ISO/IEC 20000-1 and ISO 9001 certification. 
