Achieving CMMC standard compliance
Organizations that seek to achieve CMMC compliance typically follow a phased approach, which includes:
- Understanding the scope. The first step in a CMMC compliance journey is understanding the type of CUI and FCI the organization handles, as well as all of the locations, assets (systems), and personnel that store or access CUI/FCI data and would therefore be considered in scope for a certification.
- Considering CMMC architecture and strategy. If access to CUI/FCI data is not a pervasive requirement within the organization, the organization can create a strategy to segregate the CMMC-related data in order to minimize the scope for the review and certification process.
- Performing a self-assessment. Many organizations prefer to perform a precertification gap analysis, particularly if they are targeting Level 3 maturity or higher. This self-assessment can provide an understanding of the gaps that will need to be remediated in order to achieve the desired level of certification.
- Closing the gaps. Depending on the number and complexity of the gaps noted in the initial assessment, organizations should develop a plan of action to address the identified gaps prior to pursuing certification. Timelines for remediation will vary depending on the nature of the gaps identified as well as on resources available to assist.
- Taking the official test. Once all gaps are remediated, the organization is ready for the certification assessment. The CMMC-AB Marketplace includes an inventory of the firms that are approved to perform a CMMC certification assessment.
The future of the CMMC standard
Currently, details regarding the CMMC standard are still being finalized, including the designation of registered provider organizations and C3PAOs in the CMMC-AB Marketplace. Reportedly, the DoD is planning to issue only 15 contracts this year that will require any level of CMMC certification.
The DIB consists of hundreds of thousands of organizations that will require some level of certification over the next five years. Some of those institutions might end up needing multiple certifications for different networks, systems, or segments. As such, many more accredited assessors who are capable of evaluating organizational practices against the CMMC standards will be needed.
It’s unclear if and when the CMMC will expand to additional entities, but certified assessors who can assist with the CMMC program are in high demand. While these details are being finalized, it’s important that organizations that will need to be CMMC compliant in the future take the opportunity now to perform assessments in order to be prepared for certification.