CMMC 2.0, an evolution of the NIST 800-171 framework, introduces more challenging controls, official certification requirements, and higher stakes for organizations required to comply. And with impending updates to the framework and a go-live date nearing, businesses need to understand how to work toward compliance and what internal changes they should expect.
The Apptega Cybersecurity Podcast sat down with David Endicott, risk assessor and CMMC expert at Cyber74, to walk step-by-step through the hurdles federal contractors need to clear to get and, importantly, stay certified under the DoD's forthcoming regulations.
A Lengthy Process Needs the Right Partner
It’s never too early – or, with CMMC potentially landing as soon as next year, too late – to begin working towards compliance, because it is often a lengthy process. The first step, a gap assessment, typically takes 60-90 days and culminates in a system security plan (SSP). According to Endicott, the average timeline to full compliance is 12-18 months, depending on the client's resources, personnel, and starting point.
While technical implementation is often necessary, the most time-consuming aspect of certification lies in developing and adopting policies and procedures.
Most companies do not have employees with the necessary expertise or framework experience to navigate the CMMC certification process alone, making it crucial to find a reliable Registered Provider Organization (RPO) to assist throughout the journey.
When looking for a qualified RPO to help you through the certification process, it’s important to keep the following in mind:
- Seek someone with experience in CMMC or other complex, highly regulated frameworks.
- Avoid those who treat it as a project with fixed timelines and costs. Instead, focus on building a sustainable program.
- Look for RPOs who understand the process of aligning businesses with security control infrastructures.
- Ensure they emphasize the long-term commitment and provide a platform to maintain compliance over time.
- Accept that adapting business processes to fit the framework is necessary.
A Catalyst for Meaningful Change
While many companies view CMMC as a necessary evil, few recognize its potential to transform business processes in a meaningful way and to act as a significant revenue catalyst.
CMMC certification is not a one-and-done process: recertification is required every three years. Maintaining compliance between audits means fulfilling the ongoing maintenance requirements embedded within the CMMC controls, particularly their rigorous documentation standards. Every action, from malware removal to platform changes and additions, must be carefully documented.
As Endicott suggests, CMMC certification is more than a mere project – it is an ongoing program that demands continuous effort, dedication, and adaptability. Failing to obtain and maintain CMMC compliance puts both contracts and businesses at significant risk. By embracing CMMC as an opportunity for positive change, businesses can get and stay ahead of upcoming regulatory changes.