What is CMMC? The CMMC proposed rule will require any contractor working within the Defense Industrial Base (DIB) that handles controlled unclassified information (CUI) to undergo a third-party assessment to ensure certain security measures are taken to stop sensitive data from falling into the wrong hands. The CMMC model consists of three "maturity levels" that build upon the previous one with NIST SP 800-171 being its foundation.
The CMMC program is intended to be implemented in four phases:
The CMMC Final Rule becomes effective on December 16, 2024, at which point C3PAO assessments can begin. This rule empowers the DoD to incorporate CMMC into contracts once the 48 CFR Acquisition Rule is finalized, expected in early 2025. Contractors must be ready to demonstrate CMMC compliance starting from Q1 2025.
CMMC Timeline
.png?width=600&height=267&name=CMMC%20Timeline%20(1800%20x%20800%20px).png)
While many may be tempted to think that CMMC is still several years away from full implementation, that doesn't mean organizations should wait to pursue compliance. As a reminder, the CMMC rule is the DoD's way of assessing compliance to the controls outline in NIST 800-171 framework contractors have been required to adhere to since 2017.
Getting Started
Every organization has to start somewhere, and contractors that are just beginning their journey to CMMC compliance have a long road ahead of them. Begin by scoping out your organization.
- Where does CUI currently exist?
- Who is responsible for creating or storing CUI?
- What practices do you already have in place to protect sensitive data?
Your organization should then conduct a gap assessment to determine where your vulnerabilities lie and what remediation needs to be done. Ensure that you are documenting all of your processes by creating a Plan of action and milestones (POAM) and a Systems Security Plan (SSP). These will be required documents for your audit. Begin remediation and implement the required controls for your organization's maturity level. Many contractors will seek out help from a certified MSP like
CorpInfoTech!
For a more detailed CMMC Compliance Checklist, click here!
CorpInfoTech - A Trusted MSP
Partnering with an externally verified MSP is crucial for contractors seeking help in achieving and maintaining CMMC compliance. While many MSPs are able to claim that they are certified via a "self-assessment", their processes will still be in scope of your organizations audit. This means that if your service provider fails to comply with CMMC standards, you will be left facing the consequences.
CorpInfoTech passed our CMMC Level 2 Assessment with perfect 110 score. We are among the first MSPs to pass our CMMC Level 2 Assessment.. By partnering with CorpInfoTech, your organization will automatically inherit 200+ out of the 320 objectives required by CMMC. These controls come pre-certified and will reduce implementation time and provide greater assurance in your ability to pass a third-party audit.
CorpInfoTech passed our CMMC Level 2 Assessment with perfect 110 score. We are among the first MSPs to pass our CMMC Level 2 Assessment.
