With updates and information about the Cybersecurity Maturity Model Certification (CMMC) constantly coming out, it can be difficult to understand where to start. Bravo is committed to helping organizations achieve compliance and providing a break down of the general CMMC timeline.
Why is CMMC Important?
The purpose of the Cybersecurity Maturity Model Certification (CMMC) is to protect United States national security. This is accomplished by protecting federal contract information (FCI) and controlled unclassified information (CUI). In doing so, prime contractors and subcontractors who provide to the Department of Defense (DoD) must assess their cybersecurity posture to ensure security. The CMMC model closely follows some National Institute of Standards and Technology (NIST) requirements as well as Federal Acquisition Regulation (FAR) 52.204-21, which are both already required for many.
Not only is CMMC important for national security, but it is also pushing organizations to be more aware of their cybersecurity posture in general. Any organization is at risk of a cyber attack, so implementing CMMC brings us one step closer to overcoming threats. Every organization working with the DoD will need to achieve CMMC Level 1 at minimum.
When Will CMMC Be Required?
The recent release of CMMC 2.0 in November 2021 has given organizations a better idea of the CMMC timeline. CMMC 2.0 is still in the early stages. As of November, rulemaking will take between 9-24 months. This means that until the rulemaking process is complete, no contracts will require CMMC from contractors or subcontractors. Current contracts will not be affected, but once CMMC is in place, new contracts and renewals will require certification. At this time, having the certification completed is voluntary.
At the moment, the DoD is planning on a five-year phase-in period, beginning January 1, 2026. No matter when CMMC officially rolls out, Level 1 certification will be required for all defense industrial base (DIB) organizations by this time. Currently, the DoD is considering a timeline for achieving certification once contracts are awarded. In the case that an organization does not meet the requirements of the CMMC level at the time a contract is awarded, the DoD will allow a 180-day timeline for Plans of Actions and Milestones (POA&M) to be resolved.
A Guided Roadmap to CMMC
Ultimately, your timeline depends on what level of compliance you are required to achieve, your status with NIST implementation, and the scope/size of your organization. Use this CMMC timeline to keep your organization on track and on task.
Step 1. Consult an Expert
The first step to a successful CMMC journey is to consult an expert, like Bravo. Registered Provider Organizations (RPOs) who specialize in CMMC compliance solutions will guide you through the process and implement remediation where necessary. This can be much more time- and cost-effective than achieving CMMC compliance in-house.
Step 2. Establish a CMMC Team
Pull a task force of employees together to ensure proper time is focused solely on your CMMC journey. While creating a task force, make sure these employees have enough resources to be successful. This might include dedicating extra talent, time, budget, and technology.
Step 3. Identify CMMC Level
Determine what contracts your organization desires. Next, review what level of CMMC those contracts are going to require. Something else to consider is where your organization might be in the future and what contracts you might want to attain.
Step 4. Scope Your Environment
When scoping, it is essential to see where all the FCI and/or CUI you possess is stored. It is also important to determine what people have access to this information. From here, your organization can determine whether to bring everything up to standard or just the specific people and areas FCI and/or CUI is stored.
Step 5. Gap Analysis and Remediation
The next step is to complete a Gap Assessment to understand what needs improvement. If your organization is already NIST and/or DFARS compliant, or is working towards it, you are likely to be in good standing already. The new CMMC model builds off these mandates. The CMMC/NIST Assessment, System Security Plan (SSP), Plan of Actions & Milestones (POAM), and Supplier Performance Risk System (SPRS) score is estimated to take around four to six weeks.
Once the Gap Assessment is completed, your organization will work to remedy any known issues that must be addressed before certification can be awarded. Full remediation can take 10+ weeks depending on the size of an organization and the number of gaps/issues.
Step 6. Create SSP (System Security Plan)
An SSP is a required document to achieve certification. It will be used by an organization to prove the proper security measures are in place to protect FCI and/or CUI and how they will be implemented. The SSP will be used and updated over time, so be sure it is up to standards and suitable for changes. What might be included in your SSP?
- The FCI/CUI your organization handles and why you handle it
- How you store, process, and transmit FCI/CUI
- All the measures in place to protect FCI/CUI
- Any known gaps from gap assessment
- Plans of Actions & Milestones (POA&M) to remedy those gaps
Step 7. Choose C3PAO and Get Certified
If you are aiming for Level 2 certification, you’ll have to choose a Certified Third-Party Assessor Organization (C3PAO) to audit the organization. A list of all C3PAO organizations can be found on the CMMC-AB Marketplace website. For organizations requiring Level 3 certification, you will have to go through a government-led assessment. The audit will consist of reviewing an organization’s SSP and ensuring the proper controls are in place. Any current POA&Ms will also be reviewed, and there is a possibility that new, time-restricted ones can be created.
Choosing Bravo For Your CMMC Needs
Bravo Consulting Group is a Registered Provider Organization (RPO). Over our 14+ years of business, we have accumulated extensive experience helping government agencies achieve compliance. No matter what your CMMC needs are, Bravo has your back every step of the way. We are here to make CMMC easy!
Check out our CMMC 2.0: What You Need to Know blog for more information on the new update. To get any common CMMC questions answered, read our recent Common Questions blog.
If you have any additional questions or are ready to start your CMMC journey, fill out the form below to talk to one of our CMMC experts!