How to Prepare for a CMMC 2.0 Assessment
Of course, everyone is now talking about CMMC 2.0 and what it means to become compliant. With the final rule published, it has never been more urgent to start the compliance journey you need to keep earning the DoD contracts that your business relies on. There are a lot of steps involved in the compliance journey, but the most important part is the assessment.
The assessment is, hopefully, the last step in the process to certification. It can take months, maybe even a year, to get to that point, and with the new CMMC 2.0 rules, finding a third-party review entity may also be a challenge, as you’ll have to wait in line to get that done, too.
What do you need to do to prepare for your assessment? More importantly, what do you need to do to prepare and pass your assessment? Let’s dive into that here.
How to Know if CMMC Applies to You:
- Check your contracts for DFARS clauses: Look for DFARS 252.204-7012, 252.204-7019, 252.204-7020, or 252.204-7021. If you see these, your business is required to meet CMMC standards.
- Determine your CMMC maturity level:
  - If you handle Federal Contract Information (FCI), you’ll need to meet Level 1.
  - If you handle Controlled Unclassified Information (CUI), Level 2 or higher is required.
- Consult with your contracting officer: Still unsure? Reach out to your DoD contracting officer for clarity.
If you find that your contracts have those clauses, then you do need to achieve compliance. Not doing so could cause your business to lose existing contracts, and to be unable to land new DoD contracts. Plus, if you misrepresent your self-assessment score, you will be in violation of the False Claims Act, which comes with heavy fines and penalties.
So, you need to take this seriously, especially if your business relies on DoD contracts.
Is CMMC Compliance Right for Your Business? Key Questions to Consider
Now that you’ve identified whether your contracts include the relevant DFARS clauses, it’s time to evaluate if pursuing CMMC compliance is the best decision for your business. Here are some critical questions to help you assess the potential impact and worth of becoming CMMC certified:
- Do you have or anticipate having controlled unclassified information (CUI)? CMMC Level 2 is designed to protect CUI, so if your business deals with this type of information, compliance is non-negotiable.
- How much of your revenue depends on DoD contracts? If a significant portion of your business comes from DoD contracts, compliance is crucial for maintaining your revenue stream. If DoD contracts are a smaller piece of your business, you may decide that the cost of certification isn’t justified.
- Does the return on investment (ROI) justify the cost of certification? Achieving CMMC certification requires time, money, and resources. Consider whether the ROI from current or future DoD contracts justifies the expense and effort required for certification.
- Will your competitors comply, or will they opt out? Assess your competitors’ strategies. If they plan to comply, they could gain a competitive edge by securing DoD contracts that might otherwise go to you. If they’re opting out, there may be less competition in this space, opening up opportunities for your business.
Asking these questions can help you weigh the costs and benefits of pursuing CMMC compliance and decide if it’s the right path for your business.
Your Must-Haves and To-Do List for CMMC Compliance
After doing your internal research and asking the tough questions, you’re ready to move forward with CMMC compliance. This checklist will help guide you through the essential steps to prepare for your assessment.
- Consult with your Prime or Contracting Officer
Check with your Prime Contractor or Contracting Officer to clarify key details, such as the relevant DFARS clauses, the number of DoD contracts you hold, and any upcoming projects tied to the DoD.
- Determine your current compliance status with NIST 800-171r2
If you already have DoD contracts, you should be compliant with NIST 800-171. Review your current compliance status and compare it to the latest requirements to see where you stand—you might be closer to compliance than you think.
- Conduct a NIST 800-171r2 Self-Assessment
Identify any gaps in your current cybersecurity posture through a self-assessment. This will reveal areas where you need to improve to meet CMMC standards.
- Develop Plans of Action and Milestones (POA&Ms)
Break down the steps needed to close each compliance gap. A well-structured POA&M will help keep your CMMC efforts on track and moving forward.
- Develop a System Security Plan (SSP)
Document your System Security Plan, taking inventory of your CUI data flow, individuals, systems, and software. Identify the security measures already in place. Assign responsibilities to team members and train them as necessary on these systems.
- Calculate Your NIST Score and Submit to SPRS
Calculate your current NIST SP 800-171 r2 score based on your self-assessment and in accordance with NIST SP 800-171A (the assessment guide). Submit this score to the Supplier Performance Risk System (SPRS). This will provide a clear view of any remaining gaps.
- Submit to Contracting Agency
Once you’ve addressed your compliance gaps, schedule a third-party assessment with an accredited C3PAO (CMMC Third Party Assessment Organization). They will conduct your formal assessment and submit the results to the DoD.
Key Factors and Timelines for CMMC Compliance Completion
Here are some important things to keep in mind. These key factors and timelines will give you a good idea of how soon you need to start getting CMMC 2.0 compliant. These include:
- It can take 6-18+ months to fully implement CMMC compliance.
- It may take up to 120 hours to develop security program documentation.
- Compliance requires executive sign-off; it is not just an IT project.
- Take time to fully understand what auditors are looking for. They want to see socialization and evidence of maturity and sustainment!
- CMMC maturity level 2 compliance will require all 110 NIST SP 800-171 controls to be implemented.
- Assess your third-party IT/cloud providers for readiness (FedRAMP Moderate or FedRAMP Moderate Equivalent).
- CMMC audits are pass/fail—plan carefully to avoid mistakes.
- With 40+ C3PAOs approved, scheduling delays are possible, so plan ahead to avoid being at the back of the line.
Some CMMC 2.0 Assessment Things to Avoid
Since the assessments are pass/fail, you don’t want to waste time having to do them multiple times. So, make sure you avoid these mistakes and be prepared.
- Incomplete Documentation: No documentation means no assessment. Ensure all required materials are fully prepared and organized in advance.
- Only allowable POA&Ms: Only certain controls may remain unimplemented (and carried on a POA&M) when the assessors come onsite. Make sure your self-assessment is complete.
- Last-Minute Audit Preparation: Don’t scramble at the last minute. Confirm your audit readiness well before the assessment to avoid a “fire drill” scenario.
Conclusion: Preparation is Key to CMMC 2.0 Compliance
With CMMC 2.0 quickly approaching and set to impact businesses in the Defense Industrial Base (DIB), time is of the essence. However, rushing into compliance without proper planning can cause more harm than good. It’s crucial to fully understand the process, carefully plan your approach, and ensure you’re fully prepared before scheduling your assessment.
Fortunately, Exostar has the CMMC Ready Suite which provides you with tools you need to become compliant through every step of the process. Learn more about it and then reach out to us for a demo and to discuss how our solution can help you achieve CMMC 2.0 compliance.