
A New CMMC Compliance Checklist


The Cybersecurity Maturity Model Certification (CMMC) has become a critical framework for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) aiming to work with the U.S. Department of Defense (DoD) and its affiliates. With the upcoming mandate requiring CMMC compliance by October 1, 2026, it’s imperative for organizations in this sector to understand and implement the necessary steps to achieve certification. This blog will guide you through the process of achieving CMMC compliance. It breaks down the critical steps and provides a useful checklist to ensure your organization stays on track.

What is the timeline and target date for CMMC 2.0 implementation?

  • November 2019—CMMC announced.

  • September 2020—CMMC 1.0 program initiated.

  • November 2021—CMMC 2.0 announced.

  • December 26, 2023—proposed rule codifies CMMC 2.0 with adjustments.

  • February 26, 2024—60-day comment period on the proposed rule ends.

After receiving final comments, the DoD will roll out CMMC in four phases over 2.5 years. CMMC requirements are expected to begin appearing in contracts by early 2025. However, companies should not delay their CMMC implementation plans. The foundational standard for CMMC, NIST 800-171, is already required today.

1. Understanding and Implementing Security Processes 

Begin with establishing robust information security processes. Developing a system security plan and conducting self-assessments against the NIST 800-171 standards are foundational steps. These assessments help identify your current cybersecurity posture and form the basis for improvements.

2. Continuous Improvement and Submission 

Improvement is a continuous journey. After assessing your security processes, create an action plan to address any gaps, aiming for a maximum score of 110. Submitting this score to the DoD’s Supplier Performance Risk System (SPRS) is crucial for moving forward in the compliance process.

3. Scope Identification 

Identify the specific scope within your organization that requires compliance. This could range from the entire enterprise to specific units or programs, depending on the nature of your DoD interactions.

4. Preliminary Gap Analysis 

Although optional, a preliminary gap assessment is advisable. It provides a clear view of where your security measures stand against CMMC requirements and helps pinpoint areas for improvement.

5. Choosing a C3PAO 

Selecting a CMMC Third Party Assessor Organization (C3PAO) is a key step. A C3PAO will conduct the formal assessment of your cybersecurity practices against CMMC standards.

6. Undergoing the CMMC Assessment 

The assessment process is thorough, covering pre-assessment planning, the assessment itself, and post-assessment activities, including quality assurance reviews and any necessary remediation to meet CMMC standards. The DoD has also published new information regarding these assessments. Findings can automate this assessment journey for you, simplifying the process.

7. Achieving Certification 

Upon successful assessment and remediation (if required), your organization will receive its CMMC certification, valid for three years, signifying compliance and eligibility to work within the DoD supply chain.

Levels of CMMC Compliance 

CMMC outlines three levels of certification, each with its own set of requirements:

  • Level 1 (Foundational): Involves basic cybersecurity controls for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

  • Level 2 (Advanced): Requires adherence to 110 controls for protecting information critical to national security.

  • Level 3 (Expert): Demands compliance with additional controls for top-tier cybersecurity resilience and is assessed via government-led reviews.

CMMC Compliance Checklist: 

A comprehensive checklist can streamline your path to compliance. It includes:

  • Determining your required CMMC level based on the data you handle.

  • Designating a compliance leader within your organization.

  • Limiting the scope of CUI to essential areas and personnel.

  • Selecting technologies that meet CMMC’s stringent security requirements.

  • Developing a detailed System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

  • Performing a self-assessment against NIST 800-171A standards.

  • Addressing any identified security gaps.

  • Optionally, seeking a final review from an RPO or C3PAO before the formal assessment.

Making CMMC Compliance Manageable 

Transitioning to CMMC compliance might seem daunting, but leveraging existing frameworks and certifications that align with CMMC can simplify the process. Incorporating practices from the NIST Cybersecurity Framework (NIST CSF) and other recognized standards can facilitate a smoother certification journey.

Securing Trust

Achieving CMMC compliance is not just about fulfilling a regulatory requirement; it’s about demonstrating your commitment to cybersecurity resilience. By following these steps and utilizing the provided checklist, MSPs and MSSPs can navigate the path to compliance confidently. This effort will not only prepare your organization for the mandatory compliance deadline but also position it as a trusted partner in the defense supply chain, ready to tackle the cybersecurity challenges of today and tomorrow. For more information about CMMC, check out our blog about why CMMC will be good for your business.
