John Verry -
Lean on Our Proven Process to Achieve CMMC Certification
- Project Kickoff
- Getting out of the gate right is critical to your project's success. At the Project Kickoff Meeting you will meet your team, reconfirm objectives (e.g., your timeline, your goals), iron out logistics, initiate data requests, and schedule the work effort.
- CMMC Scoping and Control Maturity Assessment
- It can be a challenge to understand where CUI controls are required, and which systems need to be protected. To simplify this challenge, we review relevant artifacts (e.g., existing policies, network diagrams) and conduct scoping interviews to ensure we understand how CUI flows to, within, and from your organization. At the same time, we are also garnering an understanding of other information security requirements, known risks, and the maturity of your CMMC relevant controls. This is essential to establishing the scope of your CMMC System Security Plan (SSP).
- Risk Assessment → Risk Treatment Plan
- A Risk Assessment is a foundational element to a cybersecurity program as it establishes which, and to what magnitude, information security controls need to be implemented. Establishing a repeatable methodology for conducting a Risk Assessment, no less than annually, is a CMMC requirement. Integrating the results from the Control Maturity Assessment, we are able to identify your control implementation gaps that are leaving you at an "unacceptable" level of risk and craft a Risk Treatment Plan (RTP) to move you to your target state.
- Develop System Security Plan (SSP)
- CMMC requires that you develop an SSP that "provides an overview of the security requirements of the system, describes the controls in place for meeting those requirements, and delineates responsibilities and expected behavior of all individuals who access the system." As we execute your risk treatment plan, we will be doing so in a manner that directly supports the development of your SSP.
- "Soak" the Environment
- A CMMC CA-3 (Certified Assessor) will be looking for 2 forms of objective evidence that each of the 130 practices and 51 processes is operated in a "persistent and habitual" manner. So, operating the System Security Plan for ~ 6 months to ensure you have that evidence available is a key step in the prep process.
- CMMC Information Security Management System Internal Assessment
- Ensuring you have what you need for a successful CMMC certification formal assessment is best done by validating your readiness via a CISMS assessment. During the "audit" we will employ a CA-3 or a Provisional Assessor on our team that was not part of the consulting process to conduct a readiness assessment to the same standard as your C3PAO will. Wherever possible, we will ensure the same evidence we used to validate compliance will be leveraged by the C3PAO in their assessment. As necessary, PPS will provide Plans of Actions and Milestones (POAMs) to drive closure from your CISMS internal assessment to ensure your certification assessment is a success.
- Once your cybersecurity program is implemented, documented, routinely performed, and at a managed state, your program is CMMC L3 security assessment ready. PPS will provide support during your assessment to minimize the likelihood that the assessment will result in any "NOT MET" assessment findings. As necessary, PPS will provide Plans of Actions and Milestones (POAMs) to drive closure from the formal assessment and ensure you achieve your target CMMC Level.
- Govern and Evolve (part of our Partner, Turnkey, and Maintain service offerings)
- We will celebrate our mutual success -- but then it's back to work. Your SSP defines what we need to do to remain CMMC compliant. Further, new contracts, updates to the CMMC, new technology, emerging threats, etc. all necessitate we evolve your cybersecurity program to stay ahead of the bad guys... lumping the CMMC assessors into that category for now :>).