The Cybersecurity Maturity Model Certification, better known as CMMC, is now in version 2 (CMMC 2.0). This framework is meant to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). There are three levels of certification: Levels 1, 2 and 3. Most small to mid-sized organizations, depending upon the data they handle, will likely require Level 1 or Level 2 certification. CMMC is more than just implementing certain technical tools or software packages. It is truly a comprehensive framework that requires new processes, detailed documentation and a true understanding of how the target organization processes FCI and CUI.
If you are currently working with an MSP (Managed Service Provider) or general IT provider, but they are not aware of the requirements for CMMC compliance, we can act in an advisory role, providing process and documentation expertise. If you need technical assistance in addition to process and documentation services, SDG can help here as well.
Below are the CMMC services we offer:
Assessment & Gap Analysis
- Evaluate current cybersecurity posture against CMMC 2.0 requirements and identify gaps
- Prioritize remediation efforts and document findings
Scoping
- Define the assessment boundary and scope of CUI
- Identify which systems, personnel, and locations handle CUI
- Reduce scope where possible to lower compliance burden and cost
System Security Plan (SSP)
- Develop and document the SSP required for CMMC Level 2
- Map existing controls to NIST SP 800-171 practices
Plan of Action & Milestones (POA&M)
- Create a formal POA&M for any unmet requirements
- Please note: not all unmet requirements can be placed in a POA&M
Policy & Procedure Development
- Write or update information security policies
- Develop procedures and policies aligned to CMMC practices
Technical Remediation Guidance
- Recommend and assist with implementing required security controls
- Technical items include, but are not limited to, MFA, encryption, endpoint protection, audit logging, network segmentation and access control implementation
CMMC Level 2 Certification Prep
- Prepare organization for a C3PAO (Certified Third Party Assessment Organization) assessment
- Conduct mock assessments to identify remaining gaps
Evidence Collection & Documentation
- Organize and prepare evidence packages for assessors
- Ensure documentation meets CMMC assessment guide requirements
Employee Training
- Deliver security awareness training required by CMMC
- Train staff on CUI handling, identification, and protection
Incident Response Planning
- Develop and test an incident response plan
- Define roles, escalation paths, and reporting procedures
Ongoing Compliance Support
- Continuous monitoring and compliance maintenance
- Annual review of SSP and security controls
- Support for recertification every 3 years