7 Steps to CMMC Compliance
Not sure where to start? You’re not alone. That is why we developed our 7-step CMMC Compliance Navigator to define your best course of action to compliance. You don’t want to waste time and money on a failed C3PAO assessment: it typically costs 3-6 months of remediation and reassessment, plus lost DoD contract opportunities. KLC Consulting is here to help you navigate your way to CMMC compliance.
STEP 1
CUI Scoping
A successful CMMC compliance program begins with identifying the CUI you handle, segregating it from your other information, and minimizing its footprint so that fewer systems, people, and processes fall into the assessment scope. Every system that stores, processes, or transmits CUI is in scope, so a smaller CUI footprint directly reduces your cost of compliance. KLC offers our CUI Scoping Service and our proprietary CUI Data Lifecycle approach to minimize your CMMC compliance cost. We typically complete scoping within 30-45 days. ▶ CUI SCOPING PACKAGE
STEP 2
NIST 800-171 Self-Assessment
Typically, a defense industrial base (DIB) company’s cybersecurity maturity is well below the CMMC compliance level, and most lack the internal resources to perform an accurate NIST 800-171 self-assessment. This self-assessment is the foundation of your CMMC compliance program: it identifies which of the 110 requirements are implemented and which need remediation. Non-compliance puts you at risk of losing DoD contract renewals and new opportunities. KLC Consulting therefore works with you either to prepare your NIST 800-171 self-assessment or to review and confirm the accuracy of an assessment you have already done. ▶ SPRS DoD PACKAGE
STEP 3
Submit to SPRS
If you feel challenged by the DoD’s SPRS (Supplier Performance Risk System) web portal, we walk you through the submission process. You are required to submit your summary-level assessment score, the scope and date of the assessment, and the date by which your POA&M (Plan of Action & Milestones) items will be remediated to reach a perfect score of 110. Under the DoD Assessment Methodology, the score starts at 110 and loses 1, 3, or 5 points for each NIST 800-171 requirement that is not fully implemented, so a low score is expected at first and the POA&M date is what tells the DoD when you will close the gap. With your score posted, you can confidently report “In Compliance” with DFARS 252.204-7019 and -7020.
STEP 4
Remediate POA&M (Plan of Action & Milestones)
KLC architects cost-effective NIST 800-171 and CMMC compliance solutions. CMMC compliance programs typically span 9-12 months. Our CMMC consulting services are designed to meet you where you are and bring you to “CMMC Assessment Ready” with as much or as little help as you need. KLC Consulting’s services range from guiding your own internal effort all the way to our professionals performing hands-on remediation, so that each POA&M item is closed and the supporting evidence an assessor will ask for (policies, procedures, configurations, and records) is in place. ▶ CMMC CONSULTING SERVICES
STEP 5
Verify Readiness
With the fate of DoD contract renewals and new opportunities hanging in the balance, the last thing a DIB company needs is to engage a C3PAO to perform a CMMC assessment and fail because of unexpected gaps. The POA&M remediation period after a conditional CMMC assessment is up to 180 days, and any item not closed in that window costs you the certification. You don’t want to lose 3 to 6 months of time, plus the additional expense to remediate and reassess deficiencies. KLC evaluates your state of CMMC readiness with a mock assessment that follows the same CMMC Assessment Guide an independent C3PAO uses, examining the same evidence and interviewing the same staff. ▶ VERIFY READINESS SERVICE
STEP 6
Engage a C3PAO
CMMC 2.0 Level 2 (Advanced) applies to companies that handle CUI. It requires a triennial C3PAO assessment for prioritized acquisitions involving information the DoD deems critical to national security, and allows self-assessment for select non-prioritized programs. If we have performed consulting services to bring you to “Assessment Readiness,” we cannot also perform your C3PAO assessment, because the CMMC ecosystem’s conflict-of-interest rules prohibit an organization from assessing work it helped implement. However, KLC can refer you to other reputable C3PAO firms to perform your independent assessment. We will serve as your liaison and assist you every step of the way.
STEP 7
Maintain & Renew CMMC
Congratulations on your certification! Compliance is not a one-time endeavor: CMMC certification runs on a three-year renewal cycle. Changes to your IT environment (new cloud services, new systems handling CUI, staff turnover) and company mergers & acquisitions can change your assessment scope and affect your CMMC recertification. KLC guides your IT change management process so that scope changes are caught and documented, and monitors CMMC updates to maintain your compliance status. We also perform the periodic incident response plan tests and vulnerability scans that NIST 800-171 requires at Level 2, and the penetration tests required at Level 3. Let’s prepare for the next CMMC reassessment to preserve your ability to meet the cybersecurity requirements of DoD contract renewals and new awards.
CUI Marking and Labeling
NIST 800-171, and therefore CMMC Level 2, requires that media containing CUI be marked with the necessary CUI markings and distribution limitations; the marking rules themselves come from the federal CUI program (32 CFR Part 2002) and DoD Instruction 5200.48. Classified information is governed by a separate regime and is outside CMMC’s scope. Essentially this means we are required to treat CUI with “white gloves.” From the DoD’s perspective, marking is essential for audit purposes, and it is also how an assessor confirms that you know where your CUI is. KLC Consulting has the expertise needed to do CUI marking efficiently and accurately.
Vulnerability Assessment & Pen Testing
KLC Consulting performs Vulnerability Assessment and Penetration Testing to evaluate and improve your organization’s security posture. People often use the terms “Vulnerability Assessment” and “Penetration Test” interchangeably, but they answer different questions. A vulnerability assessment is broad and largely tool-driven: it enumerates and prioritizes known weaknesses (missing patches, misconfigurations, weak settings) across your systems. A penetration test is narrower and largely manual: a tester attempts to exploit weaknesses and chain them together to show what an attacker could actually reach, such as CUI. Most organizations need regular vulnerability scanning and periodic penetration testing, not one or the other. We are also available to help with remediation.