Lessons Gained on the Path Towards CMMC Compliance

Organizations that operate or want to operate with Department of Defense (DoD) information are required to have the Cybersecurity Maturity Model Certification (CMMC). CMMC certifies that an organization has the appropriate level of cybersecurity infrastructure, policies, and procedures in place to handle and secure controlled data.

For the past several months, DTS has been working towards CMMC Level 3 compliance. As part of the process of migrating to a secured Government Cloud environment and implementing and enforcing policies and procedures that align with CMMC requirements, we’ve come up with a few lessons gained to help others navigate this process more easily.

Here are a few lessons we gained from this migration process:

Understand the impact that these changes will have on your organization’s business processes and day-to-day activities.

  • Business processes may need to be updated to meet cybersecurity requirements for CMMC compliance, and it is important to evaluate what will be affected. A few examples include:
    • Accessing company resources and applications will be restricted and limited.
    • Connecting external storage devices like USB flash drives will be blocked, and exceptions will need to be built into your IT cybersecurity policies for special cases.
    • Mobile devices that are used to access company data will be constrained.
  • Applications and software that teams rely on and utilize daily may no longer be supported in a CMMC compliant IT infrastructure and environment.
    • List out all the applications and software that are currently in use and how they are being used.
    • Get insight into which applications will be supported post-migration, audit, and/or certification.
    • If an application is not supported, start considering alternatives and workarounds to minimize the impact to day-to-day activities.

Regularly communicate with the third-party vendor that’s assisting you with your migration and/or CMMC audit and certification.

  • Do not assume anything. You may have to drive the conversation to set clear expectations from the beginning.
  • Share your insights on business processes and applications. The third-party vendor should be able to provide input on alternatives and best practice recommendations.
  • Get a clear picture of how things will work and look post-migration and post-CMMC compliance.

Pilot the new policy, infrastructure, and procedures on a smaller scale before implementing them across the entire organization.

  • Slow-roll the implementation, if needed. It’s not necessary to turn on policies and procedures all at once. Implement them in phases, especially if the changes are significant.
  • Create and provide training and documentation, with step-by-step instructions on how to apply end-user configurations, for end users to refer to.

Another item to account for is the possible increase in IT expenditures.

  • An organization’s IT recurring costs may be higher post-CMMC compliance.
  • There may be added costs to securing applications and devices (e.g., multi-factor authentication, encryption, etc.).

CMMC 2.0 was recently released with key updates and a path forward that will affect many organizations. As with any compliance program, it is necessary to stay current with updates and changes to compliance requirements. Here are a couple of resources to get more information on CMMC.