Defense contractors and those that will fall under the NIST 800-171 umbrella are aware of the consequences should they not be compliant with CMMC 2.0 by 2026. For those of you just joining us, not only will you be unable to win new contract awards if you aren’t compliant, but existing awarded contracts will also be issued a stop work order.  And I can bet you they are going to ask you to return funds mid-quarter.

CMMC 2.0 Checklist

We hate to see it, but we know it’s coming. So, here’s a quick checklist of what we know so far, so you can be ahead of the game. For those of you in the DIB (meaning you’re a cleared company), not only will you be required to be at Level 2, but Level 2 covers all 110 NIST SP 800-171 practices, which means you also have to hit every check mark for Level 1 along the way. As tedious as it sounds, that really adds an extra layer of “ugh” to your checklist. Here is the NIST 800-171 checklist that you will need to get CMMC certified.

Identify relevant data (includes CUI & PII)

Categorize your data

Establish baseline controls

Test your baseline controls. The assessment procedures for each requirement are in NIST SP 800-171A – SP 800-171A, Assessing Security Requirements for CUI | CSRC

Conduct ongoing risk assessment

Write a System Security Plan (SSP) based on the controls. This one is going to require some serious brain power. If you don’t have one, or lack confidence in your current one, hire a CISSP or CISO to do it.

Create the rollout plan. If you don’t have a program manager (PM) in place for this, it’s time to get one. It’s money well spent.

Monitor and analyze data

Review security plan and make updates

Also, as a friendly reminder from one of your favorite Millennials, companies selling you packages to help get you CMMC certified are not your friend, lover, or companion. They do not know any more than you do about what will be required, so how can they sell you a package for $799 to get certified and compliant? Take that money, spend it on your significant other, buy more plants or get your dog a spa day. (That’s not even a joke… If you live in DC, you know you’ve seen a teacup dog in a stroller before…)

And be sure to take care of the staff who are going to work tirelessly for you to be compliant. Give them bonuses, up their annual raise, give a few extra PTO days as a thank you. As someone who knows firsthand, a little appreciation goes a long way. Because I can PROMISE you, your folks are getting 3-5 emails a day from recruiters. Give them a reason to stay.


NJ has over 10 years inside the DoD working for various organizations and cleared defense contractors. With an ear to the ground on all things OPSEC, cyber, machine learning & mental health, she is an untapped keg of open source information.