Journey to CMMC Level 2: How CIS Secure Made It Happen

Steps to CMMC Level 2

When the Department of Defense (DoD) announced that members of the Defense Industrial Base (DIB) would need to achieve Cybersecurity Maturity Model Certification (CMMC) compliance to continue doing business, CIS Secure took immediate action. Achieving CMMC Level 2 was not merely a compliance exercise for us; it was crucial for maintaining our ability to serve our customers and protect the sensitive information entrusted to us.

At the outset, our various business units were at different levels of security maturity. One of the major challenges was aligning them under a unified approach to meet CMMC requirements. This involved restructuring parts of the network and expanding the scope from isolated enclaves to an enterprise-wide strategy.

Enlisting help

We partnered with CyberSheath, a Managed Security Services Provider (MSSP), to assist us with technical implementation and alignment. Their expertise significantly reduced the effort required to configure systems and controls to meet CMMC requirements.

For the assessment, we chose Cybersec Investments, a Certified Third-Party Assessor Organization (C3PAO), based on recommendations and proven experience.

Addressing Key Challenges and Leveraging Expertise

Our gap analysis, conducted with CyberSheath, revealed several key challenges, including policy misalignment across divisions and a misunderstanding of which business units were in scope for CMMC. Although we had an internal cybersecurity team in place, the combined resources of our team and our MSSP provided a deep bench of expertise. From the start, we treated our System Security Plan (SSP) and Plan of Action & Milestones (POA&M) as living documents, updating them throughout the process to track progress and assigning responsibilities to avoid last-minute scrambles.

Prioritizing and Mitigating Security Gaps

We prioritized gaps based on the time and resources needed to close them, starting with those that required new equipment. The most challenging areas were network security and wireless controls, which necessitated replacing hardware to meet requirements. We also overhauled our policies and procedures to cover all business units and extended the scope to include end-user devices rather than just enclaves. For training, we leveraged CISA and KnowBe4 programs delivered through our internal learning platform.

Streamlining Documentation and Evidence Collection

Our documentation was directly aligned to the CMMC assessment matrix, ensuring easy navigation. We approached evidence collection methodically, reviewing each assessment item step-by-step in advance and organizing evidence in a way that allowed for quick access during the assessment.

Prior to the formal assessment, we conducted a thorough internal audit of all documentation and evidence. Our MSSP was instrumental in swiftly resolving any last-minute issues. This preparation ensured there were no surprises on assessment day.

Securing CMMC Level 2 Certification

With deep experience in the CMMC ecosystem, our MSSP, CyberSheath, shared their knowledge of leading C3PAOs in the market. Drawing on that broader industry insight, we identified Cybersec Investments as the right fit — offering flexible scheduling and competitive pricing.

In the weeks leading up to the assessment, our IT team meticulously reviewed the SSP and evidence, meeting multiple times per week to check and cross-check each other’s work. Thanks to this thorough preparation and the support of our MSSP, the assessment proceeded smoothly without any unexpected challenges.

Lessons Learned

  • Start Early: The process takes longer than expected.
  • Ensure Leadership Buy-In: This is critical for resource allocation and prioritization.
  • Engage Trusted Partners: MSSPs and experienced C3PAOs can greatly reduce risk.
  • Plan for Organizational Changes: Acquisitions, restructuring, or re-scoping can impact your compliance path.
  • Understand Your CAGE Code Hierarchy: Knowing which CAGE codes are in scope prevents delays in submission.
  • Confirm Your Technology Stack Meets FIPS Requirements: Do so without sacrificing necessary functionality.

CMMC Certification Business Outcomes and Value

  • Certification has reinforced our credibility with government and defense clients, providing assurance that CIS Secure meets and maintains rigorous DoD cybersecurity expectations.
  • Clients have greater confidence in CIS Secure’s ability to safeguard Controlled Unclassified Information (CUI).
  • Certification opens opportunities that require CMMC Level 2 and streamlines security reviews during contract pursuits.
  • Gaps were identified and resolved, strengthening our overall security posture.

Maintaining Compliance and Looking Ahead

Achieving certification is only the beginning. CIS Secure maintains compliance through regular documentation reviews, continuous monitoring, and proactive updates to controls as threats and requirements evolve. We stay informed about changes to the CMMC framework and leverage our MSSP’s compliance expertise to stay ahead of the curve.

CMMC Level 2 certification is both important and beneficial. Start early, stay focused, and ensure leadership is fully engaged. With the right planning and trusted partners, achieving compliance is an attainable goal and a critical step in protecting both your organization and the customers you serve.