October 18, 2023

Last Updated on January 8, 2024

Cybersecurity Maturity Model Certification (CMMC) Level 2 and CMMC Level 3 certificates will be valid for 3 years. So, to maintain a CMMC certification, defense suppliers will need to undergo reassessment by a certified third-party assessment organization (C3PAO) every three years following their initial certification.

As you’re working towards CMMC compliance, how can you set yourself up for success with maintaining your initial CMMC certification? This blog post covers 3 essential best practices.

One: Comply with the right NIST 800-171 version.

Just as CMMC has morphed from CMMC 1.0 to CMMC 2.0, the NIST 800-171 cybersecurity standard that CMMC is based on has just been updated to Revision 3. The “initial public draft” is awaiting finalization by NIST following a 60-day public comment period that ended on July 14, 2023.

The changes between NIST 800-171 Rev. 2 and Rev. 3 are significant, including:

  • Updates and additions to the security requirements and families, yielding an increase from 110 controls in Rev. 2 to 138 controls in Rev. 3
  • Improved specificity and other wording changes for many security requirements to align them with NIST 800-53 Rev. 5 and the NIST 800-53B moderate control baseline
  • Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations manage risk

Currently, companies that achieve early CMMC Level 2 certification under the Cyber AB’s voluntary assessment process will be audited against NIST 800-171 Rev. 2. Like many defense suppliers, you may already be at or close to NIST 800-171 Rev. 2 compliance. In that case, if you get your CMMC certification early against Rev. 2, you’d have most of your 3-year certification window to bump up to NIST 800-171 Rev. 3 compliance before your next external audit.

But if you’re currently six to nine months or more away from seeking a CMMC Level 2 or CMMC Level 3 assessment, you should consider aiming for NIST 800-171 Rev. 3 compliance now. Another advantage of going straight to NIST 800-171 Rev. 3 compliance is you’ll have a stronger security posture and a greater ability to protect controlled unclassified information (CUI) on your systems in the current threat environment.

At a minimum, organizations planning to seek CMMC certification should include the NIST 800-171 Rev. 3 controls within their next annual security risk assessment or internal audit.

Two: Invest in a GRC platform.

The right Governance, Risk, and Compliance (GRC) platform can help automate the operation of your cybersecurity program and simplify both external and internal audits. It gives your business a “single source of truth” for provable security and compliance.

To efficiently maintain “continuous compliance” with a comprehensive, third-party verified cybersecurity standard like CMMC, companies need a unified system of record. This ensures that the trusted security data your IT staff, management, auditors, clients, and other stakeholders need is complete, accurate, and available on demand.

If your business is growing rapidly and/or faces evolving compliance requirements against two or more cybersecurity/regulatory frameworks (e.g., CMMC and GDPR), your team probably needs all the automation it can get to help track compliance tasks. Some of the capabilities of a leading GRC tool include:

  • Automated workflows
  • Real-time visibility into compliance task status
  • Automated alerts to drive task completion
  • Ability to give auditors easy access to only the artifacts they need
  • Integration of vulnerability scans and other data from third-party tools (e.g., Nessus, Qualys)
  • Dashboard-driven insights to help guide compliance decision-making and reporting

Three: Recognize that operationalizing compliance is harder than achieving it.

For almost every organization, it will be easier to achieve that first-time CMMC certification than to operationalize the cybersecurity program to stay compliant over time.

Teams seeking CMMC certification naturally focus on implementing controls and generating artifacts to pass the first external certification audit. Less attention is paid to developing a “project plan” that documents all the tasks required to maintain security and compliance. This leads to a backlog of effort and a scramble to get past the next audit or other compliance milestone.

To efficiently operationalize cybersecurity and compliance, the associated workflows should be seamlessly integrated into everyday business processes. Examples include:

  • Integrating security planning into the overall business planning process
  • Documenting your security and compliance metrics and goals alongside other business metrics
  • Incorporating compliance communications/artifacts into your current collaboration tool (e.g., Microsoft Teams, Asana)
  • Migrating your compliance program to a GRC platform to streamline workflows and auditing

A sign of compliance maturity is the ability to proactively recognize and respond to changes that introduce new compliance risks. Such changes can include introducing new products and services to the market, gaining new clients, using new vendors, processing new data types, coming under new regulations, using new technologies, and more.

What’s next?

To accelerate your time to value and maximize ROI on CMMC, consider working with a CMMC Registered Provider Organization (RPO) like CBIZ Pivot Point Security. Our highly experienced team is authorized by the CMMC-AB to offer recommendations, consulting, internal audit support, and other services to help DIB organizations achieve and maintain CMMC compliance in the most cost-effective, forward-looking, and trouble-free manner possible.

Contact us to speak with a CMMC expert about your cybersecurity program, your overall compliance picture, and how we can help you achieve successful CMMC certification.