Webinar
CMMC readiness: Practical insights and lessons learned
Feb 11, 2025 · Authored by Matt Gilbert, Jacob Stroupe
Getting ready for Cybersecurity Maturity Model Certification (CMMC)? Whether you’re starting to build a foundation or have already met baseline NIST 800-171 criteria, adequate CMMC preparation requires significant time and resources.
In a recent webinar, CMMC readiness: Insights and lessons learned from industry leaders, Johnson Controls Federal Systems (JCFS) Director of IT Security, Governance, Risk and Compliance, Amit Reizes, P.E., CISSP, MBA, joined Baker Tilly CMMC specialists Matt Gilbert and Jacob Stroupe for a candid discussion on CMMC readiness.
This on-demand webinar provides a real-world perspective on the CMMC assessment process with practical examples you can immediately put into practice to help ensure your own organization’s successful CMMC certification. Learn about the new CMMC rules, what to expect in the coming months and how you can structure your journey toward a successful CMMC certification by learning from JCFS's experience.
Covered topics include:
- Relative pros and cons of enterprise versus enclave scoping
- Cloud-based service providers and CMMC rules
- Leading practices to structure your CMMC readiness project
- Determining factors to pass a CMMC assessment
Getting started with CMMC readiness
When preparing for a CMMC certification, the importance of clearly defined goals and objectives cannot be overstated. A common hallmark that differentiates organizations that ultimately achieve CMMC certification from those that do not is often seen at the outset of the project: Has executive buy-in been secured? Have key team members been given necessary information to foster a comprehensive understanding of the project and the elements for which they may hold ownership?
Developing a strong understanding of your business culture, project objectives and available data will help your organization succeed. How do you acquire sensitive data? How do you process it? Where do you save it? Who do you share it with? These are only a few of the questions you’ll need to answer to demonstrate proper management of controlled unclassified information (CUI) during your CMMC assessment. Thoughtful consideration of your answers will help your organization thoroughly prepare.
Moving forward with CMMC readiness
By establishing robust standards and a culture of risk management, your organization will more easily be able to define its scope and classify data. As previously noted, Baker Tilly guidance recommends engaging with executive leadership to secure buy-in and real business engagement at the beginning of your CMMC certification project. Together with enterprise-wide education, thoughtful gap analysis and the establishment of baselines will help ensure your team is aligned.
To achieve certification, it's essential to create a comprehensive evidence package with supporting materials that demonstrate compliance with each control. Additionally, conducting mock interviews can help technology owners prepare for the types of questions they may encounter during the official CMMC assessment phase.
CMMC readiness for success
Achieving CMMC certification is a substantial project with hundreds of tasks, necessitating the focus of your entire team along with effective project management. Continuous preparation not only helps build the “muscle memory” your assessor will require, but also gives your key personnel the confidence they need.
Want to learn more? Watch the complete CMMC readiness: Insights and lessons learned from industry leaders webinar now.