Video Series: 6 Steps to CMMC Compliance

The first step that any defense contractor should take in their compliance journey is determine the level of CMMC their organization needs to meet.

This video explains where contractors should look for their CMMC level and what they will need to comply with for each level.

The second step that any defense contractor should take in their compliance journey is managing the scope of their compliance environment and limiting where CUI resides.

This video explains the factors contractors should consider when determining their scope.

The third step that defense contractors should take in their CMMC compliance journey is protecting their CUI. This is a key requirement of NIST 800-171 and is at the core of CMMC.

This video explains the technology and compliance factors contractors need to consider in choosing a platform to protect CUI.

The fourth step that defense contractors should take in their CMMC compliance journey is creating robust documentation that explains the policies and procedures the organization uses to protect CUI.

Documentation includes items such as a System Security Plan (SSP), Plan of Action and Milestones (POAMs), and the Customer Responsibility Matrix (CRM). The video also mentions the value of PreVeil’s pre-filled documentation in simplifying the compliance process.

The fifth step that defense contractors should take in their CMMC compliance journey is ensuring they conduct a self-assessment against the NIST 800-171 requirements.

Self-assessment is not just a good idea, but a requirement stated in the FAR and DFAR.

The sixth step that defense contractors should take in their CMMC compliance journey is to consider if they should hire a third party partner such as a Registered Practitioner (RP), Registered Practitioner Organization (RPO), MSP, MSSP or a C3PAO to help them with their compliance.

Hiring a 3rd party can be a smart business decision but it depends on your organization’s needs and budget.