Reflective Journal #4

The team had researched CMMCv2.0 and developed a method of mapping CMMC to other cybersecurity policy frameworks such as CISv8.0 as utilized by LightGrid’s outsourced IT team. In forming the maps to be used by personnel, we developed the skills necessary to dissect frameworks in order to adapt them to other related or unrelated policy frameworks. This was a necessary skillset due to the complexity of cybersecurity frameworks, along with the contradicting natures of different policies. With this in mind, we made an effort to quickly establish a connection between the two primary frameworks while also making them as simple as possible so that any personnel could make use of and find assistance with the policies we were hoping to fully implement.

The policies specifically rested solely within CMMCv2.0, the implementation of which was approaching the mandatory date as outlined by the Department of Defense. Previously, all government agencies and adjacent contractors were required to abide by NIST 800-171 standards, CMMC being the updated, more in-depth coverage of that familiar set of policies. However, specific questions still remained such as the specifics of CMMC, how it would connect or affect pre-existing systems, and most importantly, the timeline it would take to deliver the developed policies so that implementation can be viewed as successful. In order to uncover more information as well as have some of our questions answered, we attended the DoD’s CMMC Webinar hosted by Stacy Bostjanick and Dave McKeown. The webinar provided in-depth information stretching across all fields of CMMC such as implementation, personnel affected, policies that connect with pre-existing 800-171 mandated policies, and most importantly that timeline we were hoping for.

We learned through this webinar that CMMC implementation begins March of 2023, meaning we only had eight short months to prepare for a complete framework overhaul, implementation strategy, and policy development. The webinar detailed the importance of time management, as the process post-March will lead to CMMC committees analyzing compliance to determine if implementation can be considered successful. Should we fail, we would not be eligible for contracts due to our inability to assure data protection, as the handling of classified data cannot be carried out should there not be trusted policies in place.

CMMC arranges success based on the previously implemented 800-171 scoring system, where the implementation group is judged based off of how many points they subtract from a pre-determined maximum. Each specific policy is bundled with a point value determined by the importance of that policy, such as how much it affects, or how difficult it is to implement. The DoD recommends regular self-assessment when implementing CMMC, along with constant monitoring of implementation procedures as well as the progress updates required. However, we were confident in our ability to progress on schedule.
