Our last article examined the steps that your organization needs to take in order to complete the scoring process.  This is an important step, as you will now have obtained a quantitative value that shows where your controls lie in terms of strengths and weaknesses. The next step is to get ready for the CMMC Gap Analysis.

How To Get Ready

The first step in preparing for this task is to decide which of the standards you plan to use.  There are currently four of them, and they are as follows:

1. Maturity Level 1:

This is the level for organizations that need only to maintain the minimal standards of Cyber Hygiene.  There is no defined or documented process that has to be maintained here; all you have to do is make sure that you have the necessary controls in place to comply with the 17 Level 1 CMMC practices, which fall under the following domains:

  • Access Control;
  • Identification and Authentication;
  • Media Protection;
  • Physical Protection;
  • System and Communication Protection;
  • System and Information Integrity.

This certification level is designed for the Small to Medium Sized Business, geared more towards the defense subcontractors that contribute to the overall bid in some fashion.  In this regard, these kinds of organizations will be primarily using the FCI Datasets.  The requirements can be seen in more detail here.

2. Maturity Level 3:

This level actually builds upon the previous Maturity Levels of 1 and 2.  Before you can achieve certification at Maturity Level 3, you must have first achieved it in the previous two.  At this point, your organization is deemed to be practicing good levels of Cyber Hygiene, because you will now be dealing with the safeguarding of the CUI datasets that you have been entrusted with by the DoD.

Maturity Level 3 requires that you come into compliance with 17 domains of the CMMC.  They are as follows:

  • Access Control;
  • Asset Management;
  • Awareness and Training;
  • Audit and Accountability;
  • Security Assessment;
  • Configuration Management;
  • Identification and Authentication;
  • Incident Response;
  • Maintenance;
  • Media Protection;
  • Physical Protection;
  • Personnel Security;
  • Recovery;
  • Risk Management;
  • Situational Awareness;
  • Systems and Communications Protection;
  • System and Information Integrity.

One of the key differences between Maturity Level 3 and Maturity Levels 1 and 2 is that at this point you must have a plan for how your controls will protect the CUI datasets, and you must also actively implement and maintain that plan.  Equally important is updating that plan as new occurrences take place.

3. The NIST Frameworks:

There are also numerous government frameworks that you may have to comply with as well, including those that have been set out by the CMMC.  These include the following:

  • NIST Special Publication 800-53: This document details all of the security and privacy controls as they relate to the Information Systems that are utilized by the US Federal Government.  More information can be found here.
  • The NIST Special Publication 800-171: This document describes how defense contractors and their subcontractors must protect the CUI datasets they handle.  In fact, this document lays the foundation for the CMMC.  The complete document can be accessed here.

Taking Inventory

Once you have determined which of the above three routes you plan to follow to get to your desired CMMC Certification Level, the next step is to take stock of the IT asset inventory that you plan to use to get that certification. This falls squarely under the Asset Management domain of the CMMC.  There are two capabilities that you must meet, which are as follows:

  • The identification and documentation of assets that will be used to process the CUI datasets (also known as C005);
  • The management of the asset inventory and the specific attributes each asset possesses, such as the software applications, firmware, database, operating system, etc. that will be used not only to further process the CUI datasets but to store them as well.

The Use of 3rd Party Services

Remember, it is very important that you do not attempt to achieve CMMC Certification all on your own.  Rather, you should seek the help and advice of other external agencies, primarily that of the Certified Third-Party Assessor Organization, also known as the C3PAO.  These entities have been certified by the CMMC Accreditation Body (also known as the CMMC-AB) in order to conduct full-fledged assessments for your organization.

Constructing The Data Flows

Apart from categorizing all of the IT assets and controls you have in place to process and secure the CUI datasets, it is also equally important that you map out the data flows so that you get a good visual as to what is going on, and what can be improved based on that.  For example, after mapping, you may find that transmission of the datasets could be further optimized into a more efficient and streamlined process.

A good resource to get started with this process can be found here.


Once you have the above in place, you can then go ahead and start the Gap Assessment for your CMMC Certification.  This is when you compare all of the controls you have in place at the current time against what the CMMC requires.  The difference between the two is what you need to remediate.  More information about conducting this process can be seen at these links below:
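As an added illustration of the inventory and gap assessment steps described above (this is example code, not part of the original article or any CMMC tooling), the script below takes a constructed asset inventory, keeps only the assets that process or store CUI (the C005-style identification step), and then compares a constructed control-status list against a practice catalog to produce the gap list and a coverage ratio for a chosen maturity level. The practice identifiers, asset names and status values are placeholders made up for the example; the domain names are the ones listed in the article, and the "Level 3 includes everything required at Levels 1 and 2" rule is the one the article states.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed practice catalog (example data, not real CMMC practice numbers).
# Each placeholder id maps to (domain, lowest maturity level that requires it).
PRACTICE_CATALOG: Dict[str, Tuple[str, int]] = {
    "AC-01-PLACEHOLDER": ("Access Control", 1),
    "IA-01-PLACEHOLDER": ("Identification and Authentication", 1),
    "MP-01-PLACEHOLDER": ("Media Protection", 1),
    "AM-01-PLACEHOLDER": ("Asset Management", 3),
    "IR-01-PLACEHOLDER": ("Incident Response", 3),
    "RM-01-PLACEHOLDER": ("Risk Management", 3),
}


@dataclass(frozen=True)
class Asset:
    """One inventory record with the attributes the article says to track."""
    name: str
    asset_type: str        # e.g. "server", "workstation"
    operating_system: str
    firmware: str
    applications: Tuple[str, ...]
    handles_cui: bool      # does this asset process or store CUI?


# Constructed inventory (example data).
INVENTORY: List[Asset] = [
    Asset("fileserver-01", "server", "Windows Server 2019", "BIOS 1.2", ("SMB",), True),
    Asset("eng-laptop-07", "workstation", "Windows 10", "UEFI 2.1", ("Office",), True),
    Asset("lobby-kiosk", "workstation", "Linux", "UEFI 1.0", ("Browser",), False),
]

# Constructed control status: practice id -> "implemented" | "partial" | "missing".
# A practice absent from this map is treated as "missing".
CONTROL_STATUS: Dict[str, str] = {
    "AC-01-PLACEHOLDER": "implemented",
    "IA-01-PLACEHOLDER": "partial",
    "MP-01-PLACEHOLDER": "implemented",
    "AM-01-PLACEHOLDER": "missing",
    "IR-01-PLACEHOLDER": "implemented",
}


def cui_assets(inventory: List[Asset]) -> List[Asset]:
    """C005-style identification: only assets that process or store CUI are in scope."""
    return [a for a in inventory if a.handles_cui]


def required_practices(target_level: int, catalog=PRACTICE_CATALOG) -> Dict[str, str]:
    """Level N requires every practice of levels 1..N (Level 3 builds on Levels 1 and 2)."""
    return {pid: dom for pid, (dom, lvl) in catalog.items() if lvl <= target_level}


def gap_assessment(target_level: int, status: Dict[str, str],
                   catalog=PRACTICE_CATALOG) -> Dict[str, List[Tuple[str, str]]]:
    """Controls required minus controls fully in place, grouped by CMMC domain."""
    gaps: Dict[str, List[Tuple[str, str]]] = {}
    for pid, domain in required_practices(target_level, catalog).items():
        state = status.get(pid, "missing")
        if state != "implemented":
            gaps.setdefault(domain, []).append((pid, state))
    return gaps


def coverage_ratio(target_level: int, status: Dict[str, str],
                   catalog=PRACTICE_CATALOG) -> float:
    """Quantitative score: fraction of required practices that are fully implemented."""
    required = required_practices(target_level, catalog)
    done = sum(1 for pid in required if status.get(pid, "missing") == "implemented")
    return done / len(required) if required else 1.0


def remediation_order(gaps: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Flatten the gaps into a work list: missing practices first, then partial ones."""
    items = [(pid, domain, state) for domain, entries in gaps.items() for pid, state in entries]
    return sorted(items, key=lambda item: (item[2] != "missing", item[1]))


if __name__ == "__main__":
    print("In-scope CUI assets:", [a.name for a in cui_assets(INVENTORY)])
    for level in (1, 3):
        print(f"Level {level} coverage: {coverage_ratio(level, CONTROL_STATUS):.0%}")
        for pid, domain, state in remediation_order(gap_assessment(level, CONTROL_STATUS)):
            print(f"  remediate {pid} [{domain}] - currently {state}")
```

Running the script prints the two in-scope assets and, for each target level, the coverage ratio followed by the practices to remediate in priority order; swapping the constructed catalog and status dictionaries for your own scoring results is the only change needed to reuse it.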


But once again, this is probably not something you should attempt to do by yourself.  Contact us today to get this right the first time!

And, finally, don’t forget to register for the very special CMMC Symposium on October 28th.  You can register here.