CMMC FAQs
Your scope and boundary will determine the level of effort required... it's not the same for everyone.
CMMC is not a one-time event: there are recurring tasks, a large body of historical evidence is required, and the requirements continue year over year.
Our Approach to CMMC Compliance Support
Phase One: Assessment + Quick Wins
- Discovery: getting to know the organization, the data flows, the staff, and the LOE on the project; Gap Assessment on the Policy, Procedures, Guidelines and Standards in production (est 20 hours)
- Policy Packet v1: filling in the gaps above, crafting documents as needed. (est 20 hours)
- Control Implementation v1: implementing the low effort, low cost controls throughout the tech stack to deliver immediate value to the client. Not complete, but a great start... potentially addressing a significant number of controls (est 20 hours)
**Preparation for Phase Two by proposing a more detailed next step**
Phase Two: Implementing Target State Controls + Evidence Collection
- Defining the Boundary: what is in scope?
- Control Implementation v2: working through the next round of controls.
- Document Management: building the organization, repositories, etc.; artifact collection
- POAM + SSP: drafting the System Security Plan and the Plan of Action and Milestones
**Preparation for Phase Three by proposing more detailed next steps**
Phase Three: Project Completion + Maintenance
- POAM: Systematically addressing outstanding items (non-technical and technical)
- SSP v2: completion
- Documentation v3: final review, approvals, and organization for auditors (as needed)
- Maintenance: ensuring the target state for all of the efforts above is kept up to date
- Change Management: "care and feeding" + live evidence collection
Phase Four: Audit Support
- Advisor
- Support throughout the C3PAO Assessment