Taking the pain out of CMMC Level 2 certification

Snapshot

Companies that want to bid for, and keep, contracts with the United States Department of Defense (DoD) must meet the requirements of the Cybersecurity Maturity Model Certification (CMMC) program if they will handle Controlled Unclassified Information (CUI). An organization that processes, stores, or transmits CUI on the DoD's behalf is expected to score a full 110 out of 110 against the Level 2 requirements and to demonstrate a sustained commitment to sound cybersecurity practice. There are very few exceptions.

A full-service transportation and logistics provider that does a portion of its business with the U.S. Government recently engaged Kalles Group to assess its readiness against all 110 security requirements of CMMC 2.0 Level 2. The KG team gave the company a roadmap for registering its Supplier Performance Risk System (SPRS) score by its target date.


Challenge

The sheer complexity facing organizations seeking CMMC certification for DoD contracts 

CMMC 2.0 is mandatory for the contractors and subcontractors in the U.S. Defense Industrial Base (DIB) that handle FCI or CUI. Level 2 certification requires meeting the 17 Federal Contract Information (FCI) controls of Level 1, which cover identity and access management (IAM), physical security, media sanitization, asset inventory, and configuration management, plus a further 93 requirements for protecting Controlled Unclassified Information, for a total of 110. None of the 17 Level 1 controls may be left unmet.

CMMC is not itself a standard. It is a certification program built on a National Institute of Standards and Technology (NIST) standard, NIST SP 800-171, which specifies how CUI must be protected when it is processed, stored, or transmitted by non-federal information systems, that is, by companies working within government contract supply chains. The difference between NIST SP 800-171 and CMMC is that the former defines the security requirements (contractually imposed on DoD contractors through DFARS clause 252.204-7012), and the latter is the certification granted once an independent assessor confirms that an organization has implemented them.

Certification is scoped to the systems that handle the contract's FCI and CUI, and organizations must demonstrate that boundary by physical or logical separation. Companies that can cleanly separate their commercial business from their DoD contracts, and can afford to, may sequester DoD operations in a secure enclave: a segmented environment with its own network boundary, identity controls, endpoints, and storage, in which CUI is stored and processed apart from the broader company network. Everything outside the enclave then falls outside the assessment scope, provided CUI genuinely never leaves it.

Complicating matters further, businesses must also attest that the subcontractors to which they flow down CUI can meet the same requirements. Depending on the organization's size, the assessment can cost anywhere between $50,000 and $100,000, and a company that fails and wants to try again can expect to pay that price a second time.

Given the arduous process, large expense, and zero tolerance for shortcomings, many companies in this position engage expert help for a Readiness Assessment before seeking certification. They include companies, like our client, that serve both commercial and government sectors and consider continued access to government contracts worth the effort even though it accounts for only a fraction of total revenue.

 

Expanded scope, limited CMMC assessor availability, and a time crunch exacerbated matters  

The client's specific circumstances, as a provider of extensive multi-modal transportation and logistics capabilities, made certification more complex still. Only after the contract was signed did it become clear that the assessment planned for one company actually covered a family of 12 companies. They shared core infrastructure and IT but had completely different operational processes. Seeking a single assessment was risky: if any one of the 12 companies failed even one of the 110 requirements, the whole assessed environment would fail that requirement.

Time was also short. The client could start losing DoD contracts as early as March 2025, so navigating the certification process quickly was vital to protect a sizable portion of its business. With only 50 C3PAOs (CMMC Third-Party Assessment Organizations authorized by the CMMC Accreditation Body) serving the entire country at the time of engagement, timing was critical to get into the first wave of official assessments. (The shortage of approved assessors is a major issue for the roughly 300,000 DoD suppliers expected to achieve and maintain certification.) To reserve a C3PAO, the company would need to show it was likely to pass an independent assessment by posting an SPRS score greater than +88.

Approach

Reducing CMMC complexity by gathering information on scope and identifying gaps 

Kalles Group began by gathering everything a CMMC Assessor might examine. This meant identifying all primary suppliers and sub-suppliers, including legal affiliates; all external service providers (ESPs) and cloud service providers (CSPs); and all processes and technologies in use, including those provided by ESPs (such as cloud hosts) or by downstream sub-contractors. The consultants also determined who has access to each of these processes and technologies and how they are currently protected.

Kalles Group and the company's core Readiness team then worked with each in-scope company to build use cases and data flows for how it conducts DoD-contracted business. The KG team identified every piece of contract-relevant data that is acquired, generated, manipulated, transformed, refined, stored, or transmitted, traced it through each end-to-end use case (including storage and backup, incident management, audits, and quarterly or annual reporting), and categorized it as FCI or CUI to determine how it must be protected.

The final part of information gathering was defining the total scope of the CMMC assessment and identifying every data-protection gap standing between the company and Level 2 certification. The work culminated in a Town Hall meeting that the KG team ran end to end. The company was then ready to self-assess and report for Level 1 and to plan remediation for Level 2.

 

Why expert guidance is crucial in the CMMC Level 2 certification process  

CMMC certification is a painstaking process, and no organization that depends on DoD contracts should go into it unprepared. With all 110 requirements to be met, and the added obligation to attest that suppliers can meet them too, guidance from experienced consultants is key.

Consulting firms like Kalles Group can determine with confidence what the full CMMC assessment scope must be and ensure nothing important is overlooked. Use cases and data flows are the key tools for building action plans that make a very difficult analysis far more tractable.

Results

A concrete gap analysis and plan of action with no stone left unturned 

Kalles Group traced every path of information flow that could contribute to the CMMC assessment scope. Because of the KG team's thoroughness, the transportation company could be confident there would be no surprises during the assessment itself.

By delivering prioritized, concrete remediation plans with a sketch timeline and roadmaps for completing them, the KG team helped the company understand exactly what it would have to do to reach compliance. This put the client on track to meet its target date for registering its SPRS score, the essential prerequisite to scheduling a certification assessment.
