A subcontractor sought to secure a lucrative contract with a DoD prime contractor. The prime contractor, bound by its contractual obligations with the DoD, had to ensure that all its subcontractors complied with the requirements of its contract. This posed a significant hurdle for the subcontractor as their bid would only be considered if they had a CMMC 2.0 Maturity Level 2 certification. This posed a formidable challenge for the subcontractor because they had to prepare for a CMMC 2.0 level 2 assessment. They had to scope their assets, navigate the complex landscape of CMMC 2.0 compliance, self-assess to ensure they addressed the requirements of CMMC Level 1, and fully implement the NIST SP 800-171’s 110 controls. The subcontractor also had to prepare documentation such as SSP and POA&MS within a tight timeframe. With limited in-house expertise, they sought the assistance of Cleared Systems, a Registered Provider Organization (RPO), to prepare them for the upcoming CMMC level 2.0 Assessment by a C3PAO.
Objectives
- To enable the subcontractor to understand the requirements of CMMC 2.0 Level 2 and provide them with a clear roadmap for compliance.
- To help the subcontractor scope their assets and implement the 110 controls in NIST SP 800-171, a prerequisite for CMMC compliance and certification at maturity level 2.
- To assist the subcontractor in preparing necessary documentation like comprehensive and accurate SSP and POA&Ms.
- To equip the subcontractor with knowledge and skills for future compliance and empower them to handle similar situations independently.
- To ensure the subcontractor has everything in place and is well-prepared for the upcoming CMMC assessment by a C3PAO.
Challenges
- The subcontractor had a limited understanding of CMMC 2.0 Level 2 requirements. Since they lacked a clear roadmap for CMMC 2.0 compliance, preparing for the upcoming CMMC assessment proved challenging.
- The subcontractor had to scope their assets and determine which were subject to CMMC 2.0 compliance. This was a challenging task as they had to consider various factors such as the type, location, and ownership of the assets and the nature and sensitivity of the information they processed, stored, or transmitted.
- The subcontractor was under pressure to secure the lucrative DoD contract. They knew their bid would only be considered if they had a CMMC 2.0 Maturity Level 2 certification. This added to the stress of preparing for the assessment.
- The subcontractor had limited in-house expertise in cybersecurity compliance. They lacked the knowledge and skills to navigate the complex landscape of CMMC 2.0 compliance. This made it difficult for them to prepare for the assessment.
- Preparing the necessary documentation posed a significant challenge for the subcontractor. They needed to prepare accurate, complete, and consistent SSP and POA&Ms within a tight timeframe amid their limited in-house expertise. However, they did not know how to ensure these documents met all requirements.
- Implementing some of the NIST SP 800-171’s 110 controls, which addressed moderate confidentiality impact levels, proved challenging for the subcontractor. This is because they didn’t understand the intent and applicability of each control.
Solutions
- Cleared Systems assisted the subcontractor in self-assessing their compliance with CMMC 2.0 Level 1 requirements. We provided them a checklist which consisted of FAR Clause 52.204-21’s 17 basic cybersecurity practicesand a template to document their compliance status and evidence.
- Our team guided the subcontractor through scoping their assets and implementing the 110 controls in NIST SP 800-171. We provided practical advice and recommendations on achieving each control and tools and resources to facilitate the implementation process.
- Cleared Systems helped the subcontractor prepare documentation such as SSP and POA&Ms within the tight timeframe. Our team reviewed and validated the subcontractor’s documentation and ensured it met the CMMC 2.0 requirements.
- We provided a clear roadmap for CMMC 2.0 Level 2 compliance. By explaining each requirement in detail, our CMMC compliance consulting team ensured the subcontractor was well-prepared for the assessment.
- Cleared Systems provided ongoing support throughout the preparation process, addressing any concerns or questions from the subcontractor ensuring they felt confident and prepared for the upcoming CMMC 2.0 compliance assessment.
Results
- The subcontractor successfully implemented all 110 controls in NIST SP 800-171, a prerequisite for CMMC 2.0 compliance. This strengthened their cybersecurity posture and resilience, reducing exposure to cyber threats and risks.
- After the C3PAO conducted the assessment and found the subcontractor to have met all the requirements of maturity level 2, the CMMC AB certified the subcontractor as CMMC level 2 compliant. Consequently, the subcontractor achieved CMMC 2.0 Maturity Level 2 certification within the stipulated timeframe, securing the lucrative contract with the prime contractor.
- By achieving CMMC 2.0 Maturity Level 2 certification, the subcontractor enhanced their reputation and credibility in the defense industry, opening up new opportunities and markets for their business.