CMMC Compliance Consulting, Gap Analysis & Audit Readiness Assessment Services

Step 1: Initial Consultation and Data Collection

During our initial conversations and while we collect some data about your environment, we will focus on a few areas:

• Understanding your Controlled Unclassified Information (CUI) data flow: CUI refers to sensitive government data that, while not classified, requires protection from unauthorized access and distribution. We will analyze the flow of your CUI data—where it originates and how it’s processed, stored, transmitted, accessed, and used.
• Collecting and reviewing your existing cybersecurity policies, procedures, and documentation: This helps us look for noncompliance gaps and learn more about your cybersecurity environment.
• Assessing your security architecture, technologies in use, and any existing compliance reports or audits: We will learn more about your cybersecurity strategy, tools, and compliance history.

Step 2: Interviews with Key Personnel

While we can do much of the technical portion of the assessment on our own, this process is highly interactive and requires significant time spent with you to discuss the controls and what’s needed to meet them.
• Interviews: We will conduct structured interviews with your IT staff, security officers, executive management, and other relevant stakeholders.
• Discussions: We will seek to understand perceived versus actual security needs, concerns, and expectations from various departments.
• Qualitative Data: We will gather qualitative data about your security culture, employee security awareness, and stakeholder engagement in cybersecurity initiatives.

Step 3: Technical and Process Evaluation

Next, we’ll take all the information learned, evaluate your environment, and begin to build a picture of your current state.
• Evaluation: We will evaluate the effectiveness and coverage of your current cybersecurity measures against the CMMC Level 2 categories and subcategories.
• Assessment: We will assess your integration of cybersecurity practices into your daily operations and decision-making processes.
• Gaps: We will identify strengths, weaknesses, and potential areas for improvement within the CMMC cybersecurity framework.

Step 4: Gap Analysis Execution

Compliance requirements can be difficult to interpret. We’ll walk you through a detailed analysis of your current alignment for the level of compliance you need and provide recommendations for what is needed to pass your third-party audit.
• Checklist: We will utilize a detailed checklist aligned with CMMC Level 2 standards to methodically identify areas of non-compliance.
• Gap Analysis: We will analyze compliance gaps to determine underlying causes, potential risks, and any impact on your security posture.
• Recommendations: We will develop a prioritized list of recommendations for addressing any identified gaps, taking into consideration your business objectives, resources, and risk tolerance.

Step 5: Gap Assessment Deliverables

With the results of your Gap Analysis in hand, your next step is to plan how you’re going to implement the missing security controls. These controls will include both technical and non-technical measures. That means that you’ll need to involve multiple departments, not just IT. And, of course, VC3 will help with the following deliverables.
• System Security Plan (SSP): An SSP is a report that outlines the discrepancies between your current security controls and the CMMC Level 2 requirements.
• Plan of Actions & Milestones (POA&M): A POA&M is an actionable plan that prioritizes what identified gaps to address, giving you a roadmap to achieve full compliance with the CMMC Level 2 requirements.
• Supplier Performance Risk System (SPRS) Score: Subcontractors are required to update their SPRS score so primary contractors can see it.