Automating CMMC 2.0 compliance is going to be key to broad implementation. Last week the Department of Defense announced CMMC 2.0. The new version simplifies the approach by mapping to 3 levels (Foundational, Advanced, and Expert). CMMC 2.0 also streamlines control mapping to the NIST standards for the Advanced (NIST SP 800-171) and Expert (NIST SP 800-172) levels, and eliminates the maturity levels that were used in the first version of the model. Left unanswered, however, were two questions: How do I prepare for CMMC 2.0 compliance? And how do I automate CMMC 2.0 compliance?
Preparing for CMMC 2.0 — What are the Controls?
While the DoD announced the revised program, they did not release updated control sets for the CMMC Foundational, Advanced, and Expert levels. Instead, they advised that Level 1 (Foundational) would remain the same as in CMMC 1.0, while Level 2 (Advanced) would mirror NIST SP 800-171 and Level 3 (Expert) would map to a subset of NIST SP 800-172. For practical purposes, the specific control mappings were left out.
For us, the control mappings are the key to using the framework. So we took DoD’s guidance and captured the anticipated mappings in a spreadsheet. This mapping enables organizations to feed the tools that can automate CMMC 2.0 compliance.
How do I Automate CMMC 2.0 Compliance?
Many of the organizations that will need Level 3 (Expert) certification will first need to adhere to the NIST SP 800-172 controls. Careful analysis of these controls shows that a majority (85 of 110) are technical controls. The good news is that most of these technical controls can be validated and proven effective through automated testing. Our analysis shows that over 60% of all CMMC 2.0 Level 3 controls can be tested through automated assessment tools, including nearly 80% of the technical controls. Automated testing is a real time and resource saver, allowing organizations to complete assessments 4-12X faster using 25% of the people. This gives organizations the opportunity to streamline their compliance and reporting requirements by automating CMMC 2.0 compliance: mapping the framework into the risk assessment tools and breach and attack solutions that are likely already deployed in a number of locations. This approach opens the door to continuous compliance testing and monitoring, which can lead to even greater personnel and resource savings over time.