CMMC Compliance Services

Phase I -Initial Documentation Review 

LRQA will review the following critical information: 

• CUI Flow Diagram (if available) 
• Network Diagram(s) 
• System Security Plan (SSP) 
• Asset Inventory: Hardware, Firmware, Software, Devices and Users 
• Existing Policies and Procedures, Plans, and Standard Operating Procedures (SOP’s) 

This documentation will be uploaded into a FedRAMP Equivalent GRC software tool for long-term collection of evidentiary data and ongoing cybersecurity maturity. 

Phase II - Executive Leadership Meeting 

CMMC Compliance is not an “IT issue.” CMMC is an enterprise issue because of where and how CUI flows through an organization. The security controls and evidence are not static, but rather a collection of living documents. As a result, it requires implementing significant governance, risk, and compliance (GRC) changes to how you run your business – it is NOT just the IT department's responsibility. 

Consequently, Senior and/or Executive Management must be involved in the kickoff meeting, since they will be ‘accountable’ in the CMMC Customer Responsibility Matrix (SRM) and ultimately accountable for the CMMC certification. Additionally, any staff that could possibly touch CUI needs to be involved since they will be considered the ‘data owner’ in the CRM. LRQA will cover the following in this meeting: 

• Acronyms & Terms 
• CMMC Assessment Process (CAP) 
• Critical Items: CUI Flow Diagrams, Asset Classifications, SSP, POAM, etc. 
• Gap Analysis Methodology 
• Roles and Responsibilities 
• Roadmap for future meetings 

Phase III – CUI Scoping Workshops 

The majority of IT systems don't specifically segregate data and tracking the flow of CUI within an organization can be a serious compliance headache. So, the first critical step in analyzing a company’s cybersecurity posture is determining how CUI flows within your organization. LRQA’s expert CCA’s and CCP’s follow the official CMMC Scoping Guide to visually map the flow of CUI within your company. These workshops will accomplish the following goals to create a diagram that will become part of your SSP for CMMC Certification: 

• Identify & Document organizational workflows where CUI is processed, stored & transmitted 
• Define how CUI is managed internally and externally 
• Identify users, devices, facilities, automated processes and functions, etc. that interact with CUI – these will be “in-scope” for CMMC 
• Designate a preliminary CMMC Assessment Boundary 

Phase IV – CMMC Objective Evaluation 

Our CCAs and CCPS follow the DoD’s CMMC Assessment Process (CAP 2.0) methodology to determine your compliance by evaluating your current security controls against the 14 Domains, 110 Practices, and 320 Objectives of CMMC. These security controls will be verified through the collaboration of your organization's staff throughout the process. The following artifacts will be compiled in the GRC software: 

• Documentation of client responses in workshops 
• Evidence to validate security controls for 320 objectives, if available 
• Control evidence that is not available will be noted, the applicable objective will be marked as not implemented, and that control objective will be added to the POAM 

Phase V – Reports and Findings 

LRQA will develop and present a Final Report with the following deliverables: 

• CUI Flow Diagram(s)  
• CUI Asset Inventory & Classifications 
• System Security Plan (SSP) 
• CMMC Assessment & Certification Boundaries 
• Supplier Performance Risk System (SPRS) Score 
• Plan of Action & Milestones (POAM) 
• Recommend priorities & a schedule for POAM completion 

We support project management of the remediation program, consult on the most effective corrective measures to meet requirements and report on the progress to senior management and executive stakeholders. As a world leading cybersecurity business, we also have the experts capable of fulfilling any roles where you may need support.  

LRQA has flexible options for CMMC Advisory Services based on your organization’s needs. Some clients have knowledgeable IT and compliance personnel or work with an experienced NIST 800-171 compliant MSP, while other organizations have limited personnel resources and need more help. Either way, we provide the right amount of support you need. 

• In conjunction with IT staff and any External Service Providers (ESPs), facilitate workshops to develop the Customer Responsibility Matrix (CRM)  
• Assist the organization with compiling evidence for POAM items 
• Develop and implement CMMC/CUI training for staff  
• Mark & Label all CUI Assets that are in scope, as required for certification (documents, facilities, hardware, etc.)   

There are numerous CMMC compliance evidence documents that must be generated weekly, monthly, quarterly, semi-annually and annually to prove that an organization is following their policies, processes and procedures to maintain their cybersecurity posture and CMMC certification. LRQA can assist you in setting up a schedule for compiling evidence (artifacts) at regular intervals as required, proving on-going compliance and cyber maturity.  

Whatever your level of engagement, LRQA’s expert staff can provide you with the support necessary to be successful in your pursuit of full CMMC Compliance.