Building a Healthy Body of Evidence

Preparing for the Cybersecurity Maturity Model Certification (CMMC) assessment is a considerable investment of both time and money. Organizations handling Controlled Unclassified Information (CUI) within the defense industrial base should expect to have an authorized CMMC 3rd Party Assessment Organization (C3PAO) certify their implementation of the NIST SP 800-171 security requirements. Assessors will evaluate how the contractor implements each of the 320 objectives across all applicable assets within scope, including people, facilities and technologies.

K2 Compliance for CMMC


For Organizations Seeking Certification (OSC)

The assessment process is expected to involve a review of artifacts, interviews with key personnel and tests of the technical, administrative and physical controls. As organizations prepare their body of evidence, they should establish a clear relationship between each artifact, the security requirement objectives it supports, and the assets within scope to which it applies.


For Consultants and Managed Service Providers

Many small businesses in the defense industrial base rely on information security subject matter experts and managed service providers to assist them in the implementation and documentation of NIST SP 800-171 controls. Our platform was designed with a multi-tenant architecture, allowing consultants to navigate to client datasets using a single logon.


Preparedness Through Innovative Technology

K2 Compliance was initially developed to document our own implementation of the HIPAA Security Rule. As our compliance requirements evolved, we expanded it to document other frameworks such as SOC 2. During a Type II audit, our assessors noticed how efficient we were compared to other organizations struggling to keep up with tasks and organize documentation. During their presentation to our leadership team, they recommended we consider bringing K2 Compliance to market and suggested evaluating CMMC as a potential market to explore. Since then, we’ve made a series of enhancements specific to CMMC and we’re constantly working with our customers to improve its capabilities.


Sophisticated Security

Integrate your existing Security Assertion Markup Language (SAML) Single Sign-On (SSO) for improved user experience and simplified administration.

API Integration

Application Programming Interfaces (APIs) allow for integration with your existing technology stack. Automate the input of artifacts or update Plans of Action and Milestones (POA&Ms) from your ticketing system.

Assessable Objectives

CMMC is assessed at the objective level for all assets within scope. Our tool calculates Level 2 compliance from the 320 objectives across all assets within scope.

AWS Cloud-Hosted

Every instance generated through K2 Compliance for CMMC exists within an AWS environment. For those with a lower risk tolerance, our interface can be built in an AWS FedRAMP Moderate environment.

Exportable SSP

Export a system security plan (SSP) using the widely accepted FedRAMP Moderate template, tailored to meet requirement 3.12.4 of NIST SP 800-171.

Multiple Frameworks Supported

Looking to go beyond the confidentiality requirements of NIST SP 800-171? We include other frameworks as well, including HIPAA, NIST SP 800-172, NIST SP 800-53, and the NIST Cybersecurity Framework.


Schedule a demo to learn more about K2 Compliance for CMMC!

A Different Type of Deliverable

Small businesses are increasingly reliant on contracted information security professionals to assist them in understanding, implementing, and documenting the requirements of NIST SP 800-171. At the end of a ‘successful’ engagement, the deliverable is often an assortment of policies, procedures, artifacts and plans. However, policies should be reviewed annually, and procedures, artifacts and plans change over time, so the responsibility for keeping the documentation current often falls back on the small business. What if there was a better way…

K2 Compliance For Consultants and MSPs

Expiring Evidence

Specify the period of time an artifact is valid before it expires. Expirations can prompt reviews of procedures and artifacts before reaffirming that an objective is met for an asset within scope.

Delegated Assignments

Assign ownership at the practice and task levels to authorized users. Send electronic information requests to solicit input from non-system users.

Enhanced Gap Assessment

From a single workflow, assess NIST SP 800-171 at the objective level, generate a POA&M and SSP, and calculate a Supplier Performance Risk System (SPRS) score.

Meet New Prospects

When we have customers and prospects who need consulting services, we introduce them to a referral partner that is best suited to meet their needs.

Custom Templates

Jumpstart progress on new engagements by creating a template that references standard policies, procedures and technologies that are most commonly used by your customers.

Referral Model

If our tool helps you and your clients, we’ll share in the revenue you help us generate or pass the same percentage discount along to your customer.


Downloadable CMMC Resources

Regardless of your role in the ecosystem, we’ve curated a series of free resources to help further the cause of understanding and implementing NIST SP 800-171 in the defense industrial base.