About Partners Contact Client Portal
LinkedIn Twitter
Services Industries Insights & Events Careers & Culture

Services

RubinBrown specializes in providing a comprehensive range of services to meet business and personal needs. Whether you require expert tax, strategic business consulting, audit services or more, RubinBrown's team of experienced professionals are here to support you.

View All Our Services
Assurance Services
Benefit Plan Audit Services Public Company Services SOC Examinations, IT Audit, & Third-Party Risk
Consulting Services
Business Process Improvement Services Business Restructuring & Bankruptcy Services Cyber Security Services Environmental, Social and Governance Services ERP & Enterprise Software Advisory Fraud & Forensics SOC Examinations, IT Audit, & Third-Party Risk Information Technology Services Litigation Services Mergers & Acquisitions Services Risk & Internal Audit Services Valuation Services
Entrepreneurial Services
Outsourced Accounting & Advisory Services
Tax Services
Federal Tax Services Private Client Services Credits & Incentives Services State & Local Tax Services
RubinBrown Advisors RubinBrown Corporate Finance

Industries

At RubinBrown, we bring experience across a range of industries. Our experience enables our professionals to offer tailored solutions catering to the intricacies of each sector. Our professionals have years of focused engagement and skills, allowing them to navigate industry-specific challenges to benefit our clients.

View All Our Industries
Colleges & Universities Construction Gaming Healthcare Law Firms Life Sciences & Technology Manufacturing & Distribution Not-For-Profit Private Equity Public Sector Real Estate Transportation & Dealerships

Insights & Events

At RubinBrown, we provide valuable insights detailing emerging trends and industry-specific information. Our events, hosted virtually and in-person, keep you informed and connected to the topics and industries that matter most to you and your organization.

View All Insights & Events
Mar 25

Unlocking Growth: ERP's Role in Private Equity Investments

Learn More & Register

Preparing for CMMC Compliance: Get Started!

Learn More

RubinBrown Sports Betting Index: January 2025 Analysis

Learn More

Tax Bill Watch 2025: Progress Update

Learn More

Careers & Culture

At RubinBrown, we are inspired team members, working as one firm, living our core values, and Being Our Best for Others while delivering totally satisfied clients. We invite you to learn more about the Firm's culture, the Be Your Best for Others mentality, and explore the available opportunities at RubinBrown.

Discover Our Culture
Baker Tilly International Campus Recruiting Diversity & Inclusion Experienced Recruiting RubinBrown Charitable Foundation Join The Team
Back to Insights

Preparing for CMMC Compliance: Get Started!

Contact Us

Preparing for CMMC Compliance: Get Started!

Contact Us

Organizations supporting the Department of Defense (DoD) will soon be required to go through the Cybersecurity Maturity Model Certification (CMMC) process. CMMC assessments have already started, and the requirement will start showing up in DoD contracts in mid-2025. Preparing for the formal CMMC audit can take organizations up to 18 months, so if your organization has DoD contracts, get started as soon as possible. Achieving certification requires careful planning, implementation of security controls, policies, training, recurring human activities, and rigor to meet the CMMC requirements. 

Our team of dedicated cybersecurity specialists, including former military members, put the following guidance together to help organizations achieve and maintain compliance with CMMC.

1. Scoping

The most critical step in the process is to understand the scope boundaries and detail where Controlled Unclassified Information (CUI) is received, transmitted, stored, and processed. We start with the business processes and then map to the technology. Document the people, processes, and technology within the CMMC scope and diagram the electronic and physical (paper) data flow throughout the environment. Remember, CMMC includes personnel (HR), contracting (Legal), training (everyone with potential contact to CUI), and technology requirements—only a few of the requirements are purely technical.

Many organizations have processes that meet the requirements but fail to formally document the processes and maintain supporting evidence. The system diagram must identify CUI, Security Protection, Contractor Risk Managed, Specialized, and Out-of-Scope Assets.

2. Conduct a Readiness Assessment Early

One of the most important steps in preparing for CMMC is understanding where your organization currently stands. So many organizations have good processes and technology to meet the requirements but fail on documentation and training. Invest the time to review CMMC compliance from top to bottom, identify areas of improvement, and remediate issues.

A detailed readiness (or gap) assessment will identify potential issues in security controls, policies, and procedures compared to CMMC requirements. Ensure the readiness covers the full scope of CMMC, including all 14 families, 110 controls, and over 300 objectives. Remember, failing one objective causes the entre control to fail. Details are critical to CMMC compliance. CMMC Level 1 (organizations only handling Federal Contracting Information (FCI)) still has 17 controls and requires the same level of rigor.

We highly recommend you include onsite physical security reviews as part of the readiness process. The results should include an updated System Security Plan (SSP) and Plan of Action & Milestones (POA&M) system diagram and data flow diagram. The POA&M helps drive your priorities and tasks for remediation and improvement requirements.

3. Develop & Implement Security Policies

Identify the policies, procedures, and documentation needed to meet compliance requirements.

The SSP must describe how the organization implements each control in detail. The organization must have evidence to verify the implementation of each control according to the description in the SSP. Organizations must have policies, plans, and written procedures in addition to the SSP.

4. Strengthen Technical Controls & Cyber Hygiene

A key component of CMMC, as detailed in NIST SP800-171, is implementing a strong cybersecurity program to protect CUI. Requirements like enforcing multi-factor authentication (MFA), encrypting data at rest and in transit, monitoring for suspicious activity, maintaining endpoint security, and enforcing physical security restrictions are just a few of the requirements.

Some of these, like MFA for email, are quick and easy. Other requirements, like requiring MFA for all administrators for all types of access, can take a little longer to implement. Although the cybersecurity triad refers to confidentiality, integrity, and availability, the NIST SP800-171 standard is hyper-focused on confidentiality. The standard and CMMC are focused exclusively on the protection of CUI.

5. Train Employees on Security (& CUI) Awareness

Security training for employees and contractors is another requirement. Security awareness programs with ongoing training and phishing tests are a given. Beyond basic security awareness, all employees and contractors also need to be trained about CUI handling and storage, even if they are not directly involved with CUI. If someone in the organization identifies CUI (paper or electronic), they need to know how to handle it and how to secure it. 

6. Establish Continuous Monitoring & Incident Response Plans

Achieving CMMC certification is not a one-time effort—organizations must continuously monitor their security posture and be prepared to respond to incidents. CMMC requires annual updates to the SSP, periodic re-assessments, annual incident response testing, annual risk assessments, and many additional ongoing processes. The details on continuous monitoring will vary by company, technology, and service providers, but it all needs to be documented, executed, and evidenced on an ongoing basis.

The Bottom Line

Organizations with contracts supporting the DoD (prime or sub) need to get started as soon as possible on CMMC. Preparing for CMMC is a complex process, will take time, and definitely feels tedious at times. The controls detailed in CMMC (NIST SP800-171) guidance are good security controls and will not only help meet compliance requirements; they will also make the organization more resilient against cyber-attacks. If your organization needs assistance, make sure you reach out to qualified, certified, CMMC consultants and assessors for support.

 If you or your organization has questions, the RubinBrown Cyber Security Services team is ready to talk to you about CMMC, how to achieve compliance, and developing a long-term sustainable compliance program.

 

 

Published: 03/20/2025

Readers should not act upon information presented without individual professional consultation.

Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.

 

Contact Us:

Talk to Our Experts

Robert Rudloff, CISSP, CISA, QSA, CMMC RPA Partner rob.rudloff@rubinbrown.com 303-952-1220

Be Your Best for Others at RubinBrown

At RubinBrown, our firm fosters a culture built upon five vision points, and are guided by our philosophy of Being Our Best for Others. Discover how you can be your best at RubinBrown today by visiting our Careers & Culture Overview for available opportunities and more.

Discover Our Culture

Join Our Mailing List

RubinBrown periodically sends breaking regulatory updates, technical summaries, industry-specific information and event (in-person and virtual) invitations through electronic newsletters.

Sign Up for Our Communications
1-800-678-3134 Certified Public Accountants & Business Consultants

Ranked a Top 50 Accounting Firm by Inside Public Accounting

Firm News Disclaimers Privacy Policy Client Payment © 2025 RubinBrown LLP
ABACUS Recruiting RubinBrown Advisors RubinBrown Corporate Finance