
How does SharkStriker help you become CMMC compliant?  

One survey found that a majority of defense contractors lack basic cybersecurity controls.

The research revealed that: 

  • Over 65% did not have SIEM (Security Information and Event Management). 
  • 61% did not have Endpoint Detection and Response (EDR). 
  • 78% did not have a vulnerability management solution. 
  • 62% did not have Multi-factor Authentication (MFA).

These figures point to a widespread lack of basic cybersecurity hygiene across the defense sector.

Because defense organizations contract with many parties for defense-specific goods and services, they must ensure that every contractor and subcontractor follows security best practices, so that sensitive information is not exposed through the weakest link in the supply chain.

What is CMMC compliance? 

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the Department of Defense (DoD) in 2019 to establish a baseline level of cybersecurity across its supply chain. Its primary goal is to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that flow through contracts between the DoD and its contractors.

CUI is unclassified information that the government creates or possesses (or that a contractor creates or handles on the government's behalf) and that a law, regulation, or government-wide policy requires to be safeguarded; in a DoD context this includes, for example, technical data about weapons systems and other defense programs. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to deliver a product or service, such as contract terms, deliverables, and the parties involved.

NIST SP 800-171, on which CMMC is built, requires organizations handling CUI to maintain a System Security Plan (SSP) that documents the system boundary and describes how each security requirement is implemented for every system that stores, processes, or transmits CUI.

Who governs it? 

CMMC is governed by the Department of Defense (DoD) and applies to contractors that are part of the Defense Industrial Base (DIB). Depending on the level required by a contract, an organization is assessed through a self-assessment, an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB (the CMMC Accreditation Body), or a government-led assessment.

To whom is CMMC compliance applicable?

All contractors that are part of the Defense Industrial Base (DIB) are subject to CMMC. With more than 300,000 global providers of goods and services to the Pentagon, CMMC is a critical compliance requirement for prime contractors and subcontractors alike.

What do the levels of maturity mean in CMMC? 

Each DoD contract specifies the CMMC level a contractor must meet. The level depends on the sensitivity of the information handled and the security measures that must be in place, and every organization is assessed against the level its contract requires.

The requirements at each level are based on the implementation of controls drawn from NIST SP 800-171. CMMC 2.0 replaced the original five-level model with a three-level model: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).

CMMC 1.0 grouped its practices into the following 17 domains; CMMC 2.0 aligns instead to the 14 requirement families of NIST SP 800-171, dropping Asset Management, Recovery, Risk Management, and Situational Awareness as separate domains:

  1. Incident Response (IR)
  2. Access Control (AC)
  3. Maintenance (MA)
  4. Security Assessment (CA)
  5. Configuration Management (CM)
  6. Asset Management (AM)
  7. Risk Management (RM)
  8. Awareness and Training (AT)
  9. Media Protection (MP)
  10. Audit and Accountability (AU)
  11. System and Communications Protection (SC)
  12. Personnel Security (PS)
  13. Physical Protection (PE)
  14. Recovery (RE)
  15. System and Information Integrity (SI)
  16. Identification and Authentication (IA)
  17. Situational Awareness (SA)

The following are the levels defined by CMMC 2.0:

Level 1: Foundational  

Organizations at Level 1 must implement the 17 basic safeguarding practices derived from FAR 52.204-21 (a subset of the NIST SP 800-171 requirements), such as limiting system access to authorized users, and verify them through an annual self-assessment. Level 1 provides a basic level of information security for organizations that handle FCI only.

Level 2: Advanced 

At this level, organizations are assessed on their implementation of the 110 security requirements across 14 families in NIST SP 800-171. It applies to companies that handle CUI. For most Level 2 contracts, a C3PAO assessment is required every three years; a subset of programs with less sensitive CUI may be covered by an annual self-assessment instead, and in both cases a senior official must affirm continued compliance annually.

Level 3: Expert

Level 3 applies to companies handling CUI for the DoD's highest-priority programs. It requires the 110 requirements of NIST SP 800-171 plus a subset of the enhanced requirements from NIST SP 800-172, building on a Level 2 C3PAO certification. These organizations are evaluated through a government-led assessment every three years.

What are the challenges to CMMC compliance? 

There are some bottlenecks that contractors face in becoming CMMC compliant. These challenges include:  

Limited team for compliance management 

Organizations often lack the in-house cybersecurity and compliance expertise needed to identify and close CMMC gaps, and the areas that demand the deepest expertise are the ones most likely to be missed.

The absence of an Information Security Program in place 

The biggest challenge is that many organizations have no information security program at all. Even those compliant with other frameworks are not covered, because those frameworks do not address every requirement of CMMC.

Challenge locating and identifying Controlled Unclassified Information (CUI) 

Contractors often struggle to locate, identify, and categorize the CUI they store. Without a clearly scoped CUI boundary, they end up applying blanket controls across the whole environment, which adds cost and effort without reducing risk where it matters.

Their System Security Plan (SSP) does not address all the aspects of CMMC compliance 

Contractors frequently fail to implement, accurately and on time, everything their System Security Plan (SSP) commits to, leaving the SSP incomplete and significantly increasing their non-compliance risk. Organizations that neglect regular reassessment also drift out of compliance over time.

CMMC compliance is viewed as a checklist  

CMMC compliance is often treated as a one-time activity: work through a checklist of measures and move on. In reality it is a continuous process that requires organizations to maintain the controls, reassess periodically, and keep up with changes to the requirements.

Underestimation of the time required to achieve the compliance 

Organizations often underestimate the time required to identify and implement all the required measures. CMMC demands sustained investment in time and research that organizations may not be prepared for.

What are the consequences of being non-compliant to CMMC? 

CMMC itself defines no monetary penalty for non-compliance. The DoD has directed that all Defense Industrial Base contractors be CMMC compliant by 2025, and a contractor found non-compliant in an assessment may lose a DoD contract or become ineligible to bid on new ones. Misrepresenting compliance status in a contract can additionally expose a contractor to liability under the False Claims Act.

What are the benefits of CMMC compliance? 

By implementing all the guidelines recommended by CMMC, organizations experience a range of business benefits. Some of the business benefits of being compliant include: 

Increased business opportunities 

The primary advantage of being CMMC compliant is that it makes an organization eligible for acquiring contracts from DoD. It improves the chances of landing a government contract significantly.   

Improved posture in the long run 

CMMC prescribes risk management practices that help organizations manage risk and protect their most sensitive information assets over the long term.

Adherence to global standards 

The CMMC guidelines comprise some of the global best practices in information security. So, by implementing these best practices, businesses automatically adhere to many global cybersecurity standards.   

Relatively less cost of compliance assessment  

Compliance assessments can be costly. Under CMMC, however, organizations at Level 1 can self-assess and save the cost of a third-party assessment.

Prepares against cyber incidents 

It provides proactive measures that assist organizations to control damage and secure their information assets from the outcome of cyber-attacks.   

How does SharkStriker help you become compliant? 

SharkStriker provides a single-stop service that addresses all aspects of compliance and cybersecurity, offering dedicated support throughout the compliance journey. Its subject matter experts help organizations take the steps needed to stay compliant in a highly volatile regulatory environment.

The following is SharkStriker’s approach to compliance: 

Risk Assessment 

The first step is to agree on the scope with the client and conduct an organization-wide Risk Assessment using Vulnerability Assessment and Penetration Testing (VAPT), categorizing the findings by severity and preparing a report of all the risks.

Gap Assessment 

The next step is to conduct a multi-level compliance gap assessment to understand the areas to be addressed in compliance with appropriate measures. Once we have assessed the compliance gaps, we prepare a detailed report.

Risk Treatment Plan

Once the gaps in cybersecurity and compliance are identified, we prepare a comprehensive plan with all the measures, controls, rules, and procedures for treating all the compliance and cybersecurity risks across the infrastructure. 

Implementation

We implement the risk treatment plan with the right people, processes, measures, controls, technology, resources, and expertise.

Post-implementation audit

To ensure that the risk treatment plan is implemented effectively, we run a post-implementation audit, and upon identification of the gaps we take measures to treat them. 

Awareness and Training 

Awareness is a critical aspect of compliance. We conduct an awareness assessment across levels and identify all the areas where there are gaps in awareness of compliance and cybersecurity. Then we prepare training and awareness programs to treat all the awareness gaps in cyber security and compliance in the organization. 
