Where do I start with CMMC compliance?

Posted on Dec 22, 2023

At long last, the CMMC proposed rule will be released on December 26, 2023! 

If you have not prepared to pass the CMMC Assessment, there is no time like the present! (And if we may be so bold, we suggest preparing for the journey with some music to get you in the right frame of mind!)

Where does a contractor in the Defense Industrial Base start?

Rally the troops, and choose a leader: CMMC compliance is a team effort. A common misconception of the CMMC program is that it contains all technical controls and requires little coordination with staff not directly involved with IT. However, the CMMC program controls involve much more than technical configurations: human resources, building security, administration and operations, accounting, and even external service and cloud providers may be inscope. 

Leadership starts at the top. Management must make clear that conforming to the requirements of CMMC is a priority. Kick off an all-hands meeting to align and educate the entire organization and include goals, defined roles and responsibilities, and communication channels. It is key to have one person designated to serve as the lead to coordinate your team’s efforts. In one company that MNS Group works with, the head of business development led the compliance implementation for the company. Why that role to lead the effort? Lost opportunity. This individual had a lot to lose if the company did not become compliant in time to win the contracts that provided the bulk of his department’s income, and he possessed the skills to educate, encourage, and track the various departments to contributions. Whoever in your organization secures the honor, they will require the support of the management team.

The good news is that if you are working with MNS Group, we are able to assist your team with our CMMC Certified Professionals and Assessors (CCPs and CCAs), with implementation and support toward compliance.

Determine the level you need to comply with.

Your contract and the type of information your company handles determines the level and number of controls your organization must meet. Every defense contractor will need to meet at minimum Level 1. The CMMC 2.0 model consists of three distinct levels, each representing a different set of cybersecurity practices and processes:

Level 1 – Foundational: This level is focused on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for this information as outlined in Federal Acquisition Regulation (FAR) 52.204-21. It includes 17 practices that are fundamental to cybersecurity, largely aligning with basic cyber hygiene practices. At this level, companies are required to perform annual self-assessments.

Level 2 – Advanced: Level 2 aligns with the protection of Controlled Unclassified Information (CUI) and is based on a subset of the security requirements specified in NIST SP 800-171. Level 2 applies to you if your company handles CUI; you are already subject to DFARS 252.204-7012 requirements and have been since late 2017. This level includes a total of 110 practices and focuses on the implementation of intermediate cyber hygiene practices to protect CUI. Level 2 requires companies to undergo an independent third-party assessment every three years to ensure compliance.

Level 3 – Expert: This level is intended for companies that are part of the defense industrial base and are handling critical national security information. Level 3 is based on a subset of the security requirements from NIST SP 800-172, along with additional practices and processes from other sources to protect CUI and reduce the risk from Advanced Persistent Threats (APTs). Compliance with Level 3 requires a government-led assessment every three years. The final rule is expected to have greater detail on this level.

Target your efforts based on the level at which your organization must comply. 


If your company handles, creates, stores, or transmits CUI- who handles it? Where is it accessed, processed, or stored? The environment where CUI exists helps determine your scope. A System Security Plan (SSP) documents what controls are in place. The smaller the environment, the less expensive compliance efforts will be. Some companies find that an enclave for the CUI is a smart solution.

An enclave is a way for organizations to limit the endpoints that need to be secured, making compliance efforts more streamlined, resulting in less expensive and sometimes faster compliance. All contractors to the DoD will have Level 1 controls in-scope applied organization-wide, even if your CUI is confined to an enclave.

Read More »

COMPLY> The Journey

Posted on Dec 22, 2023

COMPLY> The Journey

There was never a task that was not enhanced by a great playlist! Achieving CMMC compliance is quite a journey! With 2024 on the horizon, it is a great time to rock out (with some humor) while making strides toward a stronger and more cyber-resilient company! Our team created a playlist to stream in the background. GO AHEAD- you deserve a little...

Read More »

Bracing for Impact: The Finalization of CMMC Rules and What It Means for DoD Contractors

Posted on Dec 4, 2023

As the finalization of the Cybersecurity Maturity Model Certification (CMMC) rule looms near, DoD contractors are on high alert. With CMMC 2.0, the Department of Defense (DoD) aims to streamline and strengthen cybersecurity requirements. This shift to a three-level model demands a strategic approach from contractors to ensure compliance and safeguard sensitive information.
Although the final CMMC rule has not been officially released yet, recent developments have brought significant updates. As of November 21, 2023, the Office of Information and Regulatory Affairs (OIRA) website shows an important change in the status of the eight components and the overarching Framework of the Cybersecurity Maturity Model Certification Program (CMMC). Previously marked as “Pending Review,” these elements have now been updated to “Consistent with Change.” This shift suggests that the CMMC program, along with its eight foundational policy elements, is advancing towards publication.

Read More »

Travel, Temps, and Tempests, OH MY! Take Steps to Keep Tech Tip Top

Posted on Jun 21, 2023

Travel, Temps, and Tempests, OH MY! Take Steps to Keep Tech Tip Top

Hurricanes, thunderstorms, and a reliance on air conditioning that taxes the power grids can cause outages and increase the risk of power surges. To prevent any potential damage from power surges, it’s essential that all your PCs or servers are connected to UPS devices. That’s the battery backup that kicks in during power outages. Check the integrity of your Uninterruptible Power Supply (UPS); make sure the light on the UPS is working properly. You can also unplug the UPS from the power source to see if it will still power your computer without external electricity.

Did you test and find the UPS is not working? Plan to replace the UPS as soon as possible. Simply power down and unplug your device before leaving for the day, especially if bad weather is expected. If you are one of our clients and need advice regarding a new UPS, just open a ticket via your portal or email and we will happily help you choose one!

Keep Connected with Your Hot Spot
Power outages often interrupt internet connectivity, even after the power returns! As a stopgap until service can be restored, consider using your phone as a hotspot to get connected and be able to work again.

Speaking of Heat….

Read More »

MNS Group Becomes an Authorized CMMC C3PAO

Posted on May 10, 2023

MNS Group Becomes an Authorized CMMC C3PAO

MNS Group is pleased to announce that it has received The Cyber AB’s accreditation to certify government contractors and commercial companies with CMMC compliance, strengthening its ability to deliver comprehensive CMMC services.

Overseen by the Department of Defense (DoD) and Cyber AB, the CMMC Accreditation Body, MNS Group successfully passed the CMMC Level 2 assessment administered by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), meeting all CMMC Third-Party Assessment Organization (C3PAO) requirements.

Developed by the DoD, The Cybersecurity Maturity Model Certification (CMMC) program is designed to enforce the protection of sensitive unclassified information that is shared by the DoD with its contractors and subcontractors in the Defense Industrial Base (DIB). CMMC will require third-party evaluation to determine whether a contractor is fit to do business with the DoD and participate in the DIB. The Cyber AB established two non-governmental roles: the Registered Provider Organization (RPO) and the C3PAO. MNS Group has been an RPO since November 2020, assisting clients in their preparation to obtain their CMMC.

“With over 20 years of cybersecurity, technology, and business process experience, our team has been assisting members of the DIB to harden their cybersecurity posture and achieve CMMC compliance, and in doing so, strengthen our national security. Certifying as a third-party assessment organization was a natural next step. We look forward to our expanded role validating organizations seeking CMMC certification,” said Tobias Musser, CEO at MNS Group. “It is an honor to meet with DIB businesses and be allowed the opportunity to observe that they have met the tasks needed to secure the sensitive data entrusted to them, so they can get out there and win contracts.”

MNS Group is proud to be one of only forty CMMC C3PAOs accredited to April 29, 2023. It has CMMC Certified Assessors and Professionals on staff, as well as Registered Practitioners.

Read More »

Love your job again: hiring a Technology Consultant can make Monday your favorite day of the week 

Posted on Dec 12, 2022

Love your job again: hiring a Technology Consultant can make Monday your favorite day of the week 

When did the Sunday Scaries, the anxious dread that precedes the beginning of the work week begin for you? The calendar is full, the to-do list is over-populated, and leaders fill multiple roles leading to burnout and negativity. It is no wonder that the modern professional is not excited to jump out of bed on Monday. A single hire could change this for your organization. 

With such heavy workloads, energy toward creativity and out-of-the-box thinking is nil.  Business leaders need energy that allows traction toward working ON the business, and not just IN it – spinning plates and wearing so many hats. A technology consultant may be the answer to “smarten” your tech to work for you, so you can work on the business you (used) to love.  

What Is Technology Consulting? 

These days, a Technology Consultant does much more than manage printers, assist with helpdesk repairs, or install networks; after all, technology is woven into every aspect of business. A consultant serves as a sounding board from whom you can ask questions, who will learn about your business, your goals, and how you implement technology. A good Technology Consultant is NOT an IT consultant; they look at a much broader picture, identifying efficiencies in processes, assessing risk, controlling costs, and advising on compliance and liability. Delegating these roles to experts will help you get back to the work you enjoy and may even help profitability. 

A study by IBM and the Ponemon Institute found that the use of emerging technologies reduces costs. For example, the adoption of artificial intelligence, security analytics, and encryption saved companies up to $1.49 million compared to those who did not use these tools.  

Read More »