Compliance & Audit
CMMC v2 Readiness
Leading a CMMC v2 analysis project to get a client ready for their certification audit, covering multiple cloud environments using Wiz for Gov and Wiz CMMC reporting capabilities.

Overview
This project involves leading a full CMMC v2 (Cybersecurity Maturity Model Certification) analysis engagement for a client preparing for an official certification audit. The work spans multiple cloud environments and covers all 110 security practices required for CMMC Level 2 compliance.
What is CMMC?
CMMC is the U.S. Department of Defense’s framework for making sure companies that handle controlled defense information take security seriously. If your organization processes or stores CUI (Controlled Unclassified Information) and wants to work on DoD contracts, CMMC certification is required.
Getting certified is not just a matter of filling out a form. It requires real evidence that your controls are in place, working, and consistently applied across every system that touches CUI.
What We’re Doing
Our role is to help the client close the gap between where they are now and where they need to be before an auditor walks in the door. That means:
- Running a full assessment of their current security posture against all 110 CMMC Level 2 practices
- Identifying gaps and prioritizing which ones carry the most risk or require the most time to fix
- Building the evidence package that auditors will review during the assessment
- Providing a clear remediation roadmap with owners, timelines, and milestones
- Running validation checks to confirm fixes are actually in place before the audit
Tools and Approach
Wiz for Gov
We are using Wiz for Gov to scan and assess the client’s cloud environments. Wiz gives us visibility into misconfigurations, exposed assets, and compliance gaps across multiple clouds — all from a single platform.
Wiz for Gov is built specifically for government and defense use cases. It understands the strict data handling requirements that come with CUI workloads and aligns well with the expectations of a CMMC assessor.
Wiz CMMC Reporting
Wiz has a built-in CMMC reporting module that maps scan findings directly to the 14 CMMC domains and their associated practices. Instead of manually cross-referencing every result against the control list, the tool handles that mapping automatically and produces structured reports we can hand to auditors.
This significantly reduces the manual effort involved in building the evidence package and makes it easier to track which gaps are closed and which are still open.
Scope
The engagement covers:
- Multiple cloud platforms (AWS, Azure, GovCloud)
- On-prem and hybrid environments
- All 14 CMMC v2 Level 2 domains
- Supporting systems and third-party tools that are in scope for CUI
The 14 domains span areas including access control, audit and accountability, configuration management, incident response, media protection, risk assessment, system integrity, and more.
Approach
The engagement is broken into phases:
- Scoping — Define which systems are in scope, who owns them, and what CUI flows through them
- Assessment — Run automated scans and manual reviews against all 110 practices
- Gap analysis — Document what is missing, what is partial, and what is already compliant
- Remediation planning — Build a prioritized plan to close the gaps before the audit
- Evidence collection — Gather and organize the documentation that auditors will request
- Validation — Confirm that remediated controls are working as expected
Current Status
Active. The gap assessment is complete and the remediation plan is in place. The client is actively working through the remediation backlog, and we are supporting evidence collection and validation in parallel.
- Multi-cloud gap assessment. Reviewed all 110 CMMC Level 2 practices across multiple cloud platforms and on-prem systems to identify exactly where the client stands before the audit.
- Wiz for Gov. Used Wiz for Gov to scan and assess cloud environments, mapping findings directly to CMMC practices and domains with full visibility across AWS, Azure, and GovCloud.
- Wiz CMMC reporting. Leveraged Wiz's built-in CMMC reporting to generate structured evidence packages and track remediation progress — giving auditors a clear picture of the security posture.