What exactly is a CMMC .997 plan and why might you need it?

Jun 29, 2021 | CMMC, Blog

A note from the president of Duffy Compliance, Shawn Duffy

As the Cybersecurity Maturity Model Certification (CMMC) process continues to roll out, and businesses learn what is involved in all five levels, some requirements will look familiar, and some will not.

At Maturity Level 1, a company is said to have “basic cyber hygiene” and must implement 17 practices across 6 domains. Maturity Level 2 (ML2) is a transition level and requires a company to implement 72 cybersecurity related practices across 15 domains.

ML2 also adds the requirement to document the company policies (Domain.ML.999) and procedures (Domain.ML.998) the company uses to meet those 72 practices. In ML2, the company processes are described as “documented” and are said to have “intermediate cyber hygiene.”

The first two levels are probably familiar, as most organizations have dealt with company policies/procedures and are used to following some sort of cybersecurity-related rules.

However, in CMMC Maturity Level 3 (ML3), things become slightly less familiar. In ML3, companies must implement 130 practices across 17 domains as well as document the policies and procedures related to meeting those practices. That part is straightforward and in line with the previous maturity levels. But CMMC now also requires that these processes be actively “managed”; this is where “.997” comes in, as this requirement is Domain.ML.997.

CMMC guidance states it this way: “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training and involvement of relevant stakeholders.”

In other words, it is not enough to document your policies and procedures; companies must also demonstrate how they intend to manage their CMMC ML3 initiatives and provide the resources (people, technology, finances) needed to effectively implement them. Additionally, companies need to establish how they will measure their CMMC initiatives.

These management plans must address all 17 domains of CMMC ML3 and are really meant to be a strategic guide for management. To do it well, a company must put strategic thought into it, establish measurables, and define what success looks like from a cybersecurity standpoint. The company can then allocate resources and budget appropriately. Once properly resourced, the company must actively measure itself against those goals and objectives to see what is working and course correct as needed.

The managed plan is a way toward sound cybersecurity practices. Companies going through CMMC Level 3 certification need to demonstrate they are serious about cybersecurity. Proper resourcing, budgeting, and measurement of effectiveness illustrate that commitment to establishing and maintaining good cyber hygiene.

Good cybersecurity does not happen by accident or for free. It takes commitment, and those .997 plans will demonstrate that commitment and your good cybersecurity to the certifying body or anyone else who needs to know.

Duffy Compliance can service your organization to create your .997 plans. Please reach out to us today.
