If you’re a business that deals with the U.S. Department of Defense, you’ve probably heard about the Cybersecurity Maturity Model Certification, or CMMC for short. This certification is like a shield that ensures your organization’s cybersecurity is up to snuff when working with the DoD.
But here’s the thing: preparing for a CMMC compliance assessment might sound daunting, like a complicated puzzle waiting to be solved. Well, fear not! In this blog post, we’ll break down how to get your business ready for that all-important assessment.
Here are the steps to prepare for your CMMC assessment:
Step 1: Identify your Required CMMC Level
The task of creating protocols to accredit CMMC Third-Party Assessor Organizations (C3PAOs) falls under the authority of the CyberAB, formerly known as the CMMC Accreditation Body. These organizations provide the assessors who evaluate the CMMC compliance levels of contractors looking to work with the DoD.
Additionally, the CyberAB establishes and manages a CMMC Marketplace where contractors can look for an authorized C3PAO in their area and arrange for a CMMC assessment.
The C3PAO will perform a specific assessment depending on the CMMC maturity level the contractor wishes to reach, which in turn depends on the data the contractor stores, processes, and transmits.
CMMC 2.0 has three maturity levels:
- Level 1: Foundational cyber hygiene
- Level 2: Advanced cyber hygiene
- Level 3: Expert cyber hygiene
These maturity levels are arranged hierarchically, with Level 1 offering the lowest level of security and Level 3 the highest and most rigorous.
Each higher level includes all of the requirements of the levels directly below it.
For instance, obtaining Level 3 compliance requires a contractor to satisfy all Level 1 and Level 2 requirements in addition to the new Level 3 requirements.
Level 1: Foundational cyber hygiene
CMMC 2.0 Level 1 covers only companies that handle Federal Contract Information (FCI), and it offers the most fundamental protection for covered contractor information.
It corresponds to CMMC 1.02 Level 1 and is based on the 17 controls in FAR 52.204-21.
These controls essentially limit system access to authorized users, with the goal of safeguarding covered contractor information systems.
Level 2: Advanced cyber hygiene
CMMC 2.0 Level 2 applies to companies that work with Controlled Unclassified Information (CUI).
Based on NIST SP 800-171, this level corresponds to CMMC 1.02 Level 3 and comprises all 14 domains and 110 security controls from NIST SP 800-171.
As a result, CMMC 2.0 Level 2 is fully aligned with NIST SP 800-171.
Level 3: Expert cyber hygiene
By mandating additional, enhanced and proactive requirements, CMMC 2.0 Level 3 focuses on reducing a system’s vulnerability to advanced persistent threats (APTs). Contracts that deal with Confidential, Secret, and Top Secret material fall under this category.
Although the Level 3 requirements are still being developed, reports indicate that they will be based on a subset of NIST SP 800-172 controls in addition to the 110 controls from NIST SP 800-171.
Step 2: Assess and Identify Your CUI & FCI
One of the first tasks in preparing for CMMC compliance or a CMMC assessment is determining which data will be subject to CMMC.
Answering the following five questions about data and user flows gives an organization a quick sense of how much work this process will require:
- Does the organization have CUI (digital and/or physical)?
- Is the CUI consolidated?
- Does the CUI have controls?
- Does the site have mature IT requirements?
- What are the scope and boundaries of the CUI?
What is the difference between CUI and FCI?
Although CUI and FCI are closely related categories of government data, it’s critical to understand their distinctions when pursuing CMMC certification.
CUI is any information that a government organization creates or owns and that requires safeguarding, in the form of a law, permit, policy, or regulation, before a contractor is allowed access.
Based on the robustness of the safeguards needed to protect it, CUI is further divided into two types: CUI Basic and CUI Specified.
CUI Basic must still be protected, but the governing authority does not specify how. For CUI Specified, the government must provide clear safeguarding measures.
Neither category of information exists in a non-executive part of the government unless an executive agency created, used, or possessed that information.
FCI, in general, refers to any data provided to or produced by a contractor in connection with providing a good or service to the government under a contract.
However, it does not include information that the government has made publicly available or transactional data required for payments.
The FAR 4.1901 definition of FCI is further clarified by the Committee on National Security Systems Instruction (CNSSI) as covering “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
Step 3: Read the CMMC Assessment Guides & Appendices
A thorough review of the CMMC assessment guides and their appendices should be one of the first steps toward CMMC compliance, because these documents have remained consistent throughout the framework’s development.
Study the purpose and definition of each control along with its other specifics. Contractors should also make sure they understand the distinctions between the three CMMC maturity levels, including the goals, safeguards, and specifications that a C3PAO will evaluate.
Contractors that have previously worked for the DoD will be familiar with the NIST SP 800-171 standard for data protection.
DoD contractors may also already be familiar with two other security standards: the Federal Information Security Modernization Act (FISMA) and ISO 27001.
The security requirements in these standards overlap with those of CMMC, particularly at its lower maturity levels.
As one of the pillars of the CMMC framework, NIST 800-171 is extremely pertinent to CMMC compliance.
Because the two standards are so closely related, a contractor that complies with NIST 800-171 is already in compliance with CMMC Level 1.
CMMC includes all 110 security controls listed in NIST 800-171, and the higher maturity levels add further controls.
Step 4: Conduct a Thorough NIST 800-171 & CMMC Gap Analysis
A gap analysis against the assessment objectives in the assessment guides and NIST 800-171A identifies the areas in which an organization’s security posture falls short of a given standard.
A contractor that already works for the DoD will normally want to start this process with a NIST 800-171 gap assessment, to confirm that all of those controls have been implemented.
The next step is a CMMC gap analysis for the required maturity level, to find any additional controls the contractor has not yet implemented.
Contractors can conduct both of these assessments themselves before hiring an experienced consultant or undergoing a formal C3PAO assessment.
The drawback is that self-assessments are generally less effective, because the people performing them typically lack the expertise needed to interpret the assessment objectives accurately.
That said, a self-assessment is a crucial first step for determining the implementation plan an organization will follow.
Step 5: Develop & Review System Security Plans & Plan of Action and Milestones (POAM)
A system security plan (SSP) is a document that describes how a company complies, or intends to comply, with the security requirements for a system.
In particular, the SSP outlines the system boundaries, the environment in which the system operates, how the security requirements are implemented, and any connections or relationships with other systems.
A POAM outlines the steps a member of the Defense Industrial Base (DIB) must take to address the deficiencies found in the NIST 800-171 gap assessment. It should specify the exact tasks to be carried out and the resources required to complete them.
Previously, NIST 800-171 non-compliance was permitted as long as the contractor created a POAM to address the gaps and made progress on it.
That will no longer be the case for many businesses, because most contracts requiring CMMC Level 2 certification (or higher) will call for annual self-attestation in addition to a third-party assessment every three years.
There are a few exceptions, as there usually are.
Under the CMMC 2.0 model, select programs that require Level 2 certification but handle non-prioritized data that is not critical to national security may be permitted to perform an annual self-assessment instead. This is likely to be exceedingly rare.
Step 6: Find the Right Partners to Evaluate Internal Resources
Each contracting organization receives a specific CMMC maturity level from a C3PAO once the assessment is complete. Contractors are strongly advised to work with reputable, knowledgeable vendors to prepare properly before that assessment.
Finding a dependable vendor with the appropriate credentials is essential, since the vendor will take part in the process as a partner rather than merely as a third-party auditor.
A long-term engagement with a C3PAO and trustworthy subject-matter-expert vendors is crucial to the optimal approach for achieving CMMC compliance. Many of the additional certifications a contractor may need before being awarded a contract interact with CMMC in some way.
For instance, one of the first things a C3PAO does when preparing a contractor for an audit is to streamline the audit process.
One of the most important ways these organizations keep up with this evolving process is by attending CMMC-AB (now CyberAB) town halls. These events make it more likely that a C3PAO can effectively assist contractors in their pursuit of CMMC.
How can Intelecis Help?
Preparing for your CMMC Compliance assessment can seem like a daunting task, but it’s a crucial step to ensure the security of your organization’s sensitive information and maintain trust with your clients. At Intelecis, we understand the challenges that come with meeting the CMMC requirements, and we’re here to make the process as smooth as possible for your organization.
Our team of experts is dedicated to helping you navigate the complex landscape of cybersecurity and compliance. We have the knowledge, experience, and tools necessary to guide your organization through each stage of the CMMC assessment, from initial planning to implementation and validation.
With our support, you can rest assured that your organization will be well-prepared to meet the CMMC standards, safeguard your data, and maintain your reputation. Don’t wait until it’s too late – take action today to ensure your compliance and protect your business.
So, if you’re ready to embark on the journey to CMMC compliance and want a seamless experience, talk to us today.