12 Steps to Help You Get Ready for CMMC
If you are a defense contractor handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), you will soon be required to achieve Cybersecurity Maturity Model Certification (CMMC).
CMMC is the Department of Defense’s (DoD) upcoming assessment standard, designed to ensure that defense contractors are in compliance with current security requirements for protecting sensitive defense information.
At its core, CMMC compliance is defined by the following main objectives:
- Protect sensitive defense information such as FCI and CUI from cyber attacks and nation state actors.
- Ensure compliance with the NIST 800-171 and DFARS 7012 standards.
- Create a unifying cybersecurity standard for defense contractors.
- Ensure accountability for defense companies that are responsible for protecting government data.
This blog provides a checklist to help you organize your company’s efforts to meet the upcoming standard.
What is CMMC Compliance?
There are 3 levels of CMMC compliance, with increasingly rigorous security standards as the levels ascend.
Level 1 (Foundational) applies to companies that handle only Federal Contract Information (FCI), such as contract performance reports or proposal responses. Companies handling CUI, such as research and engineering data, or engineering drawings, will need to meet Level 2 (Advanced) or Level 3 (Expert).
While CMMC is not yet in contracts, it will be soon. Achieving CMMC compliance can take a year or more for the average small to medium-sized business (SMB), so contractors should not delay getting started on their compliance journeys.
Moreover, defense contractors currently handling CUI are already subject to DFARS 252.204-7012 requirements and have been since late 2017. That clause stipulates that contractors must meet the 110 NIST 800-171 controls in order to safeguard CUI during the course of their work with the DoD. These same controls are at the heart of CMMC Level 2.
CMMC is part of a broader move towards more rigorous enforcement of cybersecurity standards throughout the Defense Industrial Base (DIB). In order to remain competitive for government contracts, defense contractors must prioritize achieving CMMC compliance. This blog post will help you do so efficiently.
CMMC 2.0 Checklist
We’ve broken your CMMC compliance journey down into 12 straightforward steps. By following these steps, you will ensure that you approach compliance in an efficient and comprehensive way. And while these steps enable you to see a clear path forward, do realize that you will need to allow yourself at least 12-18 months to go through this checklist.
- Determine what level of CMMC compliance your organization requires.
The level of CMMC you need to meet depends on what sort of government data you handle.
Once CMMC rolls out, every defense contractor will have to meet at least Level 1 (Foundational). At Level 1 contractors will be required to protect FCI based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information. These controls look to protect covered contractor information systems and limit access to authorized users.
If your organization handles CUI, you will need to meet Level 2 (Advanced) or Level 3 (Expert). Level 2 security controls will mirror NIST SP 800-171, aligning completely with the 14 control families and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect CUI. Companies that currently have a DFARS 7012 clause in their contract are already required to meet these same 110 controls.
Level 3 focuses on reducing the risk from Advanced Persistent Threats (APTs) for companies working with CUI on DoD’s highest priority programs. The DoD is still determining the specific security requirements for Level 3, but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of 20 NIST SP 800-172 controls, making for a total of 130 controls.
As the first step in your CMMC compliance journey, check your contract to determine which level you will be required to meet. This will allow you to work toward a clear target.
- Ensure that there is at least one person on your team who owns CMMC compliance.
Dispersing responsibility too often results in no responsibility. Assign a compliance point person to own your team’s compliance journey. This will often be someone in IT, but it doesn’t have to be.
Your compliance point person will need to meet with the various stakeholders within your organization and ensure their participation and timely delivery of results. The compliance point person is also responsible for ensuring appropriate technologies are purchased, policies are created, and protocols are followed.
One of the compliance lead’s first tasks should be creating a timeline for how the organization will become CMMC-ready. There are numerous ways in which the timeline can unfold. For example, an organization can first focus on the controls that cannot be POA&Med, or it can focus on completing a certain number of controls every month. Every business is different, so the plan will need to be individualized. Most importantly, the compliance lead will need to ensure that each control points back to the company’s System Security Plan (SSP), as described below, as well as to its policies and procedures.
- Determine where CUI lives in your environment.
The size of the enclave wherein CUI lives determines how costly it will be to achieve compliance. The smaller you can make that enclave, the cheaper, faster, and easier compliance will be to achieve because you will have fewer endpoints to secure and fewer people to train on CMMC compliance protocols.
Start by assessing your scope as it stands right now. Where does CUI flow in and out of your environment? Where is it stored, accessed, processed?
Once you have the answer to those questions, do your best to narrow your scope. Every access point you eliminate is dollars back in your pocket.
- Determine who has access to the CUI.
Scope isn’t just about where CUI is stored, it’s also about who has access. Again, the size of the group with access to CUI will determine how costly compliance is.
Limit access to CUI to only those team members for whom access is critical to their work. Every person who has access will need to be trained on CUI management and will require licenses to compliant technologies. The fewer the people with access, the faster and cheaper it’ll be to conduct that training and secure those licenses.
- Determine what technologies you will use to protect CUI.
Most organizations will need to employ new technology solutions to protect unstructured CUI data such as email and files. In fact, email and files are how CUI is most often shared with colleagues both inside and outside of an organization. If you’re using commercial O365 or GSuite, those communication systems cannot support CMMC compliance. You’ll need to make a switch.
Not all encryption is created equal, so it’s not enough to simply choose an end-to-end encrypted system. You’ll need to make sure that your new communication platform relies on FIPS 140-2 validated encryption modules to protect CUI. FIPS 140-2 is the security standard that the government requires to ensure that cryptographic modules are secure enough to protect data with national security implications.
Further, any cloud service provider (CSP) you use to store CUI must meet FedRAMP Moderate Baseline or Equivalent standards. Ask to see a certificate of equivalency from a FedRAMP third party assessor organization (3PAO).
- (Optional) Hire a CMMC Registered Practitioner (RP) to help determine your compliance score.
You will likely need a third party to help you implement technology and get your documentation organized. This expert can ensure you have as few compliance gaps as possible. Turn to an RP or RPO (registered practitioner organization) to help.
An RP might catch something you missed, or be able to tell you if anything in your SSP is unclear. If your RP hits any snags, pause at this step to close the security gaps they’ve identified. At this step you may want to hire a managed service provider (MSP) to help close those gaps if your in-house competencies are limited.
Once your RP agrees that you’re ready, proceed to the next step.
- Ensure you have robust documentation.
It’s not enough to simply protect your CUI, you also must be able to prove that you’re compliant. CMMC assessments will be conducted by Certified Third Party Assessment Organizations (C3PAOs) at Levels 2 and 3. These C3PAOs will require your System Security Plan (SSP) to show how you are meeting each assessment objective as well as providing sufficient evidence and support to demonstrate that you are meeting the assessment objectives.
Even if you had an RP help in the previous step, you will need to work diligently to complete your documentation and ensure you have evidence of the policies and procedures implemented.
Your SSP will document the cybersecurity program that’s in place and describe how you meet the 110 NIST 800-171 controls through policies, procedures and training. It serves as a roadmap for the assessor, showing how you’re meeting NIST 800-171.
Creating an SSP cannot be left as a last step pre-assessment. It’s not only a roadmap for assessors, but also for you. It will help you identify what security gaps exist in your system and will provide direction for your compliance journey.
Create your SSP early on in your compliance journey. It’s a living document and will change with your system as you work towards compliance.
For more information on how you will be assessed, check out the CMMC Assessor’s Guide.
- Create your list of POA&Ms.
At this point in your compliance journey, you might have some controls you are unable to meet. For now, create a Plan of Action and Milestones (POAM) for those items and specify the technologies and procedures you will need in order to close those gaps.
It’s important to note though that according to the CMMC Assessment Process (CAP) Guide, C3PAOs will allow for only a limited use of POAMs at the time of assessment and then only for a small number of the lowest scoring practices. You will need a minimum score of 80% (88/110) to be eligible for a conditional certification so we do not recommend relying on POAMs to pass CMMC.
POA&Ms will not be accepted on the highest severity practices (those controls worth 3 or 5 points), but if you have a small number of low severity (controls worth 1 point) POA&Ms you may be able to earn a conditional CMMC certification. You will be required to close out those POA&Ms and reassess any and all POA&Ms within 180 days of final submission.
Remember that a POA&M must outline your plan for meeting a control. It details what resources you will require, what milestones you must meet, and when you will complete those milestones.
- Conduct a self-assessment against NIST 800-171A.
Once you have a clear target, you’ll need to determine where your system currently stands in relation to that goal. The best way to do this is to conduct a self-assessment against NIST 800-171A. NIST 800-171A is a special publication (SP) from NIST that defines assessment objectives for NIST 800-171. There are 320 objectives which map to the 110 controls. Each of the 110 controls can have multiple objectives. In order to satisfy the control, the contractor must meet ALL of the objectives.
If your target is Level 2 or 3, conduct a self-assessment against all 320 objectives of NIST 800-171A to become CMMC compliant. If your target is Level 1, you’ll only need to conduct a self-assessment against the 17 relevant controls in NIST 800-171.
As noted above, each of the 110 controls of NIST 800-171 is worth a weighted score of either 1, 3, or 5 points. Thus the possible scores on your NIST 800-171 assessment range from -203, meaning you’ve satisfied no controls, to +110, meaning you’ve met all controls.
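The scoring and POA&M rules above (weighted 1/3/5-point controls, a 110-point maximum, an 88-point threshold for conditional certification, no POA&Ms on 3- or 5-point controls, and a 180-day close-out window) are easy to get wrong when done by hand in a spreadsheet. The following is an added example, not code from the original post or from PreVeil, that applies those rules to a self-assessment. It goes slightly beyond the text in one respect: the DoD NIST SP 800-171 Assessment Methodology grants partial credit on two controls (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography), deducting 3 points instead of 5 when they are partially implemented, and the example models that. The control identifiers and weights listed are a small subset of the 110; the full weight table is Annex A of that methodology and should be checked before relying on any number here. The assessment results are constructed sample data, and controls not in the table are assumed to be met.

```python
from datetime import date, timedelta

# Subset of NIST SP 800-171 controls with DoD Assessment Methodology weights.
# Verify every weight against Annex A of the methodology; only a subset is listed.
CONTROLS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.2.3": 1,    # insider threat awareness training
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.12.2": 3,   # develop and implement POA&Ms
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}

# Points deducted when one of the two partial-credit controls is only partially met.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110          # all 110 controls met
CONDITIONAL_MIN = 88     # 80% of 110, the floor the post gives for conditional certification
POAM_WINDOW_DAYS = 180   # POA&Ms must be closed within this many days

# Constructed sample results: "met", "partial" or "not_met" per control.
SAMPLE_RESULTS = {
    "3.1.1": "met", "3.1.2": "met", "3.1.20": "not_met", "3.1.22": "met",
    "3.2.3": "not_met", "3.3.1": "met", "3.5.3": "partial", "3.12.2": "met",
    "3.13.11": "met",
}


def score_assessment(results: dict, weights: dict = CONTROLS) -> int:
    """Start from 110 and subtract each unmet control's weight.

    A control missing from `results` is treated as not met (the conservative
    choice). "partial" earns the reduced deduction only for 3.5.3 and 3.13.11;
    on any other control it is scored as not met.
    """
    score = MAX_SCORE
    for control_id, weight in weights.items():
        status = results.get(control_id, "not_met")
        if status == "met":
            continue
        if status == "partial" and control_id in PARTIAL_CREDIT_DEDUCTION:
            score -= PARTIAL_CREDIT_DEDUCTION[control_id]
        else:
            score -= weight
    return score


def poam_eligibility(results: dict, assessment_date: date, weights: dict = CONTROLS) -> dict:
    """Apply the conditional-certification rules described in the post.

    Returns the score, which unmet controls could go on a POA&M (1-point only),
    which unmet controls block conditional certification (3- or 5-point), and
    the date by which POA&M items must be closed out.
    """
    score = score_assessment(results, weights)
    unmet = [(cid, w) for cid, w in weights.items() if results.get(cid, "not_met") != "met"]
    poam_items = [cid for cid, w in unmet if w == 1]
    blocking = [cid for cid, w in unmet if w > 1]
    return {
        "score": score,
        "conditional_certification": score >= CONDITIONAL_MIN and not blocking,
        "poam_items": poam_items,
        "blocking_controls": blocking,
        "poam_due": assessment_date + timedelta(days=POAM_WINDOW_DAYS),
    }


if __name__ == "__main__":
    report = poam_eligibility(SAMPLE_RESULTS, date(2024, 1, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample data the score is 105 (3 points off for partial MFA, 1 each for 3.1.20 and 3.2.3), which clears the 88-point floor, yet conditional certification is still not available because the unmet control 3.5.3 is a 5-point practice. Marking 3.5.3 as met raises the score to 108 and leaves only two 1-point items, which can be carried on a POA&M due 180 days after the assessment date. That is the distinction the post draws: the threshold score is necessary but not sufficient.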
- Close security gaps.
Once you’ve identified the unmet controls, you must take the outlined action(s) to meet those controls. POA&Ms are strictly time bound and will expire within 180 days after you have your C3PAO assessment. A POA&M must document all proposed actions to remediate deficiencies and the respective timeframe for doing so. The POA&M should detail the progress of corrective actions as they are carried out and thus be updated regularly.
It is critical that organizations prioritize closing any security gaps.
- (Optional) Get a final check with either a Registered Practitioner Organization (RPO) or a C3PAO.
Your penultimate step will be to hire outside help for a final check before your assessment. You should work with a trained and certified RPO or C3PAO.
An RPO helps to prepare Organizations Seeking CMMC Certification (OSCs) for certification. RPOs are experts on compliance, and can act as a consultant for your organization.
Some C3PAOs also act as RPOs to assist OSCs with preparation for their outside assessment. However, because of potential conflicts of interest, you cannot hire the same C3PAO to help you both prepare for and then later conduct your outside assessment.
The goal of this final check is to ensure that your organization is sufficiently prepared and that necessary evidence is available for the assessment team to review in the following step.
- Schedule a C3PAO to conduct an assessment.
As the final step in your CMMC compliance journey you’ll need to hire a C3PAO to conduct your assessment. They’ll use your SSP, employee interviews, company artifacts and site visits to determine whether you meet the CMMC requirements.
You can find a list of accredited C3PAOs on The Cyber AB Marketplace. Your organization will be fully responsible for obtaining the needed assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC eMASS, which DoD can access.
To stay competitive for DoD contracts it’s important to begin your CMMC compliance journey today. Stay tuned to the DoD’s statements for updates on CMMC’s rollout, but don’t wait for a set deadline to get serious about compliance.
Achieving compliance can take up to a year for an average SMB. By preparing yourself now, you’ll be well positioned to bid for, and win, DoD contracts when CMMC goes into effect. Reach out to Noël Vestal, PreVeil’s resident CMMC compliance expert, for a complimentary 15-minute compliance consult to get you started.