The Cybersecurity Maturity Model Certification (CMMC) is the newest standard established by the Department of Defense (DoD) to ensure that security processes and controls effectively protect the Controlled Unclassified Information (CUI) on Defense Industrial Base (DIB) networks and systems.
Although CMMC is not yet required for all contractors, it is gradually being phased in for certain DoD contractors and will soon become a mandatory standard that all contractors must meet before bidding on DoD contracts.
10 Steps To CMMC Compliance In 2021
Businesses that wish to continue working with the federal government must take the necessary steps to prepare for a CMMC audit in which a CMMC Third Party Assessment Organization (C3PAO) will ensure compliance. The following checklist aims to help contractors better prepare for meeting compliance requirements.
1. Perform A Readiness Assessment
A readiness assessment helps contractors identify potential challenges that could arise when implementing new processes or procedures. Start by looking at the IT environment as it currently stands.
In particular, businesses should review their current security strategies in managing CUI and Federal Contract Information (FCI). Businesses can choose to perform a self-assessment or outsource this task to a third party consulting company.
2. Understand The 5 Levels Of Cybersecurity Maturity
The CMMC model framework consists of 17 domains. Businesses are subject to audits for CMMC levels two through five. Within each domain there are capabilities that span all five levels. There are a total of 171 practices across the five levels, and each level includes the processes and practices of the level below it.
The five levels of cybersecurity maturity include:
- Level 1 – CMMC level 1 is characterized as “Basic Cyber Hygiene” and contains 17 practices. There are no maturity processes assessed at level 1. This basic standard is achievable by most small businesses and is equivalent to the requirements from FAR Clause 52.204-21. CMMC level 1 is required for all organizations that work with FCI.
- Level 2 – CMMC level 2 intends for businesses to achieve ‘intermediate cyber hygiene’. Level 2 essentially acts as a bridge between level 1 and level 3 and includes all level 1 practices in addition to 48 new practices from the NIST SP 800-171 framework. Processes must be documented at CMMC level 2 for assessment.
- Level 3 – CMMC level 3 is reached when a business achieves ‘good cyber hygiene’. This level is required for all businesses that process, store, or transmit CUI. It is built upon levels 1 and 2 and has the primary purpose of protecting Controlled Unclassified Information. It includes the 110 security requirements from NIST SP 800-171, as well as 20 additional practices that help businesses achieve good cyber hygiene.
- Level 4 – CMMC level 4 builds upon the processes and practices of levels 1 through 3. Level 4 includes 11 more practices from Draft NIST SP 800-171B, in addition to 15 practices designed to demonstrate a proactive cybersecurity program. Businesses that seek CMMC level 4 certification must have the ability to take corrective action and maintain contact with higher-level management to report status changes.
- Level 5 – CMMC level 5 focuses on advanced persistent threats and further builds upon the processes and practices of the levels below it. It is characterized by advanced practices that are resilient against even the most sophisticated attacks from experienced adversaries. Level 5 includes a total of 171 practices.
3. Determine The Level Of Compliance Required
To properly prepare for a CMMC audit and ensure that the business is in full compliance, companies must first determine the CMMC level of compliance they will be required to meet.
In most cases, prime contractors are notified directly by the Department of Defense that they will need to comply with CMMC. Subcontractors may receive this information from their prime contractors.
Since the DoD is currently in the process of migrating from NIST 800-171 to the new CMMC framework, all defense contracts will soon require CMMC. However, existing contracts with the DoD will not have CMMC requirements implemented. Look to sections C and F of the RFP to determine if the contract requires CMMC.
Note that with the majority of DoD contracts, companies that seek compliance only need to achieve level 1, 2 or 3 certification. Only a select group of businesses will be tasked with meeting the CMMC security requirements listed under levels 4 and 5. The bulk of assessments performed will be for level 1.
4. Prepare For A CMMC Assessment
Consider hiring an experienced consulting company to perform a CMMC pre-assessment of the business’s current IT environment. This process can help organizations determine their CMMC readiness and provide valuable insight into potential gaps that should be addressed prior to the audit.
There are several steps that businesses can take to prepare for their CMMC assessment. Start by identifying all relevant CMMC requirements that must be met.
Next, perform a gap analysis of the security controls and processes to identify problem areas that require attention. Finally, make a list of remediation steps that the business will need to complete before hiring a C3PAO to conduct a CMMC assessment.
5. Undergo Remediation To Resolve Compliance Issues
After performing a CMMC assessment based on the desired level of maturity that the business would like to achieve, the company should have a list of practices that it is not yet meeting.
CMMC compliance differs from NIST 800-171 compliance in that businesses are obligated to correct any deficiencies found before they can meet all compliance requirements.
There are several documents that businesses can create to help in the remediation process, such as a Plan of Action and Milestones (POA&M) and a System Security Plan (SSP). While simply creating these documents is not enough to achieve compliance, they are useful for tracking and resolving the compliance issues that an assessment uncovers.
6. Cut Down On The Amount Of CUI In Contracting Systems
It makes sense that the more CUI a contractor stores, receives or transmits, the higher the risk of a cybersecurity event. Whenever possible, contractors should cut down on the amount of CUI that they have stored on their systems.
If CUI is sent by another contractor or subcontractor, try to limit the amount of information received so that only relevant data needed for work purposes is received. With less CUI, it will be easier to protect sensitive information.
7. Use A FIPS Validated Cryptographic Platform
IT systems are not considered compliant until the cryptography they rely on has been FIPS validated. CMMC compliance requires an IT system to use FIPS validated cryptography to protect data both at rest and in transit.
Any platform that uses this technology has been submitted to the National Institute of Standards and Technology (NIST) for validation. NIST publishes a list of FIPS validated cryptographic platforms, which businesses can use to verify whether their system is compliant.
8. Avoid Costly And Quick Solutions
It can be tempting for businesses to search for quick solutions to check CMMC compliance. However, most self-compliance tools are not configured properly, and without extensive knowledge of how to configure them, these tools can be a waste of time and money.
Avoid purchasing self-analysis CMMC compliance tools that are designed to look for gaps in compliance and instead focus on manual strategies for meeting compliance requirements.
9. Hire A C3PAO To Conduct An Assessment
Businesses that work in federal supply chains must pass a CMMC audit performed by a C3PAO to achieve compliance. C3PAOs are the only parties that can perform these audits as they have been authorized by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct assessments.
Unlike NIST 800-171, CMMC does not permit self-assessment, meaning businesses cannot achieve CMMC certification on their own.
10. Wait For An Assessment Report
Once a C3PAO has performed an assessment of the business, an assessment report will be created. If the report shows that there are no deficiencies, the C3PAO will soon after issue a CMMC certificate.
A copy of the assessment report and CMMC certificate is then sent to the DoD. CMMC certificates are valid for a period of three years. After the C3PAO submits the CMMC certificate, the business is considered to have met its compliance requirement.
Advantages Of Achieving CMMC Certification
Aside from being able to bid on federal contracting jobs with the DoD, many businesses are unaware of the additional benefits that come with achieving CMMC compliance. One of the biggest advantages of obtaining CMMC certification is that it improves business processes while simultaneously protecting sensitive CUI and intellectual property in the supply chain.
There are other benefits to consider when contemplating CMMC compliance. Adopting best practices across the five maturity levels can help businesses better prepare for and prevent cyber incidents.
CMMC certification can also help businesses recover from cyber incidents faster and without financial penalties. Finally, achieving CMMC certification helps maximize the cybersecurity resilience of the DIB and the DoD.
Speak With An Expert About Reaching Required Compliance Levels
The cost of cybercrime is increasing every day. According to the FBI, the cost of cybercrime in the United States was $3.5 billion in 2019 and is expected to be much higher due to many intrusions and exploits that go unnoticed.
To guard against these catastrophic financial losses, the Department of Defense is actively working to protect data and reduce the risk of data breaches. The CMMC is expected to become a mandatory requirement in the near future for all DIB contractors in order to protect national security.
For more information about CMMC compliance in 2021 or to speak with an experienced CMMC third-party assessor candidate, contact the knowledgeable professionals at Vaultes today.