CMMC is an acronym that most companies that work for the U.S. Department of Defense have become familiar with over the last year. The Cybersecurity Maturity Model Certification, or CMMC for short, is a new set of standards issued by the DoD to help defense contractors in the Defense Industrial Base (DIB) improve their cybersecurity capabilities. All contractors who want to work with the DoD will need to meet specific requirements.
Preparing For The CMMC In 6 Steps
The CMMC encompasses several maturity levels, ranging from “Basic Cybersecurity Hygiene” to “Advanced.” CMMC replaces an existing government contracting rule called the Defense Federal Acquisition Regulation Supplement (DFARS). This rule requires government contractors to implement NIST Special Publication 800-171, a cybersecurity standard that outlines security and privacy standards for “controlled, unclassified information” (CUI).
Here are some essential things to do to prepare for meeting compliance.
1. Determine Your Organization’s Maturity Level
Despite common misconceptions, CMMC is not entirely new. Instead, it contains security controls from other established cybersecurity standards, such as NIST 800-171 and NIST 800-53.
CMMC is used to establish levels of cybersecurity maturity. There are five levels in total, and the more controls a business implements, the higher its maturity level. Businesses with a higher maturity level are often looked upon more favorably and become eligible to bid on more contracts.
Third-party assessment organizations (3PAOs) are responsible for determining the maturity level of a business. The five maturity levels of CMMC are:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced/Progressive
2. Obtain or Verify Compliance with NIST 800-171
NIST 800-171 requires contractors to consistently document and update system security plans (SSPs), including items such as network diagrams, company policies, and the relationships between systems. It also mandates that contractors regularly assess the security controls within their organizational systems to determine whether those controls are effective in practice.
While preparing for the CMMC, businesses should verify that they are compliant with NIST 800-171. Performing a gap analysis and readiness assessment can help businesses better understand if they meet the requirements for compliance. Readiness assessments help identify processes and systems that may not meet the standards.
Assessments look at a number of factors, such as whether IT staff are adequately trained, whether an incident response plan is in place, how security protocols are implemented and maintained, how data is stored, and how access to sensitive information is controlled.
3. Create a System Security Plan or Update Your Current One
A system security plan (SSP) is a document that must be updated whenever a business makes significant changes to its security processes or security profile. To meet CUI and NIST 800-171 requirements, an SSP must include information about each system within a contractor’s environment that transmits or stores CUI. SSPs also describe the flow of information between systems.
Preparing for the CMMC requires a business to either create a system security plan or update its existing one. When developing or updating an SSP, it is important to ensure that it meets certification requirements.
4. Develop a Plan of Action & Milestones (POA&M)
The next step in preparing for the CMMC involves building a plan of action and milestones (POA&M). A POA&M documents the remediation project plan and can help identify resource requirements and timelines. Together, the SSP and POA&M should demonstrate that the business has the proper cyber practices in place to meet NIST SP 800-171 compliance, and they should also address any remaining gaps in coverage.
5. Implement the POA&M
Once a POA&M has been completed, it can then be implemented. Completing the POA&M helps ensure compliance with NIST 800-171 and records essential information such as the activities necessary to resolve security issues, a timeline of project completion dates, the allocation of resources, the qualification of risk levels, and insights into how security gaps were discovered.
6. Continue Maintaining Compliance
Businesses must continue to monitor their infrastructure to ensure compliance and detect potential security issues before they become too costly to handle. Ongoing monitoring can be challenging for businesses to handle on their own. That is why many companies choose to work with experienced business management consultants who specialize in delivering risk management and compliance services.
Speak With Hartman Executive Advisors For More Information
CMMC was designed to serve as a verification tool to ensure that businesses meet the appropriate levels of cybersecurity processes and practices. Cyber threats continue to grow every day and these IT standards help keep businesses protected. To learn more about how to prepare for the CMMC or to speak with an experienced risk management consultant, reach out to the experts at Hartman Executive Advisors today.