Updated: 6/27/23
CMMC is an acronym that most companies that work for the U.S. Department of Defense have become familiar with. The Cybersecurity Maturity Model Certification, or CMMC for short, is a set of standards issued by the DoD to help defense contractors in the Defense Industrial Base (DIB) improve their cybersecurity capabilities. All contractors who want to work with the DoD will need to meet specific requirements.
Preparing For The CMMC 2.0 In 6 Steps
The CMMC 2.0 encompasses several levels, ranging from CMMC 2.0 levels are based on the data created, processed, or stored in your environment. The focus is protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). To understand what level may apply to you, you need to identify the type of information you handle and where it is handled within your environment. This will establish the scope of your compliance with CMMC 2.0
1. Determine Your Organization’s Target Maturity Level
Despite common misconceptions, CMMC 2.0 is not entirely new. Instead, it contains security controls from other established cybersecurity standards, such as NIST SP 800-171 and NIST SP 800-53.
CMMC 2.0 is used to establish levels of cybersecurity maturity. There are three levels in total.
Self-assessment, third-party assessment organizations (3PAOs), and government-led assessments will be used for determining the maturity level of a business. The three maturity levels of CMMC include:
- Level 1 – Basic Cyber Hygiene- 17 Requirements with Self-Assessment
- Level 2 – Alignment with the 110 requirements of NIST SP 800-171
- Level 3 – Requirements based on NIST SP 800-171 and 800-172
2. Obtain or Verify Compliance with NIST SP 800-171
NIST SP 800-171 requires contractors to consistently document and update system security plans (SSPs), including data like network diagrams, company policies, and relationships between systems. It also mandates that contractors regularly assess the security controls within their organizational systems to identify their effectiveness in application.
While preparing for the CMMC 2.0, businesses should verify that they are compliant with NIST SP 800-171. Performing a gap analysis and readiness assessment can help businesses better understand if they meet the requirements for compliance. Readiness assessments help identify processes and systems that may not meet the standards.
Assessments look at a number of factors, such as if IT staff are adequately trained, if there is an incident response plan in place, how security protocols are implemented and maintained, and how data is stored and access to sensitive information is controlled.
3. Create a System Security Plan or Update Your Current One
A system security plan (SSP) refers to a document that must be continually updated when a business implements significant changes to its security processes or profile. To meet CUI and NIST SP 800-171 requirements, an SSP must include information about each system within a contractor’s environment that transmits or stores CUI. SSPs also reveal the flow of information between systems.
Preparing for the CMMC 2.0 requires a business to either create a system security plan or update their existing one. When developing or updating an SSP, it is important to ensure that it meets certification requirements.
4. Develop a Plan of Action & Milestones (POA&M)
The next step in preparing for the CMMC 2.0 involves building a plan of action and milestones (POA&M). A POA&M is designed to document the remediation project plan and can help identify resource requirements and timelines. Both the SSP and POA&M should prove that the business has the proper cyber practices in place to meet NIST SP 800-171 compliance. It should also address any potential gaps in coverage.
5. Implement the POA&M
Once a POA&M has been completed, it can then be implemented. Completing the POA&M helps ensure compliance with NIST 800-171 and will show essential information like activities necessary to resolve security issues, a timeline of project completion dates, allocation of resources, qualification of risk levels and insights into how security gaps were discovered.
6. Continue Maintaining Compliance
Maintaining cybersecurity compliance is an ongoing effort. As organization’s prepare to be compliant with CMMC 2.0, businesses must continue to monitor their infrastructure to ensure compliance and detect potential security issues before they become too costly to handle. Ongoing monitoring can be challenging for businesses to handle on their own. That is why many companies choose to work with experienced business management consultants who specialize in delivering risk management and compliance services.
Speak With Hartman Executive Advisors For More Information
CMMC 2.0 was designed to serve as a verification tool to ensure that businesses meet the appropriate levels of cybersecurity processes and practices. Cyber threats continue to grow every day and these IT standards help keep businesses protected. To learn more about how to prepare for the CMMC or to speak with an experienced risk management consultant, reach out to the experts at Hartman Executive Advisors today.