Cybersecurity Maturity Model Certification (CMMC) compliance will soon be required for all DoD contractors.
While the Department of Defense hasn’t finalized rulemaking (yet), Defense contractors that may need to get certified at Level 2 under CMMC 2.0 shouldn’t wait until the last moment to prepare for CMMC compliance.
Keeping up with the latest CMMC updates can seem intimidating, but by following a few, fool-proof steps, you’ll be on a clear path toward certification.
This step-by-step guide will teach you how to prepare for CMMC with six practical steps to improve your security and compliance posture.
Have questions about implementing NIST 800-171, using industry-leading solutions? Or what you should do now to prepare for CMMC compliance?
Cuick Trac helps defense contractors satisfy all the technical controls for NIST SP 800-171 and CMMC Level 2. Learn how with a free 30-minute demo today!
How to prepare for CMMC compliance
- Identify your required CMMC level
- Assess and identify your CUI & FCI
- Read the CMMC Assessment Guides & Appendices
- Conduct a Thorough NIST 800-171 & CMMC Gap Analysis
- Develop & Review System Security Plans & Plan of Action and Milestones (POAM)
- Find the Right Partners to Evaluate Internal Resources
Step 1: Identify your required CMMC level
The CyberAB (formally known as the CMMC Accreditation Body) is responsible for developing procedures to certify Third-Party Assessor Organizations (CP3AOs). These organizations will provide assessors who evaluate the CMMC compliance levels of contractors who wish to do business with the DoD.
The CyberAB will also create and maintain a CMMC Marketplace where contractors can locate an accredited C3PAO in their area and schedule a CMMC assessment.
The specific assessment that the CP3AO performs depends on the CMMC maturity level that the requesting contractor wants to achieve, based on the data they store, process and transport.
CMMC 2.0 has three maturity levels:
- Level 1: Foundational cyber hygiene
- Level 2: Advanced cyber hygiene
- Level 3: Expert cyber hygiene
These maturity levels are hierarchical such that Level 1 provides the entry level of security, while Level 3 provides the highest and more advanced security.
The requirements for each higher level include all the requirements of the ones immediately below it.
For example, achieving Level 3 compliance means that a contractor must meet all the Level 1 & 2 requirements, in addition to the new requirements for Level 3.
Learn more: CMMC 2.0 levels
Level 1: Foundational cyber hygiene
CMMC 2.0 Level 1 provides basic protection of covered contractor information and only applies to organizations that handle Federal Contract Information (FCI).
This level is equivalent to CMMC 1.02 Level 1, based on the 17 controls in FAR 52.204-21.
These controls aim to protect the information systems of covered contractors, primarily by limiting access to authorized users.
Level 2: Advanced cyber hygiene
CMMC 2.0 Level 2 is designed for companies that work with Controlled Unclassified Information (CUI).
This level is equivalent to CMMC 1.02 Level 3, based on NIST SP 800-171, and includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171.
As a result, CMMC 2.0 Level 2 is in complete alignment with NIST SP 800-171.
Level 3: Expert hygiene
CMMC 2.0 Level 3 focuses on reducing a system’s vulnerability to detect advanced persistent threats (APTs), by requiring additional, enhanced/proactive requirements. This includes contracts that handle Confidential, Secret, and Top Secret information.
This level is still in development, however, reports have indicated that the requirements of Level 3 will be based on NIST SP 800-171’s 110 controls in addition to a subset of NIST SP 800-172 controls.
Step 2: Assess and identify your CUI & FCI
To prepare for CMMC compliance or a CMMC assessment, one of the first steps you’ll need to complete is identifying the data subject to CMMC.
An organization can quickly estimate the effort this process will require by answering the following five questions about data and user flows:
- Does the organization have CUI (digital and/or physical)?
- Is the CUI consolidated?
- Does the CUI have controls?
- Does the site have mature IT requirements?
- What are the scope and boundaries of the CUI?
What are the differences between CUI and FCI?
CUI and FCI are closely related types of government information, but it’s essential to understand their differences when obtaining CMMC.
CUI is any information that a government agency creates or possesses. It requires safeguards for a contractor to access, which may take various forms such as a law, permit, policy, or regulation.
CUI may be further categorized into two types based on the strength of the safeguards required to protect them: CUI Basic and CUI Specified.
CUI Basic still requires protection, but the government doesn’t specify the exact methods. CUI Specified must be protected by specific safeguarding methods provided by the government.
A non-executive branch of the government possesses neither type of information unless an executive agency created, uses, or possesses that information.
FCI is generally any information given to or generated by a contractor associated with delivering a product or service to the government through a contract.
However, it excludes information that the government has released to the public and transactional information needed for payment purposes.
The Committee on National Security Systems Instruction (CNSSI) further specifies in FAR 4.1901 that FCI includes “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
- Does the organization have CUI (digital and/or physical)?
A contractor’s site probably has CUI if a prime contractor is subject to DFARS 252.204-7012 via a DoD contract or a supplier on such a contract. - Is the CUI consolidated?
Applying the controls needed for CMMC is easier when the CUI is isolated to a specific set of applications. The effort required for this process generally becomes more expensive and time-consuming as the number of applications that process, store, or transmit CUI increases. However, it may still be less burdensome to apply CMMC controls broadly than to consolidate the CUI. - Does the CUI have controls?
CUI requires controls to monitor, protect and audit it, although the mere fact that CUI should be isolated to a particular set of systems doesn’t guarantee control. The assessor must consider factors such as infrastructure, network, physical location, and authentication procedures to ensure that only authorized users can access the CUI. - Does the site have mature IT requirements?
Many CMMC security requirements map directly to the security controls of NIST SP 800-171 and focus on good IT requirements that are specifically related to the protection of CUI. This includes regular backups and OS upgrades, especially those that hatch security vulnerabilities. AV software installation and regular use is also a standard IP practice. - What are the scope and boundaries of the CUI?
The NIST Guide for Developing Security Plans for Federal Information Systems defines the scope to obtain CMMC. This document describes scope as the degree to which CUI affects the implementation of security controls in an information system.
Considerations in this determination include infrastructure, technology, scalability, risk management, and public access to the system containing CUI.
Step 3: Read the CMMC Assessment Guides & Appendices
A thorough review of the CMMC assessment guides and their appendices should be one of the first steps toward CMMC compliance, as these documents have remained consistent throughout their development.
Specific items to study include the definition and intent of each control. Contractors should also ensure they understand the differences between the three CMMC maturity levels, including their purpose, controls, and requirements that a C3PAO will evaluate during its assessment.
Contractors who have previously performed work for the DOD will already have experience with data protection requirements, particularly NIST SP 800-171.
However, there are also additional security standards that DoD contractors may already be most familiar with such as the Federal Information Security Modernization Act (FISMA) and ISO 27001.
The security requirements in these standards often overlap with those of CMMC, especially for its lower maturity levels.
NIST 800-171 is highly relevant for CMMC compliance because it was one of the foundations of the CMMC framework.
As a result of the close relationship between these two standards, a contractor is already compliant with CMMC Level 1 if it’s compliant with NIST 800-171.
CMMC contains all 110 security controls in NIST 800-171, although higher maturity levels also include additional controls.
Learn more: CMMC Compliance 2.0: Controls, Levels, & Assessment
Step 4: Conduct a Thorough NIST 800-171 & CMMC Gap Analysis
A gap assessment against the assessment objectives within the assessment guides and NIST 800-171A identifies the areas in which an organization’s security posture fails to meet the requirements of a particular standard.
A contractor already working for the DoD will typically want to begin this process with a NIST 800-171 gap assessment to ensure it has implemented all of these controls.
The next step should be to perform a CMMC gap analysis for the desired maturity level to identify new controls that the contractor hasn’t implemented.
Both of these assessments can be performed by the contractors themselves before engaging with an experienced consultant, or a formal assessment by the C3PAO.
However, the caveat is that self-assessments tend to be less effective due to the lack of experience needed to interpret the assessment objectives correctly.
That said, a self-audit is an important beginning step for organizations to understand the type of implementation strategy they will take.
Step 5: Develop & Review System Security Plans & Plan of Action and Milestones (POAM)
A System Security Plan is a document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements.
In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems.
A POAM is a plan that develops the measures a member of the DIB must take to correct the deficiencies identified in the NIST 800-171 gap assessment. It should identify specific tasks to perform, and the resources needed to complete them.
Non-compliance with NIST 800-171 was acceptable, provided the contractor prepared a POAM to correct deficiencies and made progress on it.
However, that won’t be the case for many organizations under CMMC, since most contracts requiring CMMC level 2 certification (or above) will require an assessment from a third party every three years, along with annual self-attestation.
Like always, there are a few exceptions.
Under the CMMC 2.0 model, select programs that require CMMC level 2 certification, but handle non-prioritized data not critical to national security, may be allowed to conduct an annual self-assessment. This is likely to be very far and few between.
Learn more: How to create a System Security Plan (SSP)
Step 6: Find the Right Partners to Evaluate Internal Resources
A C3PAO must perform the assessment and assign a particular CMMC maturity level to each contracting organization. Before that assessment, it’s highly recommended that contractors work with trusted and experienced vendors to prepare correctly.
This trusted vendor will be a partner in this process rather than just a third-party auditor, making it crucial to find one with the right qualifications.
Many of the additional certifications that a contractor will require before winning a contract will interact with CMMC in some way, so a long-term partnership with a C3PAO and trusted subject matter expert vendors, is essential for developing the best strategy for achieving CMMC compliance.
For example, streamlining a contractor’s audit process is also one of the first steps a C3PAO performs to prepare the contractor for an audit.
Attending CMMC-AB town halls is one of the most important ways for these organizations to remain informed on this evolving process. These events can help ensure that a C3PAO can effectively guide contractors through the journey of obtaining CMMC.
How does Cuick Trac help?
Getting started with CMMC may seem daunting since it’s such a new framework with many unanswered questions. Learning how to prepare for CMMC compliance will give you a head start on the eventual rollout of CMMC requirements for all DoD contracts.
Not sure where to start? Our team of CMMC consultants can help you understand CMMC 2.0 requirements and if a purpose-built virtual enclave, like Cuick Trac, would be a good fit for your organization.
Cuick Trac is the most affordable, practical, and secure CMMC compliance solution that helps contractors, manufacturers, and engineers who work with the Department of Defense (DoD) and the Federal Government meet the requirements for processing, storing, and transmitting CUI.
How? With features including a pre-configured enclave, with pre-configured firewall, a built-in security information and event management (SIEM) solution, end-to-end encryption, and multi-factor authentication (MFA), Cuick Trac implements the technical controls of NIST 800-171 controls that CMMC 2.0 Level 2 compliance requires in far less time than most “built for you” environment configurations.
It’s packed with more out-of-the-box features than any CUI enclave, and did we mention you also have the option to include administrative and physical requirement support?
Next steps: Get a free 30-minute demo today
Get started on the road to CMMC compliance
Cybersecurity Maturity Model Certification (CMMC) is becoming essential for any contractors who want to work for the U.S. Department of Defense (DoD).
The new unified standard for cybersecurity requirements across the entire defense industrial base (DIB), a supply chain with over 300,000 contractors, will be a part of all DoD contracts within the next few years.
You’ve heard it before, the early bird gets the worm.
By preparing for CMMC compliance now you’ll avoid missing contracts or waiting in the long queue for certification behind everyone else once the DoD makes CMMC 2.0 mandatory.
If you have questions about CMMC compliance or want to learn how your organization can pass DFARS 252.204-7012 compliance or implement the technical controls of NIST 800-171 controls in weeks, not months, our CMMC compliance experts are here to help.
Next steps: Call 612-428-3008 or contact us online to discuss your security needs with one of our CMMC compliance experts.
