In 2020, the U.S. Department of Defense (DoD) declared that any organization providing products or services to the DOD or its supply chain must comply with the Cybersecurity Maturity Model Certification (CMMC).
This cybersecurity standard for the DOD applies to any organization participating in a contract with the DOD, whether it’s as a prime contractor or a secondary contractor.
These contracts contain a Defense Federal Acquisition Regulation Supplement (DFARS), which requires contractors to implement a System Security Plan (SSP) and Plan of Action & Milestones (POAM).
These requirements are detailed in NIST 800-171, specifically sections 3.12.4 and CMMC Practice 157 in the Security Assessment (CA) Domain (CA.2.157.)
The purpose of the SSP is to provide auditors with a clear overview of your organization’s information security (IS) posture, including requirements and controls to meet those requirements.
The DOD provides guidance on compliance assessment that indicates a review of your SSP should be the first step in ensuring DFARS compliance before awarding the contract, meaning that a SSP is required to obtain a DOD contract.
A SSP has always been part of the NIST 800-171 security requirement as described in DFARS 252.204-7012, and is even more valuable under the newer (CMMC) and DFARS 252.204-7019 and 7020.
We can help you create an SSP or fill in the gaps of your existing SSP, including the scope and CMMC 2.0 requirements.
Talk to an experienced security advisor at Cuick Trac today to learn more about CMMC security policy, incident response, and System Security Plans.
Get DFARS/NIST 800-171 Compliant With Cuick Trac — a private hosted, virtual enclave
CMMC 2.0 Levels (Updated from CMMC 1.02)
The new CMMC 2.0 levels are based on the type of information DIB companies handle, and has lowered the number of CMMC levels from five (in CMMC 1.02) to three (in CMMC 2.0) by cutting out the original “transition” levels 2 and 4.
Each level includes the controls of the preceding level, as well as controls for that level to which an organization is seeking certification.
These levels indicate the amount of data security the contractor can provide, allowing government agencies to award contracts based on the contractor’s security posture.
The CMMC maturity levels are cumulative, meaning that a contractor must demonstrate that it possesses the required processes and practices for a particular level before it can apply for the next highest level.
In general, a contractor that only handles Federal Contract Information (FCI) requires CMMC 2.0 Level 1, while a contractor that also handles Controlled Unclassified Information (CUI) may require CMMC 2.0 Level 2 or above.
To learn more about the new levels, read CMMC 2.0 Levels Explained.
Level 1: Foundational
CMMC 2.0 Level 1 is the lowest maturity level and provides “Foundational” security practices for companies that handle FCI that isn’t critical to national security, as described in Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information.
This level consists of 17 practices that include “Identity & Authentication” and “Access Control.” Level 1 is intended to protect contractor information systems and limit access to authorized users, so it’s required for any contractor that provides products that aren’t Commercial Off the Shelf (COTS).
CMMC Level 1 requires annual self-assessments.
At a minimum, most DOD contractors will need to achieve CMMC 2.0 Level 1 compliance..
Level 2: Advanced
CMMC 2.0 Level 2 provides “Advanced” cybersecurity requirements for organizations that handle prioritized and non-prioritized acquisitions that handle CUI, rather than just FCI and is most comparable to CMMC 1.02 Level 3.
Level 2 mirrors NIST SP 800-171, with 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.
Since virtually all DOD clients handle CUI, initial findings from the Secretary of Defense for Acquisition and Sustainment (USD(A&S) estimate that more than 50,000 Prime and Sub-Contractors with CMMC requirements will need to achieve this advanced level of compliance.
Depending on whether or not an organization handles CUI critical to national security, this level has two thresholds for conducting assessments and the frequency at which they need to be completed.
Companies that handle prioritized acquisitions with CUI data critical to national security will require Third-party assessments (C3PAOs) every three years.
Companies that handle non-prioritized acquisitions with CUI data not critical to national security will only require an annual self-assessment.
Level 3: Expert
The main focus of CMMC 2.0 Level 3 is to provide “Expert” cybersecurity standards to reduce risk from Advanced Persistent Threats (APTs) for members of the Defense Industrial Base that handle data critical to national security.
According to data presented by Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), preliminary findings have estimated only ~160 Prime and Sub-Contractors with CMMC Requirement will need to achieve compliance with CMMC 2.0 Level 3.
Until rulemaking occurs (between July 2022 to December 2023), it’s difficult to know what practices will be in CMMC Level 3, however, the DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls and a subset of NIST SP 800-172 controls.
If your long-term plan is to achieve this level of security and compliance we would recommend treating NIST SP 800-172 as the complete framework for implementation.
What is an SSP, and Why Do You Need One for CMMC Compliance?
The greatest weakness of NIST 800-171 is that it allows contractors to attest themselves, often resulting in a relaxed security approach.
CMMC is the DOD’s initiative to correct this vulnerability by requiring audits from third parties, thus providing contractors with an incentive to close out POAMs.
Furthermore, the DoD wants to increase the security posture of its contractors without waiting for the CMMC’s full rollout.
As of December 1, 2020, DoD prime and subcontractors must report their progress towards achieving full NIST 800-171 compliance in order to receive contract awards that require DFARS 252.204-7019 and 7020.
Contractors must enter this report and score into a federal database called Supplier Performance Risk System (SPRS).
This is a major accountability change, as it’s the first-time contractors have to enter an accurate score that can be referenced back to by DOD at any point in the future.
The new CMMC guidelines include requirements to develop, document, and maintain SSPs that describe system boundaries and operating environments a System Security Plan and Plans of Action that all CMMC 2.0 Levels.
- CA.L2-3.12.4: “Develop and document a system security plan”
- CA.L2-3.12.4: “Periodically update system security plans”
- CA.L2-3.12.2: “Develop and implement plans of action”
Contractors must also specify the implementation of their security requirements and the relationships of their systems with other systems.
Appendix B of the CMMC guide further describes the SSP’s role in CMMC as an outline of the guidelines and security standards that an affected organization must follow as well as their security personnel’s roles and responsibilities.
SSPs should also include diagrams that illustrate how the organization’s systems interact with each other.
It should also describe the organization’s design philosophies, including interfaces, network protocols, and defense strategies.
While an SSP should generally provide a high-level view of these elements, it should still provide sufficient detail to guide the organization in implementing its systems.
As a result, the SSP should make frequent references to the organization’s current policies and procedures.
What information needs to be part of our System Security Plan?
The overall purpose of CMMC and NIST 800-171 is to protect CUI, so the information in the SSP should focus on this topic.
It should include a clear definition of the organization’s business, especially its Aerospace and Defense (A&D) boundaries.
The SSP should also describe the types of CUI organizations handle and what it does with that information.
Additional information in the SSP should include details of the methods an organization uses to store, process, and transmit CUI.
Furthermore, the SSP should describe the security controls it has implemented to protect CUI, or is planning to implement, including the procedures its personnel must follow.
Known gaps in the organization’s CMMC posture are also important details for the SSP to describe which the POAMs will eventually close.
How do we create a System Security Plan (SSP) for CMMC?
The process of creating an SSP generally includes the following four basic steps:
1. Gather documentation
Gather all the documentation that describes your organization’s current security posture with respect to NIST 800-171 or CMMC compliance assessments, especially policies and procedures.
This documentation could describe your organization’s entire IT environment or just a subset of it, depending on the business model. Ensure the documentation is current by checking with relevant stakeholders.
2. Get input
Gather input from stakeholders who are responsible for system security, including data owners, system managers, and system operators.
This step ensures the documentation from step 1 matches your organization’s current IT environment.
3. Fill gaps in documentation
Fill in any gaps in your existing documentation and what’s required by CMMC, DFARS, and NIST, typically through additional research and interviews.
You’ll also need to implement a cybersecurity program to generate any other documentation that’s currently lacking.
4. Compile the SSP components
The DoD recommends that contractors organize their documentation into an SSP template to ensure they’ll be prepared for a compliance audit.
This document should be clear and explainable, and something the contractor can stand behind and defend its accuracy.
What is a Plan of Action & Milestones (POAM)?
Security standards like NIST 800-171 and CMMC both provide frameworks for managing robust security requirements. These standards help organizations implement the controls they’ll need to protect CUI.
However, not even the most diligent IT department can guarantee complete compliance with every requirement all the time.
For example, some security controls rely on software that can be very expensive. If the software your organization is using to provide this control reaches the end of its useful life, it might not be able to afford a replacement.
Another possibility is that your organization needs an alarm system installed, but the only qualified vendor in your area is booked up.
In these cases, your organization can be non-compliant with no practical method of redressing the issue. It must then develop a POAM to document these security deficiencies, including the resources needed to correct them.
It’s also vital to create and track milestones for these tasks, especially estimated completion dates.
This practice assures assessors that the organization takes cybersecurity seriously by holding itself accountable. NIST 800-171 documents the requirement for a POAM in section 3.12.2, also known as Basic Security Requirements.
There are many ways to identify deficiencies in an SSP, but the most common is to inspect an organization’s information systems via an internal review or external auditor.
However, organizations with a mature posture are more likely to continuously monitor their security controls.
This process often identifies controls that aren’t as effective as they should be or are completely absent. Regardless of the circumstances, a POAM document must track security deficiencies and specific corrective actions for each one.
NIST provides a sample POAM template that can help your organization track the actions it needs to perform to achieve CMMC compliance.
It’s important to remember that filling out this form isn’t a mere administrative exercise. The real purpose of the POAM is to identify compliance gaps and develop ways to mitigate them.
Developing an effective POAM requires the developer to take a high-level perspective when identifying the resources needed to complete each identified task.
That means that it shouldn’t be the sole responsibility of any particular department. Company leaders also need to be involved in a POAM to ensure it receives the necessary resources and holds entities responsible for executing necessary actions.
Practical considerations and specific details are also necessary for creating a useful POAM, as they demonstrate a commitment to resolving security deficiencies.
POAMs often list vague or unrealistic tasks, making it clear to the reader that the organization doesn’t take deficiency remediation seriously.
Milestones are also a key component of an effective POAM. Simple tasks may only require an estimated completion date, but POAM authors should typically break complex tasks into multiple phases, with separate milestones.
A POAM is a living document, meaning authors should update the POAM continuously as an organization progresses towards remediating deficiencies.
Page 89 of NIST 800-53 Rev.5 recommends that organizations use software to POAM items, which could include an existing ticketing system.
Organizations shouldn’t underestimate a POAM’s importance in securing government contracts.
NIST 800-171, 3.12.4 advises that federal agencies may consider SSPs and POAMs to be critical to risk management for non-federal organizations when deciding to pursue a contract with that organization.
As a result, the quality of your POAM can directly affect your chances of getting a DOD contract.
DOD will begin issuing the first contracts with CMMC requirements in 2022. Other security frameworks like NIST 800-171 allow auditors to excuse security deficiencies that are properly documented in a POAM.
However, CMMC implements a binary grading system in which an organization meets all the requirements for a given maturity level, or it doesn’t.
Even if an organization passes its CMMC audit, it still needs a POAM to document its compliance measures.
Again, you should treat your POAM as a living document that records previous deficiencies after they’ve been remediated.
SSP and POAM templates from the National Institute of Standards and Technology (NIST)
Your organization’s in-house IT staff can complete an SSP template, provided it has the necessary time and expertise.
However, this approach can result in a lack of objectivity when it comes to identifying compliance gaps.
You can also engage third-party experts to assist in this process, which can reduce the time and money needed to complete it.
This strategy also ensures that the resulting SSP complies with CMMC requirements, making it useful to auditors while meeting the requirement of separation of duties between IT and Security
There are no official SSP and POAM templates from the government, but many private companies provide them.
How Cuick Trac can help you build your CMMC compliant System Security Plan (SSP)
Conducting a CMMC assessment and developing an effective SSP are challenging tasks, but they’re also essential for obtaining DoD contracts.
You must also ensure that your organization performs its due diligence for other cybersecurity requirements such as NIST 800-171 and DFARS.
This process can be completed with just a collection of Excel spreadsheets, especially for larger organizations. Cuick Trac can help ensure that your organization meets all requirements for CMMC accreditation.
Our SSP and POAM creation and updating advisory make baseline CMMC self-assessments for CMMC 2.0 Level 1 and Level 2 (with non-critical CUI) easy to perform.
We also provide a strategic dashboard with an integrated view of your CMMC compliance at any time including compliance gaps and recommendations on how to fill them.
In addition, Cuick Trac utilizes a compliance management and audit accountability tool that stores the documentation required for every assessment objective and organizes it so auditors can easily find what they need during compliance assessments.
Speak with a System Security Plan (SSP) Advisor today
An SSP and POAM are both essential for complying with CMMC and safeguarding your sensitive data. Even if your DoD contract doesn’t require CMMC compliance at this time, it will in the near future.
It’s essential to begin the compliance process now, as it can be complex and time-consuming.
Third-party providers like Cuick Trac can provide critical assistance in obtaining CMMC compliance, and developing organizational policy, and templates especially if your core competencies don’t include a fully managed IT and security program
Schedule your free consultation with one of our CMMC advisors today if you are or expect to become a member of the defense industrial base.
We can help you avoid fines or the loss of contract opportunities by strategically planning and implementing security controls and CMMC policy templates.
Cuick Trac meets virtually all of the requirements related to the communication and storage of CUI for Level 2 compliance, where most widely-used commercial systems used to store and share CUI do not.