Last Updated on September 5, 2023
All suppliers to the Department of Defense (DoD) or its contractors will soon need to comply with the Cybersecurity Maturity Model Certification (CMMC) standard at the mandated “maturity level” to participate in DoD contracts.
CMMC represents a higher degree of oversight for defense industrial base (DIB) organizations. The current program requires only a self-attestation of compliance with the NIST 800-171 cybersecurity standard and submission of a compliance score to the DoD’s Supplier Performance Risk System (SPRS) database. Businesses that are not yet fully compliant with NIST 800-171 may have significant gaps to close prior to a CMMC assessment.
It’s important to get an early start so you have adequate time to understand your specific CMMC compliance requirements and institute a consistent, repeatable, evidence-based compliance reporting process—so you can prove DoD CMMC compliance, achieve certification, and then maintain your certification in the face of endless change on all fronts.
This post covers the 7 key steps DIB orgs must take before they engage a Certified Third Party Assessment Organization (C3PAO) to evaluate their CMMC compliance.
One: Identify the DoD CMMC maturity level you will need to achieve.
CMMC compliance requirements vary depending on which CMMC maturity level a contract specifies:
- All DoD suppliers need to comply with CMMC Level 1, a “basic” set of 17 controls designed to meet security requirements for Federal Contract Information (FCI).
- Those DoD suppliers that receive and/or generate controlled unclassified information (CUI) will also undergo a rigorous third-party assessment against CMMC Level 2, which includes the 110 NIST 800-171 Rev. 1 controls.
- CMMC Level 3 is reserved for the largest prime contractors and other DIB orgs that handle the most sensitive CUI data types, and is designed to block advanced persistent threats (APTs). Still not fully specified as of this writing, CMMC Level 3 will be based on the NIST 800-171 controls plus a subset of the controls in NIST 800-172, Enhanced Security Requirements for Protecting CUI.
The first step in any CMMC compliance process is to determine which CMMC level your company needs to obtain based on contract requirements, input from your contracting officer, or the presence of CUI in your environment.
Two: Define the scope of your CMMC environment.
Most organizations do not need to certify their entire enterprise, just the parts that touch FCI or CUI. Accurately tracking the flow of sensitive data is therefore central to your scoping process.
Once correctly scoped, a logically and potentially also physically separate CMMC “enclave” will be much more realistic and cost-effective to secure. Your scope will also largely dictate the budget you’ll need to set aside for new security controls, policy and documentation updates, changes to current applications, consulting fees, and so on.
Three: Self-assess your compliance with CMMC at your chosen level.
Before you can move towards your destination you need to know where you are. You therefore need a robust self-assessment and gap analysis based on a clear understanding of CMMC requirements as they apply in your environment.
Your gap analysis then drives a plan of actions and milestones (POA&M) to remediate any gaps, including resource requirements and target dates to achieve full NIST 800-171 compliance (a 110 SPRS score).
To help them build the ideal roadmap to CMMC compliance, many organizations will partner with a CMMC Registered Provider Organization (RPO). Besides providing CMMC consulting services, an RPO can also help a business operationalize its compliance reporting process.
Four: Create a System Security Plan (SSP).
CMMC Level 2 and NIST 800-171 both mandate DIB orgs to have a System Security Plan (SSP) in place. Your SSP should give auditors, clients, prospects, and other stakeholders a readable overview of your security requirements and associated controls.
Review of your SSP is a first step any auditor will take in validating CMMC compliance. So, your SSP needs to be a “living” document that reflects your current security posture.
What should your SSP include? CMMC Practice CA.L2-3.12.4 in the CMMC 2.0 Assessment Guide for Level 2 states:
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Five: Close identified gaps and submit a new score to SPRS.
Using the findings on your CMMC compliance posture acquired in Step 3, in alignment with your SSP developed in Step 4, you can systematically close all identified gaps per your POA&M.
This process will enable you to conform to CMMC Level 2 (or in rare cases CMMC Level 3) requirements. Once you have remediated all nonconformities with NIST 800-171, you can submit a “perfect” 110 score to SPRS.
Every defense contractor that handles CUI must submit a score to SPRS, per the DFARS 7019 clause now appearing in all new and modified DoD contracts. It is vital that your score be accurate based on the DoD’s assessment requirements, so that a third-party assessor would give you the same score you gave yourself.
Six: Connect with a C3PAO to schedule your CMMC assessment.
Based on your NIST 800-171 compliance timeline, you should explore the Cyber-AB Marketplace to identify a compatible C3PAO to conduct your CMMC Level 2 assessment. (It is likely that the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will perform all CMMC Level 3 assessments.)
With thousands of firms needing certification and only a very limited number of C3PAOs currently available, getting a head start on scheduling your CMMC assessment is advisable. Choose a C3PAO from the Cyber-AB marketplace that has a proven track record assessing numerous organizations similar to yours against comprehensive security and compliance standards like ISO 27001 and SOC 2 Type II. Extensive familiarity with NIST 800-171 or other US government compliance standards is likewise essential.
Don’t hesitate to ask about credentials and security clearances for the professionals who will be conducting your assessment. If your CMMC infrastructure has a strong cloud component, you should also check whether a candidate C3PAO has experience assessing companies with significant cloud footprints. Another important factor is the C3PAO’s backlog and projected availability in relation to your certification deadline.
Seven: Stay current with the latest CMMC rollout development.
While CMMC 2.0 rulemaking is very close to completion and major program changes are unlikely, it’s important to keep current with CMMC news and timelines. The Cyber-AB website has multiple resources to help with this process, including news curation, press releases, webinars and other public events, and the popular monthly CMMC “Town Hall” recordings.
What’s next?
As the CMMC rollout moves closer, DIB suppliers need to move efficiently toward demonstrable CMMC and NIST 800-171 compliance.
CBIZ Pivot Point Security is a leading consulting firm with extensive experience working with US federal government compliance regimes and guiding clients to third-party cybersecurity certifications.
Contact us to discuss your goals and challenges with a CMMC expert.