The official CMMC requirements, released in January 2020, specify that organizations in the defense supply chain will need a third-party security assessment before they are awarded a certification. The first round of assessors is now being trained, and it's likely that the first CMMC audits will be carried out early next year, or possibly earlier. Despite the ongoing pandemic, the CMMC timeline is still on track.
CMMC spans five levels, each with its own certification. Any organization that contracts or subcontracts for the DoD will need to hold the proper certification before it can bid on requests for proposals. A level-one certification is mandatory for any organization that makes up the Defense Industrial Base (DIB). However, it's best to aim for level three or higher, since that's where the most lucrative contracts are.
Here are steps you need to take to ensure you’re ready when the CMMC compliance deadline comes around:
#1. Choose the right CMMC certification level
Of course, every organization would like the best cybersecurity money can buy, but that's not always realistic. Each of the five CMMC compliance levels comes with its own requirements for policy development and security controls, and the higher the level you target, the greater the investment needed. It is therefore critical to aim for a level that matches your current and likely future needs.
The best way to start is to assess your current portfolio of DoD contracts. For example, if none of them require you to handle controlled unclassified information (CUI), you should be fine aiming for a level-one or level-two certification. If you do handle CUI, however, level three or higher will be necessary. Level three or higher can also give you a competitive advantage and open the door to more lucrative contracts.
#2. Assess your current security controls
CMMC compliance requires that contractors periodically assess their cybersecurity controls and policies to determine how effective they are. The first thing you need to do is gain complete visibility into your infrastructure so you can define your system boundaries and minimize the attack surface wherever possible. In other words, you need to know exactly which systems store, transmit, or process CUI or other sensitive information. You'll then need to isolate those systems so that they are protected according to the controls set out in NIST SP 800-171.
#3. Create your system security plan (SSP)
A system security plan is a document you must have before you can earn a CMMC certification. An SSP identifies all the functions and features of the systems that fall within the scope of CMMC, as well as the controls and policies in place to protect them. Fortunately, NIST provides a useful template that you can use to start filling out your SSP, although completing it does require specialized knowledge and experience. It's usually far more cost-effective to have an expert consultant do it instead.
#4. Build a plan of action and milestones (POA&M)
A plan of action and milestones helps your organization identify, assess, prioritize, and monitor its cybersecurity strategies. It lets you take a structured approach to mitigating the risks facing your organization, in line with the requirements laid out by the CMMC. Your POA&M should also document each remediation plan and establish the resources and timelines required to implement it. The main purpose of this document is to establish an ongoing, consistent process for continually improving your cybersecurity maturity. Worksheets and templates are available online to help you get started.
#5. Seek external assistance
Achieving CMMC compliance can become a major administrative burden, particularly at the higher levels. However, it's also a legal necessity for any organization in the DIB, and achieving a higher certification level can be highly profitable. Even if you have the necessary expertise in-house, pulling people away from their normal roles is rarely ideal from a productivity standpoint, which is why outsourcing your security processes and systems often makes more sense.
Tapping into the expertise and experience of a managed security services provider (MSSP) also improves security in its own right. An MSSP can give you a balanced view of your current systems and infrastructure from an unbiased, outside perspective. For CMMC compliance this is especially important, since a third-party CMMC audit is a key requirement.
Charles IT helps businesses achieve compliance so they can take on and maintain lucrative defense contracts. Call us today to schedule your security gap assessment.