The Cybersecurity Maturity Model Certification (CMMC) is a universal cybersecurity standard, which applies across the entire supply chain of the US Department of Defense. This includes over 300,000 companies.
CMMC builds upon the established NIST SP 800-171 documentation to identify five levels of cybersecurity maturity. Most importantly, it requires that all DoD contractors obtain third-party audits of their security capabilities to earn and maintain their certifications.
What is a System Security Plan?
When seeking to enter into contracts as a supplier to the DoD, non-federal organizations have to submit a System Security Plan (SSP). This is an iterative document detailing all the steps taken to protect systems which process, store, or transmit controlled unclassified information (CUI).
An SSP should be updated whenever a company makes any significant change to its security posture, such as a major technology replacement or upgrade, or the assignment of new key stakeholders or operational processes.
An SSP should be easy to reference and update. It should also be accessible to people who aren’t familiar with the CUI environment, so that they can gain a basic understanding of the systems involved, the risks facing them, and the security controls required.
#1. Gain visibility into your assets
Before you can reliably apply any security policies and controls, you first need to know where your assets lie. This is a lot easier said than done in the age of cloud computing, where many data assets are spread across a large and disparate range of interconnected virtual machines, physical systems, and data lakes.
Asset management is one of the key capabilities defined in the DoD CMMC framework, and it should be at the top of your CMMC compliance checklist.
Start by tracking, categorizing, and classifying all resources in your organization which might potentially store or transmit CUI. Make sure to include all the hardware used for work, as well as your software and data assets.
#2. Evaluate your operating model
Once you’ve identified which assets store or transmit CUI, you’ll need to evaluate their system environments and operation models. This should include a detailed topology of your entire IT infrastructure.
Your operating environment may consist of assets in the public or private cloud, company data centers, hybrid systems, and dispersed endpoints like mobile devices.
While you don’t need to include every physical device, it is important to include all instances, such as virtual and physical servers, databases, and applications. It should also incorporate all system boundaries, interconnections, and key components.
#3. Identify your key stakeholders
CMMC compliance is the result of a concerted effort by key stakeholders throughout the organization. You may want to include an organization chart outlining the hierarchy of your stakeholders to assist with the escalation of any potential problems later on.
Identifying key stakeholders is especially important due to the unpredictable and fluid nature of cyberthreats. They can move across departments, functions, and systems, and anyone in the organization can be affected.
Since risks form in operational gaps, such as hand-offs and information silos, it’s important to get everyone involved. Be sure to identify who should be involved in ongoing compliance and decision-making to create an organization-wide culture of accountability.
#4. Define your goals and milestones for the DoD CMMC Framework
System security plans are living documents which need to be updated whenever there’s a major change to your operational or technology environment. This includes any milestones planned for the life cycle of the systems that make up your CUI infrastructure.
The system development life cycle (SDLC) framework defines milestones governing the entire life of an asset in your CUI environment from the initiation of a concept through its design and implementation, operation, and eventual disposal.
Include in your SSP a brief explanation of the planned milestones throughout the life cycle of each system. This should include operational phases such as under development and under major modification, and anything else that might be relevant.
#5. Establish a remediation plan
No cybersecurity infrastructure is ever going to be perfect. With the threat landscape evolving every day, it’s important to prepare for the worst-case scenario.
A remediation plan serves to address security gaps uncovered during a readiness assessment and prepares you for CMMC compliance. It is a plan of action detailing the activities necessary to resolve potential security issues, the allocation of resources required to mitigate the risks, and insights into how the vulnerabilities were uncovered.
When should you start your SSP for your DoD CMMC Framework?
Given the time it can take to complete these steps, it’s important to review, initiate, and update your security controls as soon as possible if you want to work, or continue working, as a DoD contractor. Also, auditors’ schedules are filling up fast given the need for third-party auditing to achieve compliance. By acting quickly, you’ll have a competitive advantage over those who continue to delay.
If you have compliance requirements you need to meet, Charles IT can help you prepare your technology and operational infrastructure accordingly. Schedule your GAP assessment today.