Cyberattacks pose a serious threat to national security, and defense contractors should start preparing now for the new wave of legislation being introduced to guard against those threats. With CMMC audits expected to start taking place by the end of the year, potential and existing DoD contractors are running out of time to prepare for their CMMC applications.
Here’s what you need to start doing right away, to ensure you’re ready to meet the DoD CMMC requirements:
#1. Choose your target maturity level
The first thing to do before sending in your CMMC application is to choose your target maturity level. There are five levels to choose from, with the first one being mandatory for any contractor that’s included in the Defense Industrial Base (DIB). However, reaching a higher level awards more valuable certifications and allows you to bid on more lucrative contracts with the DoD.
Generally speaking, contractors should be aiming for CMMC Level 3, since this is required for any organization that collects, stores, or processes controlled unclassified information (CUI) on behalf of the DoD. For example, if you want to bid on projects that require ITAR compliance, you will also need to have a Level 3 certification.
Related article: CMMC Certification Levels: What Is the Right Level for My Company?
Contractors should review the requests for proposals (RFPs) they intend to bid on to understand which level is required for each role.
#2. Determine whether you need external help with the CMMC application
It’s important to consider the overall business impact, including the financial costs, of pursuing CMMC compliance. While there’s no denying that achieving a high maturity level will open up many lucrative new opportunities, as well as reduce cyber risk in general, the resources required may be prohibitive.
If that’s likely to be the case, you may need external security or compliance services. Even if you do have the expertise and financial resources in-house, taking employees away from their regular roles may not be the most cost-effective option either. Operations teams must identify any gaps in internal capabilities and figure out what they need to outsource.
It’s strongly recommended that you seek out external help if you want to achieve CMMC Level 3 or higher or have no dedicated cybersecurity department.
#3. Conduct a self-assessment
When the time comes to apply for a CMMC certification, you’ll no doubt want the process to go as smoothly as possible. Although not mandatory, a self-assessment will give you a clear overview of your current cybersecurity posture and reveal areas in need of improvement. The important first step is a so-called gap assessment, which compares the controls you have in place today against those your target level requires and records every control that is missing.
Your self-assessment should be coordinated between operations and IT to evaluate whether your current security controls are sufficient. All your findings should be clearly documented, enshrined in company policy, and reviewed in line with the CMMC level you’re targeting, as well as the levels below it.
Related article: 7 Reasons Why You Need a CMMC Assessment and How Charles IT Can Help
The best approach is to refer to the NIST Handbook 162, which is specifically designed for assisting in self-assessments and creating a plan of action and milestones (POA&M).
#4. Remediate your security gaps
Reaching DoD CMMC requirements means implementing a defined set of cybersecurity controls, which grows with each level. For example, Level 1 requires the application of 17 controls in total, while Level 5 has a total of 177 controls. Each level’s count includes all the controls from the levels below it.
The POA&M created in the previous step will now serve as a to-do list and help you track the completion of all gap remediation activities. These activities may also include the development of new organizational policies, procedures, and standards. In some cases, it may even involve major changes to your IT and operational infrastructure.
Cloud-based software providers can help enormously when it comes to remediation, as they often already have the necessary security controls in place to comply with CMMC.
The final step is to conduct a CMMC readiness assessment, which involves repeating the self-assessment until every potential security gap documented in your POA&M has been resolved. If, by this stage, you still haven’t brought in external help, now would be a good time. External providers may find vulnerabilities and opportunities that an in-house team could easily miss. It also serves as a practice run for a real audit and ensures your business will be ready in time for the CMMC application deadline.
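Steps 3 and 4 describe a loop: assess gaps against the cumulative control set for your target level, turn each gap into a POA&M line, remediate, and repeat until nothing is open. The script below is an added illustration of that loop, not a tool from Charles IT or from the CMMC program, and the control identifiers in `CONTROLS_BY_LEVEL` are constructed placeholders rather than real CMMC practice IDs. It shows two points the text only implies: the required set is cumulative across levels, and "ready" means both the gap list and the open POA&M list are empty, so closing a POA&M line without actually adding the control to the implemented inventory does not count.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed placeholder catalogue for illustration only. Real CMMC practice
# identifiers are not reproduced here; these IDs simply stand in for them.
CONTROLS_BY_LEVEL = {
    1: {"L1-ACCESS-01", "L1-ACCESS-02", "L1-MEDIA-01"},
    2: {"L2-AUDIT-01", "L2-TRAINING-01"},
    3: {"L3-CONFIG-01", "L3-CUI-01", "L3-INCIDENT-01"},
}


def required_controls(target_level):
    """Full control set for target_level, cumulative across every lower level
    (each level's requirements include the ones below it)."""
    if target_level not in CONTROLS_BY_LEVEL:
        raise ValueError(f"no catalogue for level {target_level}")
    required = set()
    for level in range(1, target_level + 1):
        required |= CONTROLS_BY_LEVEL[level]
    return required


def gap_assessment(target_level, implemented):
    """Controls required at target_level that are not in the implemented inventory.
    Inventory entries the catalogue does not know are ignored rather than counted
    as coverage, so a typo in the inventory cannot hide a gap."""
    return sorted(required_controls(target_level) - set(implemented))


@dataclass
class PoamItem:
    control: str
    owner: str
    due: date
    status: str = "open"  # "open" or "closed"


@dataclass
class Poam:
    items: list = field(default_factory=list)

    def close(self, control):
        """Mark one POA&M line closed; returns False if no such line exists."""
        for item in self.items:
            if item.control == control:
                item.status = "closed"
                return True
        return False

    def open_items(self):
        return [i for i in self.items if i.status == "open"]

    def overdue(self, today_iso):
        today = date.fromisoformat(today_iso)
        return [i for i in self.open_items() if i.due < today]


def build_poam(gaps, owner, start_iso, days_per_item=30):
    """Turn a gap list into a POA&M: one dated milestone per missing control,
    spaced days_per_item apart starting from start_iso (YYYY-MM-DD)."""
    start = date.fromisoformat(start_iso)
    return Poam([
        PoamItem(control=c, owner=owner, due=start + timedelta(days=days_per_item * (n + 1)))
        for n, c in enumerate(gaps)
    ])


def readiness_check(target_level, implemented, poam):
    """Readiness assessment: re-run the gap assessment and confirm every POA&M
    line is closed. Returns (ready, remaining_gaps, open_poam_controls)."""
    gaps = gap_assessment(target_level, implemented)
    still_open = [i.control for i in poam.open_items()]
    return (len(gaps) == 0 and len(still_open) == 0), gaps, still_open


if __name__ == "__main__":
    # Constructed sample inventory: Level 1 complete, Level 2 half done.
    inventory = {"L1-ACCESS-01", "L1-ACCESS-02", "L1-MEDIA-01", "L2-AUDIT-01"}
    gaps = gap_assessment(3, inventory)
    poam = build_poam(gaps, owner="it-ops", start_iso="2021-06-01")
    print("gaps for Level 3:", gaps)
    # Remediate one control: update the inventory and close its POA&M line.
    inventory.add("L2-TRAINING-01")
    poam.close("L2-TRAINING-01")
    ready, gaps, open_items = readiness_check(3, inventory, poam)
    print("ready:", ready, "remaining gaps:", gaps, "open POA&M:", open_items)
```

Run it as-is to see the Level 3 gap list shrink after one remediation; in practice the catalogue would be loaded from your own control mapping and the inventory from the documented findings of the self-assessment.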
Charles IT can assess gaps in your cybersecurity posture and devise a plan to remediate them so you’re ready for your CMMC application. Schedule a consultation now to find out more.