The Cybersecurity Maturity Model Certification (CMMC) replaces the current DFARS 252.204-7012 clause that defense contractors currently have to when entering into a contract with the Department of Defense. Based on the NIST SP 800-171 framework, albeit with the addition of various other processes and practices, CMMC compliance spans five levels, with the third one being the minimum requirement when dealing with controlled unclassified information (CUI).
Here are some common mistakes to avoid when preparing for your CMMC audit:
#1. Not knowing which level to target
When embarking on your CMMC compliance journey, the first step is to identify an appropriate scope for the project. This involves targeting the right level. Aiming too low could mean being locked out of lucrative contracts with the DoD. On the other hand, aiming for too high a level may end up being prohibitively time-consuming and costly, especially for smaller businesses. Deciding which level to target is, therefore, the obvious first step.
Most organizations will want to aim for CMMC level 3, since this is the minimum requirement for protecting CUI. By contrast, the previous two levels are purely foundational, and should be considered as first steps to take. CMMC levels 4 and 5 are much more advanced, since they pertain to proactive and progressive cybersecurity respectively. The best way to start is to look at where you currently stand by thoroughly assessing your existing security gaps.
#2. Having an incomplete asset inventory
You cannot expect to protect assets that you are not even fully aware of. Lack of visibility into data-bearing assets is actually a more common problem than many business leaders realize. The number of endpoints continues to rise with the increasing popularity of employee-owned devices, mobile devices, cloud-hosted resources, and internet-connected smart devices. It is a lot harder to keep track of all these systems than it might sound.
Maintaining an up-to-date inventory of every networked device, service, and user account is a crucial starting point when determining where your potential vulnerabilities lie. Furthermore, CMMC requires that CUI be contained and isolated so that it can be properly protected and monitored. In other words, it should not be stored nor transmitted outside your secure network and systems.
#3. Delaying compliance preparation
CMMC does not come into full force until October 2025. That might sound like a long time off, but audits will be starting long before then. As such, organizations that can earn their CMMC certifications well in advance of the implementation date will have a clear advantage when it comes to bidding on requests for proposals (RFPs) with the DoD. That is why it is important to start your compliance preparation sooner rather than later.
Achieving CMMC compliance itself takes time, but you can speed up the process significantly by working with a registered provider organization (RPO). These organizations are approved by the CMMC Accreditation Body to provide expert guidance for those seeking compliance. If you are currently compliant with the existing DFARS 252.204-7012 clause, then it should not take a great deal of effort to reach CMMC level 3, especially if you work with an RPO.
#4. Assuming NIST covers everything
The CMMC is a unified standard set to replace the DFARS clause. The DFARS clause itself requires that organizations achieve full compliance with the globally recognized NIST SP 800-171 information security framework. However, CMMC, despite also being based on the same framework, introduces a number of practices and processes that are not covered by NIST, so they should not be considered interchangeable.
CMMC incorporates features and abilities from several other frameworks, such as ISO 27002, NIST 800-171B, NIST 800-53 rev4, and CERT RMM v.1.2. While this may sound complicated, CMMC is very clear about which controls and processes you need to have in place to achieve a given cybersecurity maturity level. In other words, it is a new framework in itself, so you can achieve full compliance just by following the CMMC requirements instead of including others.
Charles IT provides expert guidance to ensure you don’t overlook anything important when preparing for your CMMC certification. Call us today to schedule your first consultation!