The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for protecting controlled unclassified information (CUI) pertaining to the Department of Defense.
The DoD has one of the world’s biggest supply chains, spanning over 300,000 organizations. Any organization that’s part of that supply chain in any capacity, or is considering signing off contracts with the DoD in the foreseeable future, will need to achieve compliance. By the end of 2026, all new DoD contacts will contain CMMC requirements.
Although most DoD contractors should already have achieved a high level of cybersecurity maturity, one of the biggest differences between CMMC and previous compliance measures and standards is the requirement for an independent audit. The first auditors are already undergoing training, so it’s only a matter of time before audits begin. This means that it’s essential for contractors to take every necessary step to ensure they’re ready to pass a CMMC audit as soon as possible.
What is a CMMC Compliance audit?
CMMC audits will be carried out by the newly formed CMMC Accreditation Body, which is still in the process of building out its auditor training and certification processes. While no auditors have been appointed just yet, some level of CMMC certification will be mandatory for signing off new Requests for Proposals (RFPs) next year.
The DoD onboards contractors based on their risk profiles. These are meant to align with the five CMMC certification levels. To date, the CMMC level-1 requirements have been finalized, but contractors should ideally be aiming for at least a level-3 certification to secure and retain the more lucrative contracts next year and beyond.
CMMC audits are meant to shore up gaps in previous NIST 800-171 self-assessments through independent, government-mandated review. After receiving an audit, DoD contractors will be assigned an appropriate certification level. Exactly how these audits will be carried out in real-world scenarios remains to be seen, but there are many steps you can take now to prepare your cybersecurity infrastructure for your desired certification level.
Which level do you need to achieve?
Every single DoD contractor needs to achieve a minimum level of compliance. CMMC Level One includes 17 controls, which must be applied to earn the minimum certification. Subsequent levels require all the controls from any previous levels, while also introducing new ones of their own. Level Five, the highest one, mandates a total of 171 controls.
Related reading: CMMC Certification Levels: What Is the Right Level for My Company?
Levels one and two will also apply to contractors who don’t store government information on their corporate networks. This includes resellers operating within the DoD supply chain. Levels Three and Four will apply to contractors who handle CUI, especially information which could be reverse-engineered by hostile states. Finally, Level Five will likely apply to organizations that handle very sensitive (albeit unclassified) information like manufacturing schematics and weapons testing.
Naturally, organizations which have achieved higher levels of compliance are much more likely to be awarded high-value contracts, although the cost of implementing and maintaining these requirements will also be substantially higher.
7 steps to prepare for your CMMC compliance audit
Regardless of your current level or the one you’re aiming for, the CMMC has released several steps to prepare for an audit.
1.) Map out your CUI environment
You can’t apply security policies and controls effectively until you know where data is stored, processed, and transmitted. The first step is to gain full visibility into any systems that handle CUI. This also allows federal contracting officials to determine your risk level.
2.) Identify applicable NIST 800-171 controls
Once you have mapped out your CUI environment, you will need to identify which systems, services, and operations fall within the scope of the NIST 800-171 standard, which CMMC is based upon. Applicable controls will depend on whether they store, process, or transmit CUI.
3.) Develop policies and standards to address requirements
Next, you need to create the policies, standards, and procedures required to address your CMMC requirements. Every contractor has a unique operational environment, hence the need for clearly documented policies and procedures that align with the level of risk.
4.) Operationalize policies and standards to implement controls
This is the stage where contractors put their policies into force by applying the controls set out by the NIST 800-171 standard. You will need to apply all the controls of the CMMC level you want to meet, including those of all previous levels.
5.) Document your CMMC environment
Next, you need to document which security controls are in place, along with any deficiencies. These will be addressed in a System Security Plan (SSP), and a Plan of Action & Milestones (POA&M), respectively.
6.) Leverage controls for assessing risk and maturity
Applying controls and documenting your procedures is one thing – you also need to know how successful your efforts are. There are countless ways you can mix and match controls, hence the dynamic nature of information security demands regular and standardized assessments.
7.) Utilize metrics to identify areas for improvement
Once all your controls and documentation are in place, you must establish a way to continually monitor their effectiveness. Over time, you will collect detailed insights into your infrastructure, which will highlight areas in need of improvement.
Charles IT can help you prepare for your CMMC compliance audit with a gap assessment to identify any potential issues with your cybersecurity infrastructure. Contact us today to get started.