In an effort to increase the resilience of its enormous supply chain, the Department of Defense has mandated that all contractors and subcontractors meet the CMMC requirements by 2026. However, the CMMC timeline also included the incorporation of CMMC requirements as early as September this year. The first round of auditors is now undergoing training, so contractors should be ready for audits by the end of the year.
Even though the full implementation of CMMC practices might take a few years, especially for higher certification levels, contractors should not postpone their efforts. After all, writing policy documents and deploying technical and operational solutions can take considerable time. The sooner contractors address the requirements of their chosen CMMC level, the sooner they will be able to resume bidding on RFPs.
Despite the onset of the COVID-19 pandemic, the CMMC framework is still on schedule. The original version was released in January 2020, but has since been updated to version 1.02 to address some minor administrative errors. While this iteration doesn’t include any substantial changes, it’s important to keep up to date with the continuing development and application of the CMMC timeline at the DoD’s website.
In the meantime, here’s the CMMC roadmap you need to follow to prepare for RFPs:
#1. Determine which CMMC level you would like to achieve
In an ideal world, every contractor would achieve the highest cybersecurity standard possible. Unfortunately, this is simply not practical for most smaller firms, such as those without internal staff who have the necessary expertise. Working with a managed security services provider (MSSP) can help speed up your efforts dramatically, but you still need to establish a realistic CMMC roadmap.
Firms which already have contracts with the DoD should, for the most part, be able to obtain a certification fairly easily. For example, if you’re already compliant with NIST SP 800-171, then you shouldn’t have much difficulty reaching CMMC Level 3. This is the requirement for any contracts which involve the handling of controlled unclassified information (CUI). But reaching a higher level will be necessary for the most valuable contracts.
#2. Review the CMMC framework to learn what you need to do
The official CMMC version 1.02 document provides a list of all the requirements you need to meet to reach your desired certification level. At this point, contractors should start drafting a budget for implementing the necessary policies and controls. If meeting these requirements within a given timeframe turns out to be too costly, you’ll need to consider aiming for a lower level or working with a third party to accelerate your compliance strategy.
Once you’ve finalized your goals, you should build a plan of action and milestones (POA&M) to ensure continuing compliance with the NIST 800-171 documentation.
#3. Conduct a preparedness assessment to identify security gaps
Very few defense contractors can expect to achieve full CMMC compliance entirely in-house. In fact, contracting a third-party assessor is one of the underlying requirements of CMMC, and it’s necessary for earning a certification.
Having a CMMC preparedness assessment carried out by a third party can greatly reduce the burden on your in-house team. Also, it will likely reveal vulnerabilities you didn’t know existed. Getting outside help can save a lot of time and money, and reduce risk by identifying security gaps and telling you exactly what you need to do to prepare for an official audit.
#4. Develop and implement practices to address any vulnerabilities
Depending on your current level of cybersecurity hygiene, you may need to deploy additional cybersecurity controls and patch any potential vulnerabilities. Even if you have all the systems and policies outlined in the CMMC framework in place, some might have hidden vulnerabilities which will be uncovered during the preparedness assessment.
When patching vulnerabilities, you need to incorporate all physical and virtual resources into your plan of action, such as desktop and mobile devices, peripherals, software, and any cloud-hosted apps and virtual machines you use. Again, an MSSP should be able to help you with this by offering a consolidated view of your computing infrastructure.
#5. Acquire a cybersecurity maturity certification based on an audit
Obtaining your certification won’t be possible until enough assessors become available. The first round of assessors is still in training, and will likely start assessing major DoD suppliers by the end of the year. However, you can still ensure you’re ready when the time comes by scheduling a practice assessment with a professional consulting firm.
Charles IT helps defense contractors prepare for their upcoming CMMC audits with expert guidance and a comprehensive range of security services. Call us today to schedule your gap assessment.