The CMMC Timeline for Meeting Requirements and Roadmap for RFPs


To improve the resilience of its enormous supply chain, the Department of Defense has mandated that contractors and subcontractors meet the CMMC requirements by 2026. The CMMC timeline started much earlier, however: the first round of assessors began training in September 2020, so contractors were expected to be ready for assessments by the end of that year.

Even though full implementation of CMMC practices may take a couple of years, especially at the higher certification levels, contractors should not postpone the effort. Writing policy documents and deploying technical and operational controls takes considerable time. The sooner contractors address the requirements of their target CMMC level, the sooner they can resume bidding on RFPs.

The COVID-19 pandemic did not derail the CMMC framework. The original version was released in January 2020 and was updated to version 1.02 to correct minor administrative errors. In November 2021 the DoD announced CMMC 2.0, which made more significant changes, most visibly collapsing the five certification levels into three. Because the rulemaking is still evolving, keep up to date with the CMMC timeline on the DoD's website.

In the meantime, here’s the CMMC roadmap you need to follow to prepare for RFPs:

#1. Determine which CMMC level you would like to achieve

Ideally, every contractor would reach the highest certification level possible. For most smaller firms, particularly those without in-house staff with the necessary expertise, that is simply not practical. Working with a managed security services provider (MSSP) can speed up your efforts dramatically, but you still need to establish a realistic CMMC roadmap.

Firms that already hold DoD contracts should, for the most part, be able to obtain a certification without great difficulty. For example, if you already comply with NIST SP 800-171, you should not have much trouble reaching CMMC Level 2, which maps to the 110 requirements of that publication and is required for any contract that involves handling controlled unclassified information (CUI). Level 3, which adds a subset of the enhanced requirements from NIST SP 800-172, will be necessary for contracts involving the most sensitive CUI.

#2. Review the CMMC framework to learn what you need to do

The U.S. Department of Defense website lists every requirement you need to meet for your target certification level. At this point, contractors should draft a budget for implementing the necessary policies and controls. If meeting the requirements within your timeframe turns out to be too costly, you will need to consider aiming for a lower level or working with a third party to accelerate your compliance effort.

Once you have settled on your goals, document your current state in a System Security Plan (SSP) and build a plan of action and milestones (POA&M) that lists each NIST SP 800-171 requirement you do not yet meet, along with the remediation steps, the responsible owner, and the target date. Both documents are themselves NIST SP 800-171 requirements, and an assessor will ask for them.

#3. Conduct a preparedness assessment to identify security gaps

Very few defense contractors can expect to achieve full CMMC compliance entirely in-house. Under CMMC 2.0, Level 1 (and a subset of Level 2 contracts) relies on self-assessment, but Level 2 certification requires an assessment by a CMMC Third-Party Assessment Organization (C3PAO), and Level 3 requires a government-led assessment, so an outside assessor is unavoidable at the levels that cover CUI.

Having a CMMC preparedness assessment carried out by a third party can greatly reduce the burden on your in-house team, and it will likely reveal weaknesses you did not know existed. Outside help saves time and money and reduces risk by identifying security gaps and telling you exactly what you need to do before an official assessment.

#4. Develop and implement practices to address any vulnerabilities

Depending on your current level of cybersecurity hygiene, you may need to deploy additional controls and remediate any gaps the assessment finds. Even if all the systems and policies outlined in the CMMC framework are in place, some may have weaknesses (a control that exists on paper but is not actually enforced, for instance) which the preparedness assessment will uncover.

When remediating, include every in-scope physical and virtual asset in your plan of action: desktops and mobile devices, peripherals, software, and any cloud-hosted applications and virtual machines you use. Anything that stores, processes, or transmits CUI is in scope. An MSSP can help here by giving you a consolidated view of your computing infrastructure.

#5. Acquire a cybersecurity maturity certification based on an audit

You cannot obtain a certification until you have passed an assessment. The first round of assessors began assessing major DoD suppliers in late 2020. You can make sure you are ready when your turn comes by scheduling a practice assessment with a professional consulting firm.

Charles IT helps defense contractors prepare for their upcoming CMMC audits with expert guidance and a comprehensive range of security services. Call us today to schedule your gap assessment.

The article was updated in July 2024 for accuracy. 
