Cybersecurity Maturity Model Certification (CMMC) is the verification method being used to increase the security of the Department of Defense’s supply chain, as an extension of the Defense Federal Acquisition Regulations System (DFARS) to protect DoD information.
One of the major differences between these two systems is that DFARS allows contractors to assess their own security posture, while CMMC requires independent audits from authorized third parties. A contractor's failure to achieve the required CMMC level will eventually prevent that contractor from working on DoD contracts, and most likely across other Government agencies in the future.
A CMMC audit is an assessment of an organization’s cybersecurity posture, which is performed by third-party assessment organizations (C3PAOs) belonging to the CMMC Accreditation Body (CMMC AB). Many C3PAOs are still in training, and the number of organizations within the Defense Industrial Base (DIB) is in the hundreds of thousands, so it may be some time before an organization receives an audit by a C3PAO, but that doesn’t mean preparing today should be ignored. For organizations currently subject to DFARS, Prime contractors, the Defense Contract Management Agency (DMCA) and legal teams can ask for proof of NIST 800-171 compliance today.
All DoD contractors must achieve CMMC compliance by 2025, but they should begin preparing for those audits now. Auditors will be in high demand once they become available, so it’s important for contractors to start this process as soon as possible. (Learn more: Who needs to be CMMC compliant?)
An authorized CMMC auditor may conduct several types of audits, depending on the CMMC maturity level and cybersecurity standards the contractor is attempting to achieve. The complexity of this process and the degree of the contractor’s involvement can therefore vary greatly, especially when the auditor performs multiple audits. Assessors can help contractors on their journey towards CMMC, although they won’t be allowed to grant certification to those Organizations Seeking Certification (OSCs) Here are some areas to focus on, prior to a CMMC audit.
The CMMC-AB authorizes Registered Provider Organizations (RPOs) to provide the consulting and support that contractors need to meet their new obligations under CMMC. RPOs are trusted by the CMMC-AB, as they have been trained in CMMC methodologies. Contractors can thus simplify the auditing process by partnering with an RPO. The basic steps of preparing for a CMMC audit include determining the maturity level your organization requires, assessing its current security posture and establishing a security roadmap for achieving the required maturity level.
The process of preparing for a CMMC audit is highly dependent on the specific maturity level your organization requires. For example, a DoD contractor that won't be working with Controlled Unclassified Information (CUI) may need to do very little to prepare for an audit, besides basic safeguarding practices. On the other hand, contractors that need to handle highly sensitive information may need to implement many additional security controls to achieve their required CMMC certification.
CMMC includes five maturity levels with progressively greater requirements. For example, Levels 1 and 2 are for contractors that don't typically handle CUI, which typically includes resellers. CMMC Level 3 is for contractors that handle CUI such as general schematics for equipment in the CUI network. Levels 4 and 5 apply to contractors who require sophisticated security to protect CUI specifically targeted by adversaries or advanced persistent threats (APTs). A business that deals with results from weapon testing or detailed schematics for qualifying equipment would typically require CMMC level 4 or 5.
Understanding your organization's current state of security is the next step in preparing for a CMMC audit. If you have been diligent in complying with DFARS 252.204-7012 by fully implementing NIST SP 800-171, because your organization handles CUI, you likely have less work to do in order to achieve CMMC Level 3. Otherwise, you'll typically need to complete a thorough assessment of your organization's current security posture to determine the specific steps needed to achieve and maintain the required CMMC maturity level.
It's still a good idea to assess your current procedures to ensure your organization isn't missing any security controls, even if you only need a low-level CMMC. It's possible for something to slip through the cracks since contractors were previously responsible for assessing themselves under NIST SP 800-171.
The final step in preparing for a successful CMMC assessment is to create a roadmap of the process for becoming CMMC compliant before the audit. This roadmap should include the procedures for implementing the required security measures and protocols. Start with the scheduled date for the audit and work backwards to determine the deadlines for each of these steps. Ensure you allow additional time to resolve unexpected complications, which can be a common occurrence for CMMC.
The wait times for audits will be lengthy at first, until the necessary number of C3PAOs becomes trained and comfortable in their roles. You don't want to add to the delay in obtaining certification by leaving essential tasks incomplete.
The following practices can help your organization prepare for a CMMC audit.
In addition to identifying CUI, you also need to determine its storage location, how it's processed and where it's transmitted. You also need to identify the processes, services and systems that are within the scope of DFARS 252.204-7012/NIST SP 800-171. This information describes your CUI environment, which auditors will closely scrutinize during the audit. The contracting official for the DoD will define CUI in the contract for the prime contractor, who is then required to provide that definition in its contracts to subcontractors. Your contracting official or prime contractor should be able to provide further guidance on whether a particular data set qualifies as CUI.
Once you've defined your CUI environment, you can identify the processes, systems and services in that environment that are within the scope of NIST SP 800-171. This identification process will be based on the storage, processing and transmittal of CUI. NIST SP 800-171 defines 110 CUI controls, and CMMC Level 3 defines an additional 20 CUI controls.
You must then identify the controls that apply to your environment. In the case of simple, flat networks, all of these controls will probably apply to your entire organization. For a segmented CUI environment like cuick trac™ most controls should apply only to specific sub-networks rather than every system in your organization's IT infrastructure.
This process involves identifying all the laws and other regulations that apply to your organization's contract. Applicable laws can include both domestic and international cybersecurity and data privacy laws, as well as industry-specific regulations and contract requirements from both partners and clients. This practice typically requires significant due diligence to find the requirements that apply to your company's specific situation.
Your system for documenting these requirements should build on supporting components, resulting in a hierarchical structure that provides strong governance. This system should also manage requirements with an approach that integrates documentation into the implementation of these tasks. This strategy will help provide an understanding of the documentation that helps an organization make well-informed decisions regarding security risks, including management involvement, staffing resources and technology purchases.
Contractors often view data governance as an obstacle rather than an asset, resulting in their failure to properly scope documentation. However, it's vital that such documentation is concise and clearly written, while showing a CMMC compliance requirement is adequately met. Avoid writing a single policy document that attempts to meet all documentation requirements, including high-level security concepts, configuration and work assignments. This approach will only serve to create confusion across all operations.
Implementing these standards involves operationalizing your organization's cybersecurity and data privacy programs by combining people, processes and technology in the right way. Addressing the applicable NIST 800-171 and CMMC requirements by implementing the necessary actions allows an organization to bring its policies and procedures to life. This step also includes identifying the parties responsible for each CUI control, along with the roles and responsibilities of each team member. This approach ensures that requirements don't fall through the cracks or are implemented improperly due to a misunderstanding on the part of the individuals responsible for those controls.
This step populates the Plan of Action and Milestones (POAM) and System Security Plan (SSP) with details specific to your organization. The POAM is essentially a list of NIST SP 800-171 control deficiencies that currently exist for the organization. The SSP documents the people, processes and technologies comprising the CUI environment as well as the location for this information.
These are both living documents central to documenting a NIST SP 800-171 compliance program, so they must be regularly updated to reflect changes in the CUI environment. They're also key documents for the CMMC audit, so an auditor will ask for them early in this process. Failure to provide these documents is considered non-compliant with CMMC, which can result in negative consequences such as a False Claims Act (FCA) violation.
Many methodologies currently exist for helping an organization manage risk, including FAIR, ISO 31010, OCTAVE and NIST 800-37. These methodologies share common traits such as the requirement to assess the effectiveness of the implemented controls in addition to the extent to which those controls reduce risk and demonstrate maturity level. No system for assessing business and technology processes can ever be perfect, so it's important to select the one that best matches the way an organization functions. As a result, CMMC auditor will accept a separate risk methodology for making operational, strategic and tactical decisions, since each methodology has its own pros and cons for a particular application. The end goal of defining and achieving the desired level of risk taking is the most important thing to remember with this practice.
All phases of the Secure Development Lifecycle (SDLC) must manage risk, whether the solution you’re developing is an application, service or system. The scope of this process must include the SDLC’s direct assets in addition to those of its supporting components. In some cases, this can include the assets of third-party providers that relate to the availability, confidentiality, integrity and safety aspects of data protection.
Gathering metrics is a key task in monitoring CMMC controls. Metrics provide a snapshot of a control’s performance for a particular instant in time, but they also provide broader benefits such as the analysis of long-term trends. Your organization can use this trend analysis to identify ways of improving its security posture.
This process requires you to define the Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) with critical importance to your organization, which can provide valuable insight into its security controls. The KPIs and KRIs of each organization primarily depend on the priority of each control, which is affected by factors such as contractual and regulatory obligations.
Cuick trac™ by Beryllium InfoSec is a secure virtual environment for handling, storing, and processing CUI that also includes the documentation needed to comply with NIST SP 800-171 requirements. We can also provide a cybersecurity risk assessment of your company’s people, processes and technology to identify your CMMC risks.
Learn why so many small to medium size defense contractors choose cuick trac™ as their DFARS 252.204-7012 & NIST SP 800-171 compliance solution.