5 Key Steps to Prepare for CMMC
In response to the volatile state of security threats, the U.S. Department of Defense (DoD) recently announced the Cybersecurity Maturity Model Certification (CMMC) requirement for their contractors and sub-contractors. This means contractors within the Defense Industrial Base (DIB) supply chain must meet the cybersecurity standards developed by the DoD.
While this new program is important and necessary, we realize some may find this task daunting and/or confusing. That's why ProArch has compiled a step-by-step process to help you prepare for CMMC.
We will revise this blog as more information about CMMC is released, so check back for new information!
1. Assess current operations control compliance gaps with NIST 800-171
The CMMC program supports and builds on NIST 800-171. Before you can meet the requirements of CMMC, you need to first assess your current operations and identify any gaps that need to be filled per NIST requirements. If you have already implemented NIST 800-171, good news! You have 110 of the 130 CMMC Level 3 requirements completed.
Requirement CA.2.158 (3.12.1 of the Defense Federal Acquisition Regulation (DFARS)) states that contractors must "periodically assess the security controls in organizational systems to determine if the controls are effective in their applications." There are 130 control requirements for CMMC Level 3, so knowing where you stand is key. Get assistance to perform this analysis if your internal staff doesn't have the bandwidth or ability to do so.
2. Document Plan of Action & Milestones (POAM)
CMMC requirement CA.2.159 (Plans of Action, 3.12.2 of DFARS) calls for the development, documentation, and implementation of a POAM. The POAM should outline how your organization will remediate the deficiencies found during Step 1 of the process.
For contractors with a more robust IT infrastructure and team, this may be an easy task. For others, it will require assistance from a third-party. Either way, remember that it’s not enough to just have a POAM. You must fully implement controls documented in your POAM to be compliant.
3. Implement the Required Security Controls
Executing the remediation laid out in the POAM to achieve full compliance with NIST 800-171 is critical for preparing for a CMMC audit. Start with controls that have the least impact on users (audit logging) and leave the most impactful for last (multi-factor authentication). Before you get started, evaluate your team's skill level across the 17 security domains. Using an MSSP like ProArch will help make CMMC a smoother and faster transition for the organization.
4. Document policies and procedures in a System Security Plan (SSP)
In the event of a CMMC audit, the SSP is likely the first thing you will be asked for. Requirement CA.2.157 (3.12.4) mandates that all contractors must develop, document, and periodically update their SSP.
It’s important to remember that achieving CMMC is an ongoing effort. As the security landscape changes, your cybersecurity defenses need to as well. All SSPs should reflect the current state of control implementation.
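Steps 1 through 4 are one pipeline: assessment results become a gap list, the gap list becomes POAM milestones (scheduled lowest user impact first, as Step 3 recommends), and the SSP records the current state of each control together with the POAM item that covers it. The following tracker is an added example written for this post; it is not ProArch's or the DoD's tooling. The control records are a constructed sample: identifiers 3.12.1, 3.12.2 and 3.12.4 are the NIST SP 800-171 requirement numbers cited above, while the other rows, every status value, the 1-to-5 user-impact scale and the 30-day milestone spacing are illustrative assumptions.

```python
"""Gap assessment -> POAM -> SSP status: a minimal compliance tracker.

Added example, not the post's or the DoD's code. The assessment data is a
constructed sample, not a real result set.
"""
from dataclasses import dataclass
from datetime import date, timedelta

STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class ControlResult:
    control_id: str   # NIST SP 800-171 requirement identifier
    title: str
    status: str       # one of STATUSES
    user_impact: int  # assumed scale: 1 = invisible to users ... 5 = changes every login


# Constructed sample. 3.12.1, 3.12.2 and 3.12.4 are the identifiers the post
# cites; the remaining rows are illustrative assumptions.
SAMPLE_ASSESSMENT = [
    ControlResult("3.3.1", "Create and retain system audit logs", "not_implemented", 1),
    ControlResult("3.5.3", "Multifactor authentication", "not_implemented", 5),
    ControlResult("3.12.1", "Periodically assess security controls", "implemented", 1),
    ControlResult("3.12.2", "Plans of action (POAM)", "partial", 1),
    ControlResult("3.12.4", "System security plan (SSP)", "implemented", 1),
    ControlResult("3.1.1", "Limit system access to authorized users", "partial", 3),
]


def validate(results):
    """Reject malformed records before they reach the POAM or SSP."""
    seen = set()
    for r in results:
        if r.status not in STATUSES:
            raise ValueError(f"{r.control_id}: unknown status {r.status!r}")
        if not 1 <= r.user_impact <= 5:
            raise ValueError(f"{r.control_id}: user_impact must be 1..5")
        if r.control_id in seen:
            raise ValueError(f"duplicate control id {r.control_id}")
        seen.add(r.control_id)
    return list(results)


def find_gaps(results):
    """Step 1: any control that is not fully implemented is a gap."""
    return [r for r in validate(results) if r.status != "implemented"]


def build_poam(results, start, days_per_item=30):
    """Steps 2 and 3: one milestone per gap, lowest user impact scheduled first."""
    gaps = sorted(find_gaps(results), key=lambda r: (r.user_impact, r.control_id))
    poam = []
    for n, r in enumerate(gaps, start=1):
        poam.append({
            "control_id": r.control_id,
            "weakness": f"{r.title} is {r.status.replace('_', ' ')}",
            "milestone": n,
            "target_date": (start + timedelta(days=days_per_item * n)).isoformat(),
        })
    return poam


def coverage(results):
    """(fully implemented, total assessed) for the 'where do you stand' question."""
    results = validate(results)
    done = sum(1 for r in results if r.status == "implemented")
    return done, len(results)


def ssp_status_table(results, poam):
    """Step 4: SSP rows showing each control's current state and its POAM item, if any."""
    by_id = {item["control_id"]: item["milestone"] for item in poam}
    return {
        r.control_id: {"status": r.status, "poam_item": by_id.get(r.control_id)}
        for r in validate(results)
    }


if __name__ == "__main__":
    plan = build_poam(SAMPLE_ASSESSMENT, date(2024, 1, 1))
    done, total = coverage(SAMPLE_ASSESSMENT)
    print(f"{done}/{total} controls fully implemented")
    for item in plan:
        print(item["milestone"], item["control_id"], item["target_date"], item["weakness"])
    for cid, row in ssp_status_table(SAMPLE_ASSESSMENT, plan).items():
        print(cid, row)
```

Re-running the tracker after each remediation keeps the SSP table current, which is the point of the ongoing-effort note that follows; a stale SSP is the first thing an assessor will notice.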
CMMC isn’t one-and-done. It calls for a proactive approach to cybersecurity. This means you need to implement a plan to leverage internal or external resources to maintain and automate compliance. Compliance requires recurring risk assessments, penetration testing, and vulnerability management.
This is why many DoD contractors use a consultant to confirm adherence to these mandatory practices laid out by the DoD. If your SSP is compliant and maintained, audits will be easier and faster for your team. Compliance frameworks are ever-changing. As the threat landscape continues to get more complex, new requirements will continue to be added.
Here's what it comes down to: Any gaps in your security controls are an immediate risk to national security. According to the DoD, “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
The best way to prepare for CMMC is to tackle these 5 steps. Meeting and maintaining compliance guidelines will ultimately protect your business and your DoD revenue, while also safeguarding important data and saving time when annual third-party assessments come due.
As a Registered Practitioner Organization, ProArch can guide you through the full journey to achieving CMMC compliance. From uncovering security gaps and remediation to on-going compliance management, we do it all. Take a look at our CMMC consulting services including gap analysis, SSP development, vCISO, and security control implementation.