The defense of sensitive information against cyber threats has been highlighted as a critical aspect of business operations, particularly for organizations working with the U.S. Department of Defense (DoD) and its supply chain. In this blog, we will refresh on the essentials of CMMC and then review how your organization can take proactive steps to ensure compliance and cybersecurity readiness going into a CMMC assessment handled by certified C3PAO’s.
What is CMMC, again?
The Cybersecurity Maturity Model Certification (CMMC) was developed by the DoD with the core goal of strengthening the cybersecurity capabilities of its contractors and subcontractors. It is a mandatory framework that replaces the previous self-assessment process. CMMC includes three levels of maturity, each indicating an increasing level of cybersecurity sophistication from the base level of one (1) to the highest maturity of level three (3). The current CMMC version is 2.0 which demonstrates the framework is still evolving. At this point, however, organizations must achieve the appropriate level based on the sensitivity of the data they handle, whether the organization handles Controlled Unclassified Information (CUI) at Level 2 compliance, or Federal Contract Information (FCI) at Level 1 under CMMC 2.0.
Important Update: Based on recent events, the Final CMMC Rule making process is expected to conclude in 2023. It is more likely to have final rules by early 2024 at this stage. In any case, the perspective of the DoD is that CMMC is ready to roll-out as 2.0, and organizations should not delay implementation at this time. Enforcement is projected to be fast and furious based on information gained from industry experts and those closest to the process. Seriously, act now!
What Steps Are You Taking?
- Identify Your Actual CMMC Requirements: Before overcommitting to a specific level, determine the CMMC level required for your organization imposed by your DoD contracts or partners. While not all contracts have CMMC requirements written in at this time, having a conversation with your DoD partners will reveal what level they’re expecting once compliance is enforced. The majority of groups we’ve encountered fall into the CMMC Level 2 category and you need to take reasonable steps to make a decision on which level to target in compliance, based on contractual obligations and as part of your business’s strategic planning.
- Complete A Cybersecurity Assessment: Posturing your current state of security, as it pertains to CMMC, is of the utmost importance early on. CMMC currently allows a self-assessment opportunity, however, it is expected to instead have an unbiased 3rd party, such as a group with on-staff CMMC certified practitioners, to complete a thorough initial assessment and produce an actionable roadmap for your organization to follow. Choosing a partner who can also provide consulting services and remediation assistance will fast-track your state of readiness before moving into CMMC assessment stages while providing key insight to your CMMC readiness staff.
- Develop Actionable Remediation Plans: With a clear understanding of your organization's current state and the targeted CMMC level, create achievable sprint-based remediation plans. These plans will need to outline the necessary changes, improvements, and investments required to meet the required cybersecurity maturity levels imposed by CMMC. This creates manageable goals that you can directly work on or provide direction to a third party to help you achieve compliance.
- Implement a Security Awareness Training Program: Employees play a critical role in maintaining a secure environment. Provide CMMC aligned cybersecurity training and awareness programs to all personnel, ensuring they understand the importance of compliance and best practices to safeguard sensitive information. In addition to your typical security awareness training options, add a layer of CMMC audit readiness reviews and practice times. This allows your audit staff to know how to answer questions completely and thoroughly when the time comes.
- Focus On Protecting CUI/FCI: Deploy CMMC security controls and best practices to protect CUI, first and foremost. Use this focal point to your advantage when reviewing the controls. There are some resources available to help guide the translation of controls into tangible outputs when implementing the controls. Knowing where your FCI and CUI is, who manages it, and how it moves is incredibly important to this process.
- Perform an Audit-Readiness Gap Assessment: (Yes, a second assessment) Prior to submitting your application for the CMMC assessment with a C3PAO, (Certified Third-Party Assessor Organization), perform an audit-readiness gap assessment. Highlight final remediation, broken down by CMMC controls aligned with NIST 800-171, and push hard on finalizing implementation. Make sure you can demonstrate completeness of the controls through discussion, evidence collection, and ongoing procedures in practice. Perform a mock-audit review with your cybersecurity partners to ensure those who will be sitting in the audit are prepared to answer questions and able to provide evidence easily.
- Spend Extra Time with Remediation: The CMMC assessments do not allow POA&M’s, (Plan of Action and Milestones), to be carried into the audit. Any improvement projects you've created that are meant to remediate findings and close any gaps you have will be deemed inappropriate to have in the assessment.
- Engage with the Community: Staying up to date on CMMC changes is paramount to your success at this stage of the rollout. Connect with the groups and individuals who are both preparing for the assessments, and those who are helping organizations prepare, to gain the most insight into how to achieve CMMC certification.
Pro tip: Partner with security implementation experts that will provide simplified solutions to close the identified gaps. You don’t have to do this alone!
Keep in mind that all parties are still figuring out what CMMC success looks like in the end. Having a clear plan, focusing on key gaps to close, and incrementally improving, is the right way to proceed. Start now, implement the controls with knowledgeable partners, and re-assess your posture to be fully ready.
- Right-size your security controls implementation to create simplified solutions and protect the CUI/FCI first.
- Stay up to date with any changes made to CMMC.
- Break down remediation plans into manageable chunks of work. Stick to completing them well before the audit with the C3PAO.
- Engage in a community of professionals, cybersecurity consulting and solution engineering companies, like Seiso, to support you along the way.
- Assess, remediate, and re-assess. You cannot bring improvement projects into the audit. Everything must be ready for review.