If you contract with the U.S. Department of Defense—or if you plan to in the future—you need to be aware of Cybersecurity Maturity Model Certification (CMMC). This DoD initiative will soon become a requirement for all contractors. Announced in 2019 and updated in 2021 (CMMC 2.0), this model safeguards sensitive government information by requiring contractors to implement enhanced cybersecurity practices.
So what is CMMC compliance, and what do you need to do to prepare?
What Is CMMC Compliance?
The CMMC framework identifies different levels of cybersecurity maturity. Your level will depend on the sensitivity of the information you handle. The more sensitive the information, the greater the cyber maturity you’re expected to demonstrate.
Conduct a Gap Analysis
Once you know the requirements you’ll face, you can find the gaps in your security. CMMC requires advanced cybersecurity practices, and most contractors will have significant gaps to fill before becoming compliant.
But it’s about more than just filling the gaps. You should expect to demonstrate these requirements as persistent, habitual behaviors.
Third-party assessors typically consider two or three forms of evidence: documentation, interviews, and testing. When supplying documentation, organize it well before the assessment date. This will help the assessor develop a better understanding of your compliance. It also helps you demonstrate process maturity, and the time saved can lower the cost of your assessment. The more prepared you are, the more efficient an auditor can be, which makes the audit faster and less expensive.
The assessor will check for things like the creation dates of your policies, and any information on procedural updates. The assessor will also want to see how you communicate these within your organization.
Contractors can save time and reduce costs by providing documentation to the assessor in advance of the assessment date.
Execute a Mock Review
Once you’ve completed your gap analysis, you can execute a mock CMMC assessment to test your readiness. An experienced, registered provider organization (RPO) like Core Business Solutions should handle this process.
A mock review provides several benefits, including:
- Enabling a trained professional to examine your compliance status.
- Verifying the appropriate handling and classification of CUI and FCI.
- Identifying any remediation steps to consider before certification.
- Assuring you of readiness for the formal CMMC assessment process.
Implement the Necessary Remediation Steps
Once you’ve identified areas of non-compliance through your gap analysis and mock audit, it’s time to remediate (cybersecurity speak for “fix” or “remedy”) the problems you found. A service provider like Core Business Solutions can provide cost-effective remediation assistance to fit your business.
A well-crafted remediation plan sets a realistic timeline for the required fixes, and it outlines the estimated cost for each one. This will help you set priorities and figure out what tools, training, and resources you need.
Thoroughly document your compliance efforts as you formalize your processes and controls, enhancing your preparedness for the formal assessment.
The CMMC Assessment Process
Unless your organization can self-attest, you’ll need to hire a C3PAO (Certified Third-Party Assessment Organization) to conduct your formal CMMC assessment.
Assessment will typically begin with an introductory session. The assessor will meet with your designated stakeholders to provide an overview of the process and outline the expectations.
The assessment may take a full day or more to complete. The assessor will evaluate your practices against each applicable CMMC guideline. Your organization will receive a pass or fail grade for each area.
After completing the assessment, the assessor will prepare a recommendation report. The assessor will then discuss these findings with you and your organization before sending them to the CMMC-AB for approval.
The CMMC-AB will conduct a final quality assurance review before you receive your certification. The certification lasts for three years.
What Are the 3 Levels of CMMC?
The original CMMC model contained five cybersecurity maturity levels, which the DoD downsized to three. The updated version no longer requires a third-party assessment for companies that only need Level 1 maturity.
The three levels of CMMC are as follows:
- Level 1: Foundational. This CMMC level applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
- Level 2: Advanced. This CMMC level applies to contractors who handle CUI. A third-party assessment will almost certainly be required.
- Level 3: Expert. Only a handful of defense contractors will need to comply with this specialized cybersecurity maturity level.
For a breakdown of the difference between FCI and CUI, see our previous article.
How Do I Become CMMC Compliant?
Level 1 contractors must meet the requirements and submit a self-assessment score to the SPRS (Supplier Performance Risk System). This score must be affirmed by top management at the company. Contractors should take this self-assessment seriously. With the new Civil Cyber-Fraud Initiative from the Department of Justice, the federal government severely fines contractors who submit false cybersecurity claims.
Most Level 2 contractors must undergo an independent assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). The CMMC Accreditation Body (CMMC-AB) has authorized these entities to handle the task.
When CMMC 2.0 was first announced, it appeared that some Level 2 contractors would no longer require a third-party assessment. But it has become apparent that such cases will be exceedingly rare—if any will exist at all.
The Preparation for CMMC Checklist
If you require CMMC compliance, you might be wondering where to start. This preparation checklist can help you avoid common pitfalls along the way.
Determine the Appropriate Certification Level
Most organizations will require either Level 1 or Level 2 certification. But how do you know which one applies to you?
Determine whether or not you handle CUI, and if so, where it exists in your processes. If you handle CUI, you will require at least Level 2. If you don’t, you likely only require Level 1.
Once you know where FCI and CUI exist in your processes, you can separate those processes from the rest of your workflow to limit the scope of your CMMC project. This makes the whole process simpler and cheaper—now you only need to secure one enclave, rather than securing your entire business.
Start by identifying the people, processes, and technologies that interact with FCI and CUI. Creating a data flow chart can help.
Look ahead at the requirements you’ll face.
If you need to achieve Level 1 certification, you’ll need to meet 17 Federal Acquisition Regulation (FAR) requirements.
If you need to achieve Level 2, you’ll need to meet all 110 practices of NIST SP 800-171. These are the same requirements that have already existed for DoD contractors as part of DFARS. NIST SP 800-171 is the basis for calculating your SPRS (Supplier Performance Risk System) score. You can think of these NIST requirements as your CMMC compliance checklist.
You should also figure out who in your organization will manage this process. Appoint an executive sponsor — an individual responsible for overseeing, executing, and maintaining all CMMC activities. If you have an IT department, they should also be involved.
Creating a Secure Environment
Your CUI and FCI need to exist in an environment that meets CMMC requirements. One simple way to do this: use a cloud service. Make sure your provider meets all Federal Risk and Authorization Management Program (FedRAMP) guidelines. FedRAMP provides a systematic, standardized approach to cloud service security authorizations.
Cloud-based solutions like CORE Vault come ready-made for CMMC compliance, allowing you to handle sensitive information through a virtual desktop accessible from almost any device. For many contractors, this is the simplest, most effective path to compliance.
What Happens If You Fail a CMMC Assessment?
CMMC certification calls for advanced cyber protections. If you’re not working with CMMC experts to supply the right technical solutions, there’s a chance of failing your initial assessment. If the CMMC-AB declines to certify your organization, you will have 90 days to take corrective measures and resubmit the additional evidence for review. If you’re in this situation, Core Business Solutions can help.
The CMMC-AB will clearly identify areas of non-compliance, but it will not provide recommendations for making the necessary corrections.
Core Business Solutions Can Help With Your CMMC Certification Needs
As a CMMC-AB Registered Provider Organization (RPO), Core Business Solutions is fully qualified to assist you with the CMMC certification process. We recognize that most contractors don’t have the time, resources, or familiarity with the complicated guidelines to navigate CMMC on their own. Our solutions simplify compliance, removing the burden from your shoulders so you can focus on your business.
Our CORE Vault™ gives you everything you need to achieve CMMC certification in one cloud-based solution. This cloud-based enclave comes ready-made to store and share FCI/CUI in a compliant environment. You will also receive the CORE Security Suite, including automated forms, customizable policy templates, and a score calculator to assess your readiness level. Our CMMC experts will provide all the support you need for full compliance.
Get started today!