Update: As of November 2021, the requirements of CMMC v1.0 have been replaced by the requirements of CMMC v2.0. The article below outlines the requirements for CMMC Level 3 under CMMC v1.0. In the updated requirements, most contractors who previously required this level will now require CMMC v2.0 Level 2. Learn more about the updated model.
With CMMC assessments just around the corner, it’s time to start preparing for certification. If you contract with the Department of Defense (DoD), these cybersecurity regulations will apply to you. We’ve already looked at the best practices to prepare for CMMC Level 1. But what if your company requires CMMC Level 3?
At Core Business Solutions, we help small business across America achieve cybersecurity. Here are our tips to prepare for CMMC Level 3 assessment.
What is CMMC Level 3?
CMMC Level 3 applies to all DoD contractors who handle Controlled Unclassified Information (CUI). This is technical information provided by, or created for, the DoD.
This level of CMMC contains 130 security practices across 17 domains. 110 of these practices come from the previous requirements of NIST SP 800-171. The others are unique to CMMC.
You can divide these practices into two basic categories: technical controls and organizational controls.
Organizational Controls make up 40% of the requirements. These require management involvement. They include policies, plans, training, monitoring, and other non-technical controls like visitor logs and door locks.
Technical Controls make up the other 60%. This is where IT gets involved. Here, we move beyond what most small businesses can handle on their own. These controls involve network protection, encryption, and other specialized aspects of cybersecurity.
But remember: CMMC isn’t just about controls. It’s about process maturity.
To receive Level 3 certification, you must show these practices aren’t just performed and documented, but also managed. You might have all the right practices in place. But if your assessor doesn’t see you managing those practices, you won’t achieve Level 3.
Does CMMC Level 3 Apply to Me?
If you handle CUI, you require at least CMMC Level 3. However, government contracts don’t clearly label this information, so it can be difficult to identify.
As a rule of thumb: If it describes the technical aspects of a product or system, it’s CUI. Common examples include engineering data, technical drawings, and information systems vulnerability information. Read more about identifying CUI.
Another good rule of thumb: Look for a reference to DFARS 252.204-7012 in your contract. If you see this clause, then you handle CUI, and you will require CMMC Level 3.
Still not sure if you’ll require Level 3? We have an entire article to help you figure out which CMMC level is right for you.
Preparing for CMMC Level 3 Assessment
Level 3 preparation breaks down into four stages.
If you have DFARS 252.204-7012 in your contract, you’re required to perform a cybersecurity self-assessment based on NIST SP 800-171. Then you must submit your score to the Supplier Performance Risk System (SPRS).
This self-assessment will show you the gaps in your CMMC compliance. It will also help you define the scope of your project. How much work is there to do? How much information do you have to protect? With a thorough self-assessment, you can answer those questions.
Get management involved from the beginning. Remember: CMMC isn’t just about IT. Organizational controls make up nearly half of Level 3 requirements. These controls require policies and procedures backed by the authority and vision of top management. That leadership is an essential part of achieving CMMC.
At Core Business Solutions, we walk our clients through this guided self-assessment using our automated tools in the CORE Compliance Platform. Learn more about achieving CMMC with CORE.
This is where you create your Plan of Action and Milestones, or POAM. Your POAM documents what you need to do, what milestones you must achieve, and when you plan to achieve them.
At this stage, you also determine the scope and budget of your project. Your scope plays the biggest part in determining cost. If you can decrease the size and complexity of your project, you can decrease your overall budget.
Remediation means fixing (or “remedying”) the gaps in your compliance. Here, you make the actual upgrades to your policies, processes, and systems.
In addition to technical upgrades, you’ll also implement employee awareness training and security management reviews. These management reviews will be an ongoing part of your CMMC compliance.
Overall, this is the stage where your planning turns into action. This is also where you encounter the bulk of CMMC costs.
Before the actual third-party assessment, conduct a review. Think of this like the internal audit in ISO 9001. This is a practice run to make sure you’re ready for official assessment.
Remember to maintain your System Security Plan (SSP) and POAM, and to continue your regular security management reviews. Involve your employees in this process.
All together, these four stages should take between six and twelve months. Depending on the complexity of your business, it could take longer. But with these stages complete, you’re ready for an official assessment.
What Will an Assessor Look For?
When your official assessment takes place, you will need to demonstrate three primary things:
1. Demonstrate adequate protection of CUI. Your security practices should be up and running, doing their job to protect information.
2. Demonstrate effective compliance with all 130 practices. Your assessor doesn’t just want to see compliance. Your assessor wants to see maturity. The assessment will examine:
-How well you document the practices.
-How you follow the documentation.
-How you’ve implemented it.
-How you practice it.
-If you repeat it.
3. Demonstrate that your policies aren’t just a check-box. Security should become part of your company culture. The assessor will want to see your policies actively demonstrated, in place and in use.
CMMC is about maturity. You can’t wait to prepare until the last minute. Your assessor will want to see a working, mature system in place.
How Core Can Help
At Core Business Solutions, we specialize in helping small businesses achieve cybersecurity. We provide the tools, training, and consulting to make CMMC work for any company. We provide the assessment tools to help you discover your needs and the technical solutions to meet them.
As a Registered Provider Organization with the CMMC Accreditation Board, we’re an officially-recognized source of CMMC consulting and solutions. We also have a growing number of CMMC Registered Providers on staff, officially trained to help you implement the requirements.
Here’s a look at how Core Business Solutions can help your business:
- Our Registered Practitioner consultants help you learn the requirements of CMMC and apply them to your specific context.
- We provide online training for your leadership, staff, and IT professionals.
- We assist your company in preparation for the third-party certification audit.
- For CORE subscribers, we deliver the technical security solutions required for certification, such as vulnerability scanning, penetration testing, managed antivirus, and more.
- For CORE subscribers, we offer onsite and cloud-based network solutions for entire networks and separate enclaves.
Ready to start preparing for CMMC Level 3? Get a free quote today.