What is CMMC Compliance? (With Requirements Audit Checklist)
The U.S. Department of Defense (DoD) has required Defense Contractors to comply with new cybersecurity regulations since 2017 and built the Cybersecurity Maturity Model Certification (CMMC) to verify the Defense Industrial Base (DIB). However, what is CMMC compliance? Many Defense Contractors within the DIB still have the same question despite all the webinars and newsletters the DoD has communicated.
It is apparent that the DoD, the DIB, and other stakeholders continue to speak past each other, and the result is a stalled effort to bring Defense Contractors up to an acceptable level of cybersecurity.
What is CMMC?
So, what does CMMC mean? CMMC is a cybersecurity framework, built on established and accepted standards created by the DoD and the National Institute of Standards and Technology (NIST), that puts protections in place for safeguarding Federal Contract Information (FCI) as well as Controlled Unclassified Information (CUI) shared with Defense Contractors. CMMC can be characterized as a maturity model that provides a pathway for Defense Contractors to implement a secure non-federal computing environment that hosts national security information.
CMMC certification is the result of passing a CMMC assessment and is also intended to serve as a verification mechanism to validate that Defense Contractors are complying with the law. The DoD implemented this program after numerous incidents of data loss by Defense Contractors, and after realizing that self-assessments and attestations were failing and nearly no prime contractors or subcontractors were complying with the regulations.
What is CMMC compliance?
CMMC compliance was previously broken down into five levels. CMMC Level 1 established basic cyber hygiene using the foundational cybersecurity requirements defined in the DFARS 242.204-7012 clause and a subset of requirements derived from NIST SP (Special Publication) 800-171.
CMMC Level 1 was intended to let organizations lay the building blocks to move on to CMMC Level 2 and subsequently to Levels 3, 4, and 5. CMMC Level 2 defined additional CMMC requirements that would mature DIB contractors' ability to protect against cyber threats, which would in turn enhance risk management and resiliency capabilities across the DoD.
Recently, the DoD streamlined the CMMC process and named the result CMMC 2.0. There are many changes to the program, though the most obvious change was the elimination of the old CMMC Levels 2 and 4. Therefore, there are currently only three levels (Levels 1, 2, and 3) under the new CMMC framework.
The new CMMC Level 1 requirements remain unchanged and require only a self-assessment and attestation. CMMC Levels 2 and 3, by contrast, will require CMMC assessments performed by Certified Third-Party Assessment Organizations (C3PAOs). CMMC Level 2 now aligns completely with NIST SP 800-171 and its 110 security controls.
CMMC Level 3 is not yet fully defined, though assessments for this level will be performed by the DoD through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The CMMC framework will become the cybersecurity standard used to safeguard the entire Defense supply chain and to verify that it remains protected. DoD contractors should be aware that they have been required to comply with the DFARS 242.204-7012 clause and NIST SP 800-171 since 2017, when it was written into law.
How to become CMMC compliant?
1. Scope and define your organizational security boundary
Before anything else, you, your team, and your consultants should review your network architecture and services and identify where CUI or FCI is, or could be, stored, processed, or transmitted within your environment. Following the CMMC scoping guide, the DoD would like Organizations Seeking Certification (OSCs) to sort assets into several categories for the purpose of scoping CMMC requirements.
The DoD has outlined 5 asset categories, which include the following:
Controlled Unclassified Information Assets
These assets are allowed to work with CUI and will be assessed against CMMC requirements.
Once you have identified and categorized all assets, it will be clear which assets require the NIST 800-171 controls to be implemented. At this point you can also consider network segmentation and other isolation strategies to separate the assets that you do not intend to, or cannot, use with CUI.
This isolation will help minimize your audit scope and the level of effort needed to achieve CMMC compliance. Finally, you also have to determine which CMMC level you want to comply with. For instance, if you currently have no CUI, you may only want to focus on achieving CMMC Level 1. However, if you have future contracts, or your prime contractor requires you to be prepared for CUI, you may need to focus on preparing for CMMC Level 2.
2. Identify and review CMMC compliance requirements your organization needs to meet
Now that you have identified which CMMC level you need to achieve, your team should begin to get familiar with the NIST 800-171 controls. NIST 800-171 is derived from the NIST 800-53 control catalog, which has been in use within the DoD for quite a while. We are confident that implementing these controls is possible because they have been implemented by Defense Contractors and DoD agencies in the past.
During your review, if you are confused or a requirement isn't clear enough, please consult our NIST 800-171 to 800-53 mapping so that you can look up the underlying 800-53 control for further explanation and implementation suggestions.
3. Create your System Security Plan (SSP)
As part of developing your CMMC program, you, your team, and your service providers will develop an SSP that lays out implementation statements describing how you intend to meet each control for every in-scope asset that will be assessed. The SSP is required, and it is the vital document an assessor needs in order to evaluate your compliance program.
Without a detailed SSP, an assessor has no way of assessing your organization, and you have no plan for how to implement the appropriate security controls on your end. Since 2017, all DoD contracts, with a few exceptions, have been required to have an SSP under the DFARS 7012 clause. Both small and large businesses are strongly encouraged to create and use this document as a roadmap, since it is what you will be assessed against.
Taking a proactive approach by designing solutions around the requirements in the SSP will save you time and money by avoiding unnecessary technology and consulting purchases.
4. Implement your security implementation statements
After you have described how you will achieve each control and identified the process, technology, and/or facility resource you will use to accomplish it, break those items into smaller micro-projects, or use an agile process, and organize the tasks into 2 to 3 week sprints. You then work through these tasks with the resources you have available.
This is a good methodology because it allows you to do resource planning and, more importantly, to find your resource constraints. We often hear from IT Directors and Chief Information Officers that executive leadership wants to move quickly; however, there is a lack of understanding of the level of effort it will take and of the resource capacity within their own organization.
This phase is crucial because it creates focus and helps gain buy-in from leadership and stakeholders when it comes to resourcing and prioritization.
Your internal assessors should begin putting together an assessment plan describing how each control will be evaluated. This should be done annually, producing an annual security assessment report. This is a requirement under NIST 171 and a best practice for maintaining your compliance program.
Internal assessors should follow the NIST 800-30 publication “Guide for Conducting Risk Assessments” practices using the examine, inspect, and test methodology for each control.
A completed security assessment report should look something like this example. During your assessment phase, to make the best use of time, you should be working with your IT and engineering teams to describe weaknesses and failures and to document the remediation(s) in the form of a Plan of Action & Milestones (POA&M).
Remediation at this phase should be fairly straightforward, since you have already described what the gap is and how you intend to fix it. Just as you did for the implementation phase, organize these POA&Ms into logical sprints and assign them to appropriate and available resources.
Once all remediation actions are complete, have your internal assessors verify and document the corrective action in a revised security assessment report, so that the change is recorded and change controls are shown to have been followed.
7. Seek and Prepare for a Third-party Assessment
Congratulations, it has been a long road and you are finally ready. Organizations seeking a third-party assessment will need to hire a Certified Third-Party Assessment Organization (C3PAO) that has been approved by the CMMC Accreditation Body (CMMC-AB). Please read here on how to prepare for a CMMC certification.
Need CMMC compliance support?
As the world’s threats evolve, so too must the world’s defenses. To meet these growing threats in a manageable and cost-effective way, Hyper Vigilance has created tailored solutions designed to fill the gaps in your company’s cybersecurity setup and get you prepared to become CMMC compliant.
Get in contact with our CMMC consultants at Hyper Vigilance for a free cybersecurity consultation and download our CMMC audit checklist below to get your business on the right path towards CMMC compliance.
Download our free CMMC compliance checklist
CMMC implementation can be difficult and time consuming for many organizations, regardless of the maturity level you are trying to achieve. Please download our rapid CMMC checklist to evaluate your CMMC Level 1 and 2 readiness.
Hyper Vigilance was the right choice to guide us through the cybersecurity process as we attempt to grow the business. They provide excellent service and we continue to look forward to working with the Hyper Vigilance team. We are very grateful for how they simplified the entire process and the efficiency during the transition to a secure platform!
Hyper Vigilance moved us from negative NIST score to almost full compliance in less than 1 month. The team is experienced, quick, efficient and works to find the best solution to maintain business operations while keeping security at maximum level. Communication and issue resolving is fast. Highly recommended.
We are required to comply with NIST 171 and CMMC to remain competitive for defense contracting, so we sought and received several quotes from reputable companies, and Hyper Vigilance was the top choice. They offered a higher level of assistance compared to others that were more expensive. The professionals at Hyper Vigilance have proved to be very knowledgeable, responsive, professional, and customer focused. The support they provide is very comprehensive and flexible, and they have executed several innovative options/solutions to achieve our goal. Their technical professionals are always on the clock and are very responsive.