4 Ways to Jumpstart CMMC Compliance
In 2020, the U.S. Department of Defense (DoD) announced its Cybersecurity Maturity Model Certification (CMMC) program. The cybersecurity model was established to standardize cybersecurity across the federal government’s defense infrastructure.
CMMC measures a contractor’s cybersecurity capabilities, focusing on the security of controlled unclassified information (CUI) and federal contract information (FCI) in their possession. The security program applies to more than 300,000 existing contractors and any enterprise seeking to work for the Department of Defense.
The maturity model combines aspects of cybersecurity standards such as NIST, FAR, and DFARS into a single framework. Any organization wanting to do business with the DoD must not only comply but have that compliance certified. As a result, ignoring CMMC compliance could impact a company’s ability to do business with a defense contractor or subcontractor.
Starting your CMMC compliance journey with the following four steps also leaves the enterprise better protected and more resilient against growing cybersecurity risks.
- Understand the CMMC Levels
- Perform a Risk Assessment
- Create a Mitigation and Security Plan
- Conduct an Internal Audit
With these four steps, your business can establish an enterprise-wide system for CMMC compliance and certification.
Understand the CMMC Levels
CMMC separates capabilities into five levels beginning with basic controls and ending with advanced methods to mitigate risk. The five levels are:
- Level 1. Perform designated capabilities at a basic cybersecurity level and safeguard FCI.
- Level 2. Transition to documented processes that can be repeated to protect CUI.
- Level 3. Protect CUI through written plans that demonstrate effective cybersecurity management.
- Level 4. Show the ability to measure effectiveness and take corrective action to protect against advanced persistent threats (APTs).
- Level 5. Optimize standard processes with sophisticated technologies to prevent APTs.
Companies should look over the certification levels to identify which one best matches their business objectives. Although every company should strive to implement the most comprehensive security plan possible, achieving the highest level of cyber protection requires a significant commitment of financial resources. Before committing to a level, consider the following questions:
- What goods and services will be provided to the Defense Department?
- Are the defense contracts essential to operations?
- Is federal contract information or controlled unclassified information already part of doing business?
- Does the company plan to increase its DoD presence?
Once the level of compliance is determined, organizations can look at the security controls and processes needed to pass certification.
Perform a Risk Assessment
Most companies already have some security controls and processes in place. Those in healthcare have HIPAA requirements, and any business that accepts credit cards as a form of payment has PCI DSS standards to follow. Performing a risk assessment can help determine whether these controls are effective and what additional safeguards should be in place.
Data mapping can help identify what CUI is already in use. Mapping involves:
- Finding where all CUI is being stored.
- Determining how CUI is used in daily operations.
It’s essential for CMMC compliance that businesses know when CUI enters the business and what happens to it while in their possession. That may involve third parties such as professional services firms or cloud-based providers. Companies must install security controls to limit CUI access by third parties and determine whether those third parties are in CMMC compliance. If not, organizations will need to require them to become CMMC compliant. If they are unwilling or unable to comply, consider finding replacements.
Develop a Mitigation Plan and System Security Plan
Risk assessments will determine what goes into a Plan of Action and Milestones (POAM) and a System Security Plan (SSP). A POAM is a mitigation plan for cybersecurity risks, and an SSP outlines how security controls will be implemented. Mitigation plans identify how a company plans to improve weak controls and create new processes to control and secure CUI. Reducing the risk probability may involve such actions as:
- Training employees
- Performing due diligence on vendors
- Establishing new policies to restrict access to CUI
- Hardening business continuity plans
- Creating incident response plans
- Devising new procedures to ensure ongoing security testing
Documenting progress is a critical part of a POAM. That information must be available for audit and ongoing maintenance, which will require that a company’s security and IT teams work together to achieve compliance.
An SSP defines a company’s IT environment, including its infrastructure and operational systems. It is a detailed plan for how security controls will be put into place to protect CUI. Because of the level of detail involved, multiple SSPs may be required to address all aspects of a company’s infrastructure. Together, the SSP and POAM are two components that help organizations achieve CMMC compliance.
Conduct Internal Audits
Companies receive certification through external audits performed by certified CMMC assessors; however, internal audits should be performed first to prepare for the external audit. Internal audits can identify weaknesses to be addressed before seeking certification. All qualified assessors must be certified by the CMMC Accreditation Body, a group created for the sole purpose of certifying companies to perform external audits. The cost of an external audit varies according to the assessor.
Failing an external audit is not only costly but also time-consuming: internal resources will be required to correct and strengthen processes, and each repeat external audit costs money. Finding an assessor to perform an audit may also be difficult, as the accreditation process for assessors only began in 2021.
Find a CMMC Compliance Partner
Achieving CMMC compliance can be overwhelming given the hundreds of controls and practices involved. Many of these requirements call for technical solutions. For example, penetration and vulnerability testing are best performed using automated tools. Deploying new technology may be required to meet some requirements, which can be costly if the wrong solution is selected.
Advantage Industries has been serving organizations in and around Washington DC for over 20 years. Our experience has helped commercial enterprises and government agencies deploy new technologies to harden their cybersecurity defenses. As a full-service IT support company, our professional expertise includes managed services, network security, project management, and CMMC assistance. Let us use our experience and expertise to help you achieve CMMC compliance.