Since the initial announcement of CMMC, suppliers working in federal supply chains have been anxious to take the steps required to achieve CMMC compliance. Unfortunately, it's been a "hurry up and wait" situation.
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has started authorizing Certified 3rd Party Assessor Organizations (C3PAOs). As more candidate C3PAOs become authorized C3PAOs, Organizations Seeking Certification (OSCs) will be able to step up their compliance efforts and schedule a CMMC assessment.
The process to achieve CMMC compliance is as follows.
CMMC Compliance Checklist
- Evaluate your readiness for a CMMC assessment by a C3PAO.
- Perform remediation to fix the gaps in compliance.
- Hire a C3PAO to perform a CMMC assessment of your company.
1. Evaluate Your Readiness for a CMMC Assessment by a C3PAO
Your first step on the path to CMMC compliance is to take stock of the "as is" IT environment — the current security in managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). You can perform a self-assessment or hire an outside consulting company to do this for you.
1.1 CMMC Levels
The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality.
The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding of information at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Level 4 and Level 5.
It is expected that most small businesses will need to meet either the Level 1 or the Level 2 controls of CMMC.
CMMC Level 3 maps directly to NIST SP 800-171: it contains all 110 NIST SP 800-171 requirements plus 20 additional practices.
NIST SP 800-171, which DoD contractors were required to implement by December 31, 2017 under DFARS clause 252.204-7012, is the foundation for CMMC. Both NIST SP 800-171 and CMMC were created to strengthen the cybersecurity defenses of the Defense Industrial Base (DIB).
| Level | Focus | Processes | Practices |
|---|---|---|---|
| Level 1 | Safeguard Federal Contract Information (FCI) | Performed: practices are carried out but need not be documented | Basic Cyber Hygiene: 17 practices, equivalent to the FAR 52.204-21 safeguarding requirements |
| Level 2 | Transition step in cybersecurity maturity progression to protect CUI | Documented: policies and procedures for each domain are written down | Intermediate Cyber Hygiene: 72 practices (cumulative), including a subset of NIST SP 800-171 |
| Level 3 | Protect CUI | Managed: a plan is established and maintained for each domain | Good Cyber Hygiene: 130 practices (cumulative), all 110 NIST SP 800-171 requirements plus 20 additional practices |
| Level 4 | Protect CUI and reduce risk of Advanced Persistent Threats (APT) | Reviewed: past practices are reviewed for effectiveness, and higher-level management is notified of status or issues on a periodic basis | Proactive: 156 practices (cumulative), adding a subset of draft NIST SP 800-171B (since published as NIST SP 800-172) and enhanced detection and response capabilities |
| Level 5 | Protect CUI and reduce risk of APTs | Optimizing: the organization takes corrective action to standardize and improve process implementation across the organization | Advanced/Progressive: all 171 practices, increasing the depth and sophistication of cybersecurity capabilities |
1.2 CMMC Requirements
The CMMC practices are grouped into 17 domains. Fourteen of them correspond to the requirement families of NIST SP 800-171; Asset Management, Recovery, and Situational Awareness are additional.
1. Access Control (AC)
2. Asset Management (AM)
3. Audit and Accountability (AU)
4. Awareness and Training (AT)
5. Configuration Management (CM)
6. Identification and Authentication (IA)
7. Incident Response (IR)
8. Maintenance (MA)
9. Media Protection (MP)
10. Personnel Security (PS)
11. Physical Protection (PE)
12. Recovery (RE)
13. Risk Management (RM)
14. Security Assessment (CA)
15. Situational Awareness (SA)
16. Systems and Communications Protection (SC)
17. System and Information Integrity (SI)
1.3 Determine the CMMC Level of Compliance You Will Need to Meet
Typically, prime contractors are notified by the Department of Defense (DoD) directly that they need to comply with CMMC. Flow-down clauses within the contract stipulate that any subcontractors of the prime also need to comply.
The DoD is phasing in CMMC on top of the existing NIST SP 800-171 requirement through the DFARS interim rule, and by 2026 all new DoD contracts will require CMMC. CMMC requirements will not be inserted into existing contracts.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
If there are future contracts for which you plan to bid, you will want to be certified to the level of cybersecurity required by the contract, RFI, or RFP. You can also base your decision as to which level to certify on internal business goals.
Most companies seeking CMMC compliance will only need to be certified to Level 1, 2, or 3. Very few companies will need to meet CMMC security requirements for Levels 4 or 5. The CMMC-AB expects that 60% of the assessments performed will be for Level 1.
1.4 Refer to the CMMC Publications Issued by the Government
You can refer to the CMMC model itself, issued by the Department of Defense. Version 1.0 was released on January 31, 2020, and minor updates were made on March 18, 2020, with the release of Version 1.02. The appendices to the CMMC model provide a matrix mapping out every process and practice by level.
The Office of the Under Secretary of Defense for Acquisition & Sustainment, OUSD(A&S), has also provided the following helpful material:
- A spreadsheet listing the CMMC requirements for each of the five levels
1.5 Hire a Consulting Company to Prepare You for a CMMC Assessment
You can hire an outside company, such as Corserva, to perform a pre-assessment of your IT environment and determine your CMMC readiness.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to DoD contractors and other Organizations Seeking Certification (OSC).
Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts. These are the steps we follow:
- Identify the relevant requirements of CMMC you will need to meet.
- Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
- Create a list of remediation steps you will need to take before hiring a C3PAO to perform a CMMC assessment.
The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.
Get started today by requesting a quote.
2. Perform Remediation to Fix the Gaps in Compliance
Once you have performed an assessment of your company's compliance to the desired level of CMMC, you will have a list of CMMC practices that you are currently not meeting.
Keep in mind that, unlike NIST SP 800-171 compliance under DFARS 252.204-7012, where open items could be tracked in a Plan of Action and Milestones (POA&M), CMMC requires every practice at your target level to be fully implemented at the time of the assessment.
So you can create documents such as System Security Plans (SSP) and POA&Ms to help you with planning, and a C3PAO will expect to see them. But creating these documents is not sufficient to achieve CMMC compliance; the deficiencies they describe must actually be closed.
2.1 Process Changes and Technology Changes
When protecting CUI, processes are just as important as technology. It is likely your list of remediation steps will include process changes to be made as well as technology changes.
You should take a lifecycle approach to security where you define your security policies and specify approved procedures to manage CUI within an IT platform.
Moving forward, you need to make sure you are monitoring and validating the IT systems, then periodically perform a management review. Create a plan to make sure you stay in compliance.
Because of Corserva's experience in IT consulting, we can make specific technology recommendations to you as to the most effective way to correct deficiencies, saving you time and money on CMMC compliance.
In addition, there are several best practices that will guide you on the road to CMMC compliance.
2.2 Isolate CUI
Since CMMC focuses on the protection of CUI, it makes sense to limit the exposure.
Determine where you currently store CUI within your company and its systems. Look for ways to reduce the amount of CUI you have. If a prime contractor or other contractor sends you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.
The less CUI you have, the easier it will be to protect it.
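The first step above, finding where CUI actually lives, is easier when files carry the CUI banner and portion markings the originator is supposed to apply. The following scanner is an added example written for this article (it is not Corserva's tooling); it walks a directory tree, flags plain-text files whose banner line is "CUI" or "CONTROLLED" (optionally followed by "//" category markers) or that contain "(CUI)" portion markings, and returns them grouped by location so you can decide what to consolidate or delete. The sample files it creates are constructed for the demonstration, and the text-only file list is an assumption; real file shares would also need .docx and .pdf readers.

```python
"""Locate files that carry CUI banner or portion markings.

Added illustration for this article; not Corserva's or the DoD's tooling.
Only marked CUI is found: unmarked CUI needs interviews and data-flow review.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Banner line: "CUI" or "CONTROLLED", optionally "//" plus category/dissemination
# markers such as "CUI//SP-CTI" or "CUI//SP-EXPT//NOFORN" (marker set assumed).
BANNER = re.compile(r"(?:CUI|CONTROLLED)(?://[A-Z0-9/-]+)?")
# Portion marking at the start of a paragraph: "(CUI)" or "(CUI//SP-CTI)".
PORTION = re.compile(r"\(CUI(?://[A-Z0-9/-]+)?\)")
# File types read as text in this example (assumption; extend for your estate).
TEXT_EXTS = {".txt", ".md", ".csv", ".log"}


@dataclass
class Finding:
    path: str            # POSIX path relative to the scan root
    banners: list[str]   # distinct banner lines found, in order of appearance
    portions: int        # number of "(CUI...)" portion markings


def classify_text(text: str) -> tuple[list[str], int]:
    """Return (distinct banner lines, portion-marking count) for one document.

    A line is a banner only if the *whole* line is the marking, so prose that
    merely mentions "CUI" (e.g. a training reminder) is not flagged.
    """
    banners: list[str] = []
    portions = 0
    for raw in text.splitlines():
        line = raw.strip()
        if BANNER.fullmatch(line):
            banners.append(line)
        elif PORTION.match(line):
            portions += 1
    return list(dict.fromkeys(banners)), portions


def scan_tree(root: Path) -> list[Finding]:
    """Walk `root` and report every text file carrying CUI markings."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTS:
            continue
        banners, portions = classify_text(
            path.read_text(encoding="utf-8", errors="ignore"))
        if banners or portions:
            findings.append(
                Finding(path.relative_to(root).as_posix(), banners, portions))
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a small constructed file set (not real data) to try the scanner on."""
    (root / "contracts").mkdir(parents=True, exist_ok=True)
    (root / "shared").mkdir(exist_ok=True)
    (root / "contracts" / "sow.txt").write_text(
        "CUI//SP-CTI\n\nStatement of work for widget assembly.\n\nCUI//SP-CTI\n")
    (root / "contracts" / "drawing-notes.txt").write_text(
        "CONTROLLED\n(CUI) Tolerance on bore: +/-0.01 mm\n"
        "(CUI) Material: alloy per drawing\n(U) Ship in wooden crate.\n")
    (root / "shared" / "lunch-menu.txt").write_text("Menu for Friday\nPizza\n")
    # Mentions CUI in prose but carries no marking: must not be flagged.
    (root / "shared" / "memo.txt").write_text(
        "Reminder: the CUI training is on Tuesday.\n")


def run_demo() -> dict[str, tuple[list[str], int]]:
    """Build the sample tree in a temp dir, scan it, return {path: (banners, portions)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {f.path: (f.banners, f.portions) for f in scan_tree(root)}


if __name__ == "__main__":
    by_dir: dict[str, list[str]] = {}
    for rel, (banners, portions) in run_demo().items():
        by_dir.setdefault(rel.rsplit("/", 1)[0], []).append(
            f"{rel}  banners={banners} portions={portions}")
    for directory, entries in sorted(by_dir.items()):
        print(f"[{directory}]")
        for entry in entries:
            print("  " + entry)
```

Run it on a real share by replacing `run_demo()` with `scan_tree(Path("/path/to/share"))`; the grouped output is the starting inventory for the "reduce the amount of CUI" discussion with your primes, since every directory it lists is one that must fall inside the assessed boundary.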
2.3 Use FIPS Encryption
Wherever cryptography is used to protect the confidentiality of CUI, at rest or in transit, CMMC (practice SC.3.177, mirroring NIST SP 800-171 requirement 3.13.11) requires FIPS-validated cryptography.
A FIPS-validated cryptographic module has been tested and certified under the Cryptographic Module Validation Program (CMVP) run by the National Institute of Standards and Technology (NIST). NIST maintains a searchable list of validated modules; use it to verify the specific module, version, and operating environment a product relies on, because the certificate covers only that combination. Note also that a validated module protects CUI only when it is actually operating in FIPS mode; a product that ships a validated module but runs it in its default, non-FIPS configuration does not meet the requirement.
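A validated module that is not switched into FIPS mode is the most common way this requirement is failed in practice, so it is worth checking each host rather than trusting the vendor's data sheet. The script below is an added example written for this article, not NIST or Corserva tooling: it reads the Linux kernel switch (`/proc/sys/crypto/fips_enabled`), the Windows `FipsAlgorithmPolicy\Enabled` registry value, and the provider list printed by `openssl list -providers` on OpenSSL 3, and combines them into a verdict. The two provider listings embedded in it are constructed samples, and the rule that the OpenSSL `default` provider must not be loaded alongside `fips` is a simplification: if `default` is loaded, non-approved algorithms remain reachable unless applications also set the `fips=yes` property.

```python
"""Is this host's cryptography actually operating in FIPS mode?

Added illustration for this article; not NIST or Corserva tooling.
Evidence sources: Linux kernel FIPS flag, Windows FIPS policy registry value,
and the OpenSSL 3 provider listing. Each source is parsed by a pure function so
the logic can be exercised on captured output without root or a FIPS host.
"""
from __future__ import annotations

import platform
import re
import subprocess
from pathlib import Path

LINUX_FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")  # "1" when kernel FIPS mode is on
WINDOWS_FIPS_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"  # DWORD "Enabled"

# Constructed sample outputs of `openssl list -providers` (OpenSSL 3 format).
SAMPLE_LISTING_FIPS = """Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.7
    status: active
"""
SAMPLE_LISTING_DEFAULT = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
"""


def parse_fips_flag(text: str | None) -> bool | None:
    """Interpret /proc/sys/crypto/fips_enabled; None when the file is absent."""
    return None if text is None else text.strip() == "1"


def parse_openssl_providers(listing: str) -> dict[str, str]:
    """Parse `openssl list -providers` into {provider_identifier: status}."""
    providers: dict[str, str] = {}
    current: str | None = None
    for line in listing.splitlines():
        ident = re.fullmatch(r"\s{2}(\S+)", line)        # two-space indented identifier
        if ident:
            current = ident.group(1)
            providers[current] = "unknown"
            continue
        status = re.fullmatch(r"\s+status:\s*(\S+)", line)
        if status and current:
            providers[current] = status.group(1)
    return providers


def fips_status(kernel_flag_text: str | None, openssl_listing: str,
                windows_enabled: bool | None) -> dict[str, bool | None]:
    """Combine raw evidence into named facts about the host."""
    providers = parse_openssl_providers(openssl_listing) if openssl_listing else {}
    os_switch = windows_enabled if windows_enabled is not None else parse_fips_flag(kernel_flag_text)
    return {
        "os_fips_mode": os_switch,
        "openssl_fips_provider_active": providers.get("fips") == "active",
        "openssl_default_provider_active": providers.get("default") == "active",
    }


def is_fips_only(status: dict[str, bool | None]) -> bool:
    """Verdict: OS switch on, fips provider active, default provider not loaded.

    Assumption (simplification): with the default provider loaded, non-approved
    algorithms such as MD5 or ChaCha20 stay reachable unless every application
    sets the fips=yes property, so it is treated as a failure here.
    """
    return (bool(status["os_fips_mode"])
            and bool(status["openssl_fips_provider_active"])
            and not status["openssl_default_provider_active"])


def collect_local() -> dict[str, bool | None]:
    """Gather the same evidence from the running host (Linux or Windows)."""
    kernel_text = LINUX_FIPS_FLAG.read_text() if LINUX_FIPS_FLAG.exists() else None
    windows_enabled: bool | None = None
    if platform.system() == "Windows":
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_FIPS_KEY) as key:
                windows_enabled = winreg.QueryValueEx(key, "Enabled")[0] == 1
        except OSError:           # key absent: policy never enabled
            windows_enabled = False
    try:
        listing = subprocess.run(["openssl", "list", "-providers"],
                                 capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:     # no OpenSSL CLI on PATH
        listing = ""
    return fips_status(kernel_text, listing, windows_enabled)


if __name__ == "__main__":
    local = collect_local()
    for fact, value in local.items():
        print(f"{fact}: {value}")
    print("FIPS-only posture:", is_fips_only(local))
```

Run it as part of your pre-assessment evidence gathering and keep the output with the CMVP certificate number for the module in use; an assessor will want both the certificate and proof that the mode is switched on.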
2.4 Avoid the Shopping Cart Approach
It can be tempting to purchase a compliance tool as a quick solution. But the best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.
Use caution before purchasing any type of self-analysis tool intended to identify gaps in your CMMC compliance. A survey version of the documents already provided by the government won't help you if you don't have the expertise in-house to use the tools.
2.5 Hire an IT Consulting Company to Perform Remediation
Once you have determined what remediation needs to take place before your CMMC assessment, you can hire an outside IT company, such as Corserva, to execute the process and technology changes needed.
Request a quote for CMMC consulting services to get ready for a CMMC assessment.
3. Hire a C3PAO to Perform a CMMC Assessment
Companies working in federal supply chains achieve CMMC compliance by passing a CMMC assessment. These assessments can only be performed by Certified 3rd Party Assessor Organizations (C3PAOs).
C3PAOs are authorized by the CMMC-AB to perform assessments.
Unlike NIST SP 800-171 under DFARS 252.204-7012, which relies on contractor self-attestation, CMMC offers no self-attestation option. You cannot achieve CMMC certification on your own.
3.1 Research and Hire a C3PAO
The CMMC-AB Marketplace lists C3PAO companies. Only the companies listed here as authorized C3PAOs are approved by the CMMC-AB to perform assessments.
Companies listed in the CMMC-AB Marketplace as candidate C3PAOs have begun the process to become an authorized C3PAO, but not yet completed the process.
Use the CMMC-AB Marketplace to research potential C3PAOs. Only hire a C3PAO that is listed as an authorized C3PAO on the Marketplace.
The CMMC-AB is the only organization that can qualify a C3PAO to perform CMMC assessments. Note that the CMMC-AB does not perform assessments directly. Instead, C3PAO companies are certified by the CMMC-AB to perform assessments.
Your company, as the Organization Seeking Certification (OSC), hires the C3PAO to perform your CMMC assessment.
The cost for a CMMC assessment will depend upon several factors including to which level the certification is needed and complexity of your IT infrastructure.
The DoD has provided estimated assessment costs, as part of the Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.
3.2 CMMC Assessment Process
Once you've hired a C3PAO company, you will schedule the assessment with the C3PAO.
The process for a CMMC assessment is as follows:
- Hire a C3PAO to perform the assessment.
- The C3PAO performs the assessment of your company.
- The C3PAO creates an assessment report.
- If there are no deficiencies, the C3PAO issues a CMMC certificate.
- The C3PAO submits a copy of the assessment report and CMMC certificate to the DoD. The CMMC certificate is valid for three years.
- Once the C3PAO submits the CMMC certificate to the DoD, your requirement for CMMC compliance has now been met.
To be eligible for a contract, your CMMC certification will be needed at the time of the award.
There are no fines for non-compliance; however, you will be unable to participate in DoD contracts.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO)
Corserva can prepare you for a CMMC assessment by a C3PAO, greatly reducing your costs and efforts to achieve CMMC compliance.
Pre-assessment readiness services
Technical remediation to correct gaps in compliance
Customized security programs
Get started today. Talk to a CMMC compliance expert by requesting a quote for CMMC consulting.