If you’re in the business of selling or providing services/goods to the United States Department of Defense (DoD), it’s essential that you familiarize yourself with CMMC and establish a readiness checklist.
The DoD has been concerned with safeguarding controlled unclassified information, often known as CUI, in its supply chain for some time. Contractors were working to implement CMMC Version 1.0 standards ahead of the release to meet the deadline.
However, they recently announced CMMC 2.0 in late 2021 which included key updated model changes and documentation with implications for government contractors.
CMMC 2.0 streamlines some of the complexities and challenges of CMMC 1.0 and requires compliance with fewer technical controls and less proof of program maturity in the planning and budgeting of resources to sustain the cybersecurity hygiene of the organization.
The most significant distinction between the versions is the consolidating of the levels from five to three in CMMC 2.0:
- Level 1 (Foundational) only applies to companies that focus on the protection of FCI (same as previous Level 1)
- Level 2 (Advanced) is for companies working with CUI (previous Level 3)
- Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs) (previous Level 5)
With that being said, government contracting companies must take CMMC compliance seriously. It will come sooner than you anticipate and developing a CMMC compliance checklist is one of the first things you should do to ensure that you are CMMC ready.
Although CMMC is not yet required for all contractors, it is preceded by DFARS 252.204-7012 (included in defense contracts since 2016), which requires implementation of the same NIST 800-171 baseline of controls that CMMC is based on. CMMC 2.0 is expected to become a must-have requirement for all DoD contractors before bidding on DoD contracts, starting as early as May 2023.
CMMC Compliance Checklist 2.0
1. Identify Internal Stakeholders
There are a few internal stakeholders you’ll want to involve in your CMMC compliance efforts. Here are a few key players:
- The internal or outsourced IT and Information Security teams should be involved to ensure that all security controls are implemented and maintained.
- The legal team will need to be involved to ensure that any contracts you sign with the DoD are compliant with CMMC requirements.
- The Human Resources team will need to review current employee policies and update them to align with the CMMC requirements, as well as initiate the training identified in several areas of CMMC controls. This should be undertaken in alignment with the InfoSec team.
- The finance team should be involved to ensure any costs associated with becoming CMMC compliant are budgeted, prioritized, and accounted for.
2. Perform a Readiness Assessment
A readiness assessment, otherwise known as a gap analysis, assists contractors in locating any potential issues that may arise when applying new processes or procedures. Begin by examining the present state of your IT infrastructure.
3. Determine CMMC Level
Companies must first determine the CMMC level of compliance they will be required to achieve before adequately preparing for a CMMC audit and ensuring that their business is in full compliance.
Determine the CMMC certification level (1 – 3) that you’ll need. You must at least achieve Level 1 of CMMC 2.0, which can be done via self-attestation.
The level of CMMC required varies on the contract(s) you are currently under or will want to participate in, in the future.
- If you handle Federal Contract Information (FCI), you must comply with CMMC Level 1.
- If you handle Controlled Unclassified Information (CUI), you must comply with CMMC Level 2 or 3.
4. Determine the Scope of the Assessment
Understanding what categories of data (FCI, CUI, or both) your organization has, where it is processed, stored or transmitted in the organization, and how to reduce the footprint of that data can substantially reduce the amount of resources necessary to become CMMC assessment ready. This will likely be one of the most valuable exercises you do, so if you are unsure how to determine the most efficient and effective scope, seek the assistance of a CMMC consultant.
5. Prepare for a CMMC Assessment
The next step in preparing for a CMMC assessment is to identify the specific areas of cybersecurity controls that will need to be addressed. You can do this by performing a gap analysis to determine where your company falls short in terms of compliance.
Once you have identified the areas that need improvement, you can begin sourcing and implementing the necessary security controls to address those gaps.
It’s important to note that you will need to provide evidence of your compliance during an assessment. This means keeping detailed records or evidence of all security measures implemented within your organization.
Finally, create a checklist of actions that the company will have to take before hiring a C3PAO to conduct a CMMC assessment. This checklist of actions is also known as a POA&M, explained in more detail below.
6. Initiate Internal Review and Remediation
After conducting a CMMC assessment based on the desired level of maturity the business wants to achieve, your company should have a list of documents or processes that you may have to create, update, or adhere to based on priority. The prioritization is usually determined by the amount of resources available and the urgency of the missing controls that require remediation. (Examples listed below)
7. System Security Plan (SSP)
DFARS 252.204-7012 mandates DoD contracting companies working with the US government to document and update their System Security Plan regularly. This same requirement is included in CMMC through one of the corresponding NIST 800-171 controls.
The SSP is a critical document that outlines the security controls that will be implemented to protect your company’s systems and data, how they are implemented, and what policies and processes are in place to support those controls.
Without an SSP, you are at risk of being non-compliant with both DFARS 252.204-7012 and the CMMC requirements.
8. Plan of Action and Milestones (POA&M)
A Plan of Action and Milestones (POA&M) is a document that outlines the specific steps your company will take to remediate any security deficiencies identified in the gap analysis. This will help you track your progress and ensure that you are on track to become compliant, as well as serve as proof of the self-assessment and remediation efforts your organization has completed to date
9. Hire a C3PAO To Conduct an Assessment
To comply with CMMC regulations, some of the Level 2 contracting companies that operate in the defense supply chain must complete a CMMC audit conducted by a CMMC Third Party Assessment Organization, or C3PAO. As the Organization Seeking Compliance (OSC) that requires a CMMC Assessment. it is the responsibility of your company to select and hire a C3PAO to conduct your assessment.
C3PAOs are the only parties authorized to perform these audits by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and the Cyber AB (formally CMMC-AB) to conduct CMMC assessments.
CMMC does not allow for self-assessments for some contractors that handle CUI in the same way that DFARS 252.204-7012 does, meaning those companies cannot obtain a Level 2 CMMC certification on their own.
The cost of a third-party CMMC assessment is determined by several factors, including the the complexity of your IT infrastructure, the number of sites being assessed, and the size and location of your organization. The Cyber AB has a marketplace to find the authorized C3PAO’s in your area, located here on their website.
10. Receive the CMMC Assessment Report
An assessment report will be generated after a C3PAO has completed an evaluation of the company. If the report reveals no issues or problems, the authorized C3PAO will issue a recommendation to the Cyber AB that the OSC receive their Level 2 CMMC Assessment certificate.
A CMMC certificate is valid for three years. A company is considered to have satisfied its CMMC certification requirement after the Cyber AB awards the Level 2 Certification and the status is updated in the SPRS system used by the DoD contracting officers.
Stay Abreast of CMMC Updates
As we’ve already seen, CMMC is evolving and updates are being made to improve the experience of the defense contractors and the ecosystem of organizations and individuals who have been set up to assist in the process. Check the cyberab.org website frequently for updates to make sure your organization takes advantage of the most recent tools and resources provided.
As you can see, the CMMC compliance checklist is long and resource intensive. Plan the time needed to focus efforts on readiness so that you are not in the position of rushing through implementation and potentially paying a premium for prioritized service.
If you are uncertain how to navigate each step on the checklist, reach out to a Cyber AB approved professional to help. Preparing for CMMC in the most efficient and professional way will help ensure maximizing your return on investment.