Having walked many of our clients through NIST SP 800-171 assessments, we understand how daunting it is to prepare for a CMMC assessment.
Anyone helping their own organization, subcontractors, or client organizations prepare for an assessment can use the following step-by-step process.
Understand the difference between FCI and CUI so you aim for the correct CMMC maturity level. In general, a company that handles only FCI will need to achieve Level 1, while a company that handles CUI will need to achieve at least Level 3. Levels 4 and 5 focus on reducing the risk from advanced persistent threats (APTs) and are intended to protect CUI associated with DoD critical programs and technologies.
Get a clear picture of where FCI or CUI resides within your infrastructure and who has access to it. Drawing a clear boundary, or implementing an enclave that confines the storage, access, and handling of that data to a limited part of your organization, is key to scoping the assessment properly. Investing now in restructuring toward an enclave approach will most likely save your organization time and money in the long run, because it shrinks the footprint over which the most intensive cybersecurity controls must be applied and assessed.
Perform a methodical comparison of your current state against the cybersecurity domain practices, and against the maturity of the policies, procedures, processes, and plans, associated with the CMMC level you want to achieve (based on the scoped boundary of data and personnel). Assessment tools and how-to guides are available from a long list of vendors; some are free and some are paid. However, these resources cannot advise you on mitigations that could save a lot of time and money. Let's face it, you don't know what you don't know. Consider using a Registered Practitioner (RP) or a Certified Professional (CP) to help you prepare. You can find their Registered Practitioner Organization (RPO) or Certified Third-Party Assessor Organization (C3PAO) on the CMMC-AB Marketplace.
The results of the preliminary assessment should generate a few things:
A POA&M (Plan of Action and Milestones), gap assessment, or similarly named document that lists the items for remediation and helps you prioritize where to focus your efforts based on the business risks identified. Prioritization should be driven by your risk appetite and your budget. This is a conversation to involve stakeholders in and to garner support at all levels, including senior management.
An SSP (System Security Plan), an in-depth document that NIST SP 800-171 Rev. 2 defines as "A document that describes how an organization meets the security requirements for a system, or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems." In other words, this is the master plan for your infrastructure security. Specific things to expect in your SSP are:
– An inventory of the digital and physical information that qualifies as FCI, CUI, IP, or any other category you choose to track
– An inventory of user roles and responsibilities, services acting on behalf of users, the devices and systems that access or handle the data, and external system connections
– The methods and processes used to protect the confidentiality, integrity, and availability (CIA) of the data
– The capability of the controls in place, including the plan to address any associated weaknesses
– A graphic representation of where the organization's data resides and how it flows (for example, a Visio diagram)
Once you have these assessment results, it is up to your organization (and your consultant, if applicable) to prioritize the items in the gap assessment for the most bang for the buck. At this stage you may realize that an enclave for your data and personnel makes sense, even if you had not considered it before. The goal is remediation that checks the most boxes within your risk appetite and budget. Seeing the full scope written down often reveals how far CUI has spread; some companies find that moving to a platform such as Microsoft GCC High, or standing up a dedicated remote access system for subcontractors, eliminates much of that scope creep.
The final step in your CMMC assessment preparation is to turn the POA&M into actionable projects, allocating personnel and financial resources according to budget. Your consultant should be able to assist here as well, either as outsourced project management or by setting up the projects with your internal team. At this point, based on the allocated resources and the plans for the remediation projects, reach out to a qualified C3PAO to get the assessment on the calendar for your target readiness date. Don't forget that the C3PAO can provide a readiness assessment to help both parties agree on the scope and timeline.
As your business considers its gaps, keep in mind that with the adoption of CMMC, cybersecurity will be an allowable cost. This is the time to begin building budgets to upgrade your cybersecurity program to the necessary level and to calculate how those costs could affect your rates. This shift recognizes the critical nature of cybersecurity and serves as an incentive for vendors to comply with CMMC quickly.
You should not take on CMMC compliance alone. Edwards Performance Solutions has a full cybersecurity team already accredited as Registered Practitioners, and our organization is fully embedded in the CMMC ecosystem as an RPO, C3PAO, LPP, and LTP. We have adapted our assessment and consulting services to address CMMC requirements and to help your company conduct a gap analysis. Edwards is equipped to help you build a roadmap toward compliance with our CMMC Quick Look Assessments, and we also provide virtual instructor-led training on a range of CMMC topics. Let us know how we can help you.