The Department of Defense has awarded almost $329 billion in contracts so far this year. These lucrative contracts can be highly competitive. You need to give your business every advantage.
Becoming CMMC compliant helps ensure you can compete. Achieving compliance takes many businesses a year or more, though. A well-designed strategy will help promote your success.
Keep reading to learn more about the cybersecurity standard and get a CMMC compliance checklist that will put you on the right track.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program is a cybersecurity assessment standard from the Department of Defense (DoD). The DoD designed the standard to ensure that defense contractors are protecting sensitive defense information.
Types of Information that Require Protection
Sensitive defense information includes:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
FCI is information not intended for public release that is provided by or created for the government as part of a contract. Examples include:
- Contracts and subcontracts
CUI is more sensitive than FCI. The CUI designation covers information such as:
- Personally identifiable information
- Proprietary business information
- Military technical specifications
NIST 800-171 is a federal standard that covers the requirements for protecting CUI. CMMC aims to bring all defense contractors in line with NIST 800-171. It expands the requirement for certification to organizations that only handle FCI.
Deadline for CMMC Compliance
CMMC compliance isn’t currently included in federal contracts. The implementation process was delayed when the DoD changed its approach.
The Pentagon revised the original proposal for CMMC. It submitted CMMC 2.0 to the White House for review in July 2023. A 60-day period for industry comments will begin in November or December.
The final rule is expected in the fall of 2024.
Determine Your CMMC Level
CMMC 2.0 has three levels of compliance. Understanding which level applies to your organization is critical. The standards for each CMMC level get progressively tighter.
The required security practices fall under 14 CMMC domains. The domains range from access control and training to risk assessment and incident response.
Level 1: Foundational
Companies that don’t handle CUI fall under Level 1. CUI requires a higher level of security than FCI.
Level 1 compliance means that you follow basic cybersecurity practices. Unlike the other two levels, a third-party assessment usually isn’t a requirement for Level 1. You should conduct an annual self-assessment instead.
Level 2: Advanced
Level 2 applies to most defense contractors who handle CUI. It builds on the requirements of Level 1 by adding more extensive security controls. Level 1 includes 15 security practices, but Level 2 includes 110.
CMMC requires most organizations that fall under Level 2 to have a third-party assessment every three years.
Level 3: Expert
Very few defense contractors will fit the qualifications for Level 3. Level 3 demands the toughest security measures to protect the most sensitive information. It covers more than 110 practices that draw on NIST 800-172 in addition to NIST 800-171.
Level 3 certification requires a government-led assessment every three years.
Choose a Point Person for CMMC Compliance
Successful CMMC compliance requires having someone on your team who owns the process. One of this person’s most important responsibilities will be to establish a timeline for CMMC. They will take on various other tasks, including:
- Meeting with stakeholders to ensure participation
- Ensuring that deliverables are on schedule
- Overseeing the purchase of technology resources as needed
- Ensuring that protocols are followed
The timeline and compliance plan will be specific to your organization.
Create an Asset Inventory
You need to identify all systems, data assets, and people that interact with CUI. You should define where CUI enters and leaves your IT environment. You need to specify where it is stored, accessed, and processed.
The more you can limit your exposure to CUI, the easier compliance will be. Fewer endpoints to secure and fewer people to train save you time and money. Try to narrow your scope as much as possible before implementing any new controls.
Draft a System Security Plan
You will need to show your System Security Plan (SSP) as part of your Level 2 or Level 3 CMMC assessment. The SSP describes the security controls you have in place to meet your security requirements. It includes your hardware, software, and personnel.
The SSP should be as comprehensive and detailed as possible. A well-crafted SSP can serve as a road map for your CMMC compliance process. It will change as your organization makes progress.
Write Plans of Action and Milestones if Necessary
You may identify the need for a control that you haven’t been able to implement yet. In that case, you can put a Plan of Action and Milestones (POA&M) into your SSP. A POA&M specifies the resources you need to accomplish the goal as well as milestones leading to completion.
If you have too many POA&Ms, you won’t pass a third-party assessment. You may earn a conditional certification with a few POA&Ms for low-level controls. You’ll need to complete all POA&Ms for full CMMC compliance.
Conduct a Self-Assessment
You’ll want to find any weaknesses in your security measures before the official audit. NIST 800-171A provides a framework for self-assessment. You can also use the assessment guides for Levels 1 and 2 provided by the DoD.
The assessment should cover all the relevant CMMC domains. The process starts by determining your assessment objectives. You can then define the methods and objects that will help you complete each objective.
If the assessment identifies weaknesses, you can add them to your POA&Ms. Update the POA&Ms regularly as you make progress on correcting deficiencies.
Get Help With Your CMMC Compliance Checklist
CMMC compliance will soon be a requirement for all defense contractors. The complexity of the requirements depends on the type of information your business handles. Your CMMC compliance checklist provides the roadmap for your organization.
CloudZen Partners can help you with all the tasks on your list. Our experienced team provides comprehensive CMMC 2.0 assessment and solutions services. Our proven approach will help your organization achieve CMMC compliance in 8 weeks or less.
Schedule a call with CloudZen Partners today to start designing your CMMC compliance checklist.