The DoD officially released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) approach. Now, DoD contractors are running full steam ahead to try and figure out what the next steps are. All Defense Contractors will be required to be certified at some level of CMMC to continue to do business with the DoD. This means they must all create a strategy and implement a plan on how to get there. To help you get the process started, we have created these steps for you to follow.
Identify your organization's level of compliance.
There are two parts to this step. The first part is to evaluate your organization's current compliance measures. You have to know your current cyber hygiene before you can change it; this is the preliminary assessment. Some organizations already have documentation in place describing their practices against the NIST SP 800-171 controls. You can and should leverage this documentation so you're not starting from scratch.
The second part is to determine where you need to be. The CMMC framework includes five cumulative certification levels. To determine which level applies to you, ask: do you handle CUI? How do you know? Answers to these questions will drive your decision making. If you don't have CUI, odds are your type of contract will be limited to level 1 or level 2. If you have CUI, CMMC tells us you'll be at least level 3. The requirements in RFP sections L and M will also help you determine where you need to be, and your prime contractor may impose requirements of its own as a condition of your participation on its contracts.
Get a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M)
The System Security Plan is a living document that must be updated whenever an organization makes substantial changes to its security profile or processes. Typical information captured in the plan includes organizational policies, employee security responsibilities, network diagrams, and administration tasks. For NIST SP 800-171 and CUI requirements, the SSP must document each system in a contractor's environment that stores, processes, or transmits CUI. The SSP also details the flow of information between systems, as well as the authentication and authorization processes in use.
Creating your SSP and POA&M is where the hard work starts. Use your self-assessment against NIST SP 800-171 to determine the gaps between your current compliance measures and your desired CMMC level. Use those gaps to build the plan of action. Identify the necessary people, process, and technology resources, and break the plan down into a series of prioritized tasks. Doing so will help you manage your cyber risk more effectively.
Configure your existing environment
You may need to configure your existing environment, or build a new one, to meet NIST SP 800-171 compliance. Many contractors are moving to Office 365 GCC High or other cloud providers to ease this process. There are physical security requirements as well, such as storing CUI in a controlled location so that only authorized individuals have access. These are all things to consider, and they may take a significant amount of time to implement.
Establish a budget
For many organizations, becoming CMMC compliant will be a significant effort requiring time and resources. Start preparing now. You may need to consider hiring new personnel to assist in the transition. Outsourcing your CMMC compliance effort is another option: it gives you access to a team of professionals who work with compliance every day and can make the transition less stressful.
There is a large amount of work to be done to become CMMC compliant, but it is critical to your organization. Think of CMMC compliance as a byproduct of a robust security program: focus on the plan, and compliance will follow naturally. Don't wait until the last minute to prepare. Start working on these steps now!
For more information about how your organization can get started on its CMMC compliance journey, talk to Mark! He is our in-house expert!