Note: This blog post is an adaptation of a presentation given by SecureStrux Governance, Risk and Compliance Practice Lead Tony Buenger at the California Polytechnic Institute on October 20, 2021.
The Path to Certification
Like any other cybersecurity framework, CMMC has a general path to certification that all organizations follow. In some cases, these steps will look familiar to organizations working in the DoD, and for others, many of these requirements will be brand new. In either case, it's important to note that CMMC focuses on organizing cybersecurity compliance around "maturity." This approach essentially means that the CMMC Assessment Board will assess organizations against a unified standard based on how they implement and manage their IT infrastructure.
While some of the particulars may change depending on maturity levels and working relationships within the DoD, by and large, these steps are helpful for most businesses.
Steps for CMMC Certification
- Understand the CMMC Model: We've written about this before, but CMMC calls for specific steps and milestones on a certification path. More importantly, you should plan for the process to take at least six months, if not longer, depending on your infrastructure.
- Identify Scope: The reason you are seeking certification is that you will most likely handle either Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). You should have a scope of work that details which systems will support and protect this information. Without a proper scope, you may have to assess your entire business and IT infrastructure, exponentially increasing the length of audits and costs.
- Identify Required Maturity Level: Two primary factors drive which Maturity Level you seek certification for: your contract with the DoD and the types of information you will protect. A Maturity Level of 1 is required to handle FCI and a Maturity Level of 3 is required to handle CUI. However, other factors related to the DoD agency and contract will impact your minimum level.
- Identify and Close Security Gaps: At this point, it's crucial to assess the actual state of your data-handling infrastructure. An internal assessment can help you get a bird's-eye view of significant issues. External consultations with RPOs or Third-Party Assessment Organizations (C3PAOs) can help drive CMMC-specific consultations to prepare. In the case of internal assessments, you can rely on the CMMC Assessment Guide and NIST SP 800-171A as a blueprint to identify scope, data, stakeholders and other assets. For external assessments, you can rely on experienced and objective professionals to provide clear and accurate feedback.
- Select a C3PAO from the CMMC-AB Marketplace: CMMC certification requires an audit and report from a certified C3PAO, but you have the freedom to choose the organization you want to work with. Using the CMMC-AB marketplace, you can search for and browse companies that are verified C3PAOs, which allows you to avoid fraudulent C3PAOs and work with companies that fit your needs.
- Conduct an Assessment with the C3PAO: At this stage, after preparing for your assessment and selecting and consulting with a C3PAO, you can begin your assessment. The C3PAO will conduct the central aspects of your audit and complete a report based on their findings.
- Remediate Issues: Depending on the C3PAO report, you may have to remediate systems that don't meet the requirements for CMMC certification. You can often avoid this with careful assessments before your certification audit, but it's not uncommon for other issues to come up. In these cases, it's up to you to address the issues before the C3PAO can sign off on certification.
- Submit Assessment Results and Receive Certification: Once your audit clears you for CMMC authorization, the C3PAO will submit their report to the CMMC-AB for final certification.
Digging Deeper into Each Step
The truth is that each step of this process deserves an essay unto itself. For this introduction, however, we'll discuss some general preparation steps that you can take:
- Don't wait to understand your systems better. A lack of understanding will not only make certification more difficult, but it will also make successful certifications cost more in time and resources.
- Shop for a C3PAO earlier rather than later. A C3PAO can be a valuable partner for your pre-certification assessments as well as for any remediation work needed. Having an expert in the field on your side earlier in the process can make a significant difference.
- Pay close attention to contract requirements. Your DoD contract will specify how far you need to take CMMC certification—because of that, understanding your contract or the terms of an RFP will help you know which of your systems will need to undergo assessment for certification.
- Maintain good cyber hygiene practices regardless of CMMC. There is no reason to have substandard cybersecurity irrespective of compliance. Conduct regular testing, set clear cybersecurity policies and use risk management and data governance practices to drive your IT decisions. Following that, adjusting to different requirements under CMMC will be much easier.
Work with SecureStrux on CMMC Preparation
SecureStrux is a Candidate CMMC C3PAO, ISO 9001 certified, INC 5000 Fastest Growing and award-winning Best Places to Work company. Furthermore, we have experienced CMMC professionals, including a CMMC Registered Practitioner (RP) and a Provisional Assessor (PA) who has experience in going through DIBCAC-led CMMC Level 3 certifications.
Our CMMC professionals are available to assist, coach, engineer, and partner with you to successfully prepare and pass your CMMC Level 1 - 3 certification.
To learn more, complete the form below and contact one of our experts.