
Cybersecurity Maturity Model Certification (CMMC) Explained

How to Prepare for Successful CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for Department of Defense (DoD) contractors. It's how the DoD certifies a contractor's ability to protect the Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the supply chain system.

The new certification is part of an increased effort to promote the adoption of cybersecurity best practices for DoD operations. That way, the whole supply chain can become more successful at repelling and responding to cyber threats.

Cyber war is a war that the Department of Defense fights every day. Strong and sophisticated as its cyber weapons are, the DoD can't fight this war on its own. The entry points to the US defense ecosystem extend to every business that supplies the materials and brain power the DoD needs to design, build, launch, and maintain its activities.

Enemies will stop at nothing to steal away the advantage that America wields as a global technology leader. That means that if your business is part of the DoD supply chain, you have been called into service to protect the government data that you store and transmit.

DoD Suppliers are Accountable for Cyber Security

The DoD depends on external suppliers and contractors for a wide array of tasks and projects. During the process, the DoD and contractors exchange sensitive data, which must be protected. Inadequate data safety measures have resulted in significant homeland security risks that have put our military members in jeopardy. CMMC replaces self-certification of compliance with NIST SP 800-171, not because the NIST standards were ineffective, but because self-certification didn’t work.

Under DFARS and DoD rules and policies, the DoD has implemented cybersecurity controls at both the contractor and subcontractor levels to protect Controlled Unclassified Information (CUI) that is transmitted, stored, or processed. A contractor or subcontractor that fails to achieve and maintain compliance with the guidelines will be unable to bid on DoD contracts.

Security is Now Equally as Important as Cost, Delivery and Quality for DoD Vendors

Going forward, cybersecurity will be equally as important as cost, schedule and performance for companies that want to keep and win more DoD contracts. By the time CMMC is thoroughly rolled out in 2025, a successful CMMC audit by a third-party organization will be a requirement for doing business in any tier of the DoD supply chain.

The CMMC has been in effect since January 21, 2020. As of right now, there is no definite indication for how long CMMC will last. However, the DoD indicates certification will be valid for three years. So, it is ideal for contractors to get certified as soon as possible.

We’ve created this resource to help you navigate through your CMMC journey.

🎥 Related: [Video] Getting Started with CMMC Compliance: Assessment First Steps That Answer What, Where & How


What is the CMMC?

Cybersecurity Maturity Model Certification is how contractors will communicate and verify cybersecurity standards.

Compliance is designed to completely protect all points in the Defense Industrial Base (DIB). Five levels of CMMC compliance measure and assess cybersecurity practices and processes, certifying a contractor's ability to protect the Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the supply chain system.

Each CMMC level builds on the previous level and includes both technical and non-technical requirements. While a successful audit is a step in the compliance process, the ultimate goal of CMMC is to enable organizations to meet new threats as they evolve so that organizations never let down their guard.


The CMMC builds upon previous requirements outlined in:

    • NIST SP 800-53
    • NIST SP 800-171
    • DFARS 252.204-7012
    • AIA NAS9933

How Far Down the DoD Supply Chain Does CMMC Stretch?

The DoD has implemented cybersecurity controls through CMMC for both contractor and subcontractor levels. Your contract will specify the CMMC level that you will need to achieve and maintain, as well as the data that needs to be protected. Most companies will need Level 3. (see diagram)

Your entire organization does not need to comply with CMMC if you have other customers outside of the DoD. In fact, limiting compliance to just the part of your network and organization that handles FCI and CUI will help you to limit costs when it comes to the actual audit.

What Does CMMC “Maturity” Mean?

In the IT world, we use the word “maturity” to describe how well an organization’s technology is being used to meet business objectives and keep operations running smoothly and efficiently. The lowest level can be described as chaotic with the highest described as strategic. The levels build on each other.

When combined with cybersecurity, maturity denotes increasing capability to manage cyber risks. CMMC levels go from basic to advanced. You can see in the diagram below how the levels build on each other.

[Diagram: The five CMMC levels]

The Five CMMC Levels Are as Follows:

  • Level 1: Basic Cyber Hygiene - The DoD contractor must comply with 17 controls from NIST 800-171.
  • Level 2: Intermediate Cyber Hygiene - The DoD contractor must comply with 48 additional controls from NIST 800-171.
  • Level 3: Good Cyber Hygiene - The DoD contractor must comply with the final 45 controls from NIST 800-171.
  • Level 4: Proactive - The DoD contractor must comply with 11 controls from NIST 800-172 as well as an additional 15 "Other" measures.
  • Level 5: Advanced or Progressive - The DoD contractor must comply with the final four controls from NIST 800-172 as well as an additional 11 "Other" measures.

What is the CMMC Assessment Process?


CUI Discovery

What Data Are You Protecting?

In order to protect Controlled Unclassified Information, you need to determine exactly where it’s stored and how it’s transmitted. Simple as it sounds, this step is tripping up many companies because they can’t identify the information in the first place, or they don’t know where it resides in their network.

Controlled data includes things like contract information, names, PO numbers, technical data, and the like. Your contract should tell you exactly what information you need to protect so if this is not clear, ask them for clarification.

Once you identify the data, you can set the scope for compliance. While it’s not a bad thing to increase the cybersecurity stature for your whole organization, you can save costs on your CMMC audit and ongoing management of compliance when you can focus CMMC activities on just the DoD controlled data.


Gap Analysis

How Are You Protecting the Data Today?

Whether you complete this step through a self-assessment or engage a CMMC consultant for a facilitated assessment, you need to determine where you're strong and where you have gaps in security practices and processes. In a gap analysis you go through every required control and answer yes or no for each one: is it in place or not?

Most businesses that are down a few tiers in the supply chain will ultimately need to meet Level 3 requirements. At Level 3 the controls need to be in place, they need to be documented, and you need to provide two pieces of evidence for each one.

The gap analysis will tell you exactly what you need to do to meet requirements. You’ll use this information to create a remediation plan. If you need to submit a self-assessment, a gap analysis will meet that requirement.


Remediation Plan

Your Action Plan to Prepare for Your Audit

A remediation plan is your task list to prepare for your third-party audit. Don’t expect this task list to be a shopping list of hardware and software that you need to buy. In fact, many companies don’t need to purchase any additional equipment to prepare for CMMC compliance.

Security controls are both technical and non-technical barriers to network intrusions. Practices and processes associated with the controls detail exactly how controls are implemented.

For example, to identify and authenticate users, you may have Multi-Factor Authentication (MFA) set up, which is a technical control. You could also have a policy (non-technical) that prohibits employees from using the same password for different accounts. Practices and processes detail how these two controls are going to be implemented and managed.

🔎 Related: 3 Most Common Advanced Technologies Businesses Need For Their CMMC Remediation Plan

Yes – The Control is in Place

If your gap analysis found that you already have the security control in place, your remediation plan will indicate whether you need to document it (Level 2) and provide the evidence for it (Level 3).

No – The Control is Not in Place

When a control is not present, the remediation plan will include a recommendation for adding it, documenting it, and supporting it with evidence.

In addition to security controls, your remediation plan may include suggestions on how you can limit the scope of compliance by segmenting your network, and confining compliance to those operations and people who are fulfilling the DoD contract.


Preparing for Your CMMC Audit

Once you have your remediation plan, your job is to make your way through your list and add the controls that are missing, document them, and decide on what evidence you’ll use for verification. Timing is important because you need to be able to show that controls have been in place for a while. You can’t do that if you wait until the last minute.

For CMMC Level 3, you'll need to prepare two pieces of evidence for each control.

For example, an access control policy might have a screenshot of a technical policy in place on the server, and the second evidence could be an interview with an employee responsible for enforcing that policy.

CMMC Assessment Guidelines: What to Expect When It’s Time for Your Audit

The first thing that a CMMC Assessor will need to know is the scope of the assessment. If part of your Remediation Plan was to limit where Controlled Unclassified Information is stored, how it’s transmitted, and who handles it, then your assessor will have less territory to cover, and you’ll save on assessment costs.

As they go through your assessment, the Assessor will be looking at specific Assessment Objectives that will have a set of determination statements. Determination statements are a set of parameters that explain the performance or function of the objective. In other words, these tell the Assessor what they’re looking for to determine how effective the control is.

Each Assessment Objective will have assessment objects. These are the pieces of evidence that you prepared beforehand. They can include documentation, mechanisms deployed by hardware and software, activities, and behaviors.

The methods that the Assessor uses to verify each assessment object will require access to your systems, people, documentation, and facility. Methods will include a combination of:

  • Examining – Looking to see if an assessment object is in place.
  • Interviewing – Talking to people about the behaviors they use when handling CUI.
  • Testing – Triggering or demonstration of a control to see how it responds.

The Assessor will determine if each control is MET, NOT MET or NOT APPLICABLE. Because each CMMC Level builds on the one below it, you must meet every requirement in each level that applies. For example, if your goal is Level 3 then you must meet every requirement in Levels 1 and 2.
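To make the gap-analysis, remediation-plan and level-determination rules described above concrete, here is an added Python example; it is not code from the original page or from Accent Computer Solutions. It models each control with the yes/no answer from the gap analysis, its documentation status and its evidence, derives the remediation task list from the "Yes" and "No" rules (document at Level 2, two pieces of evidence at Level 3), and applies the cumulative MET / NOT MET / NOT APPLICABLE determination, where reaching Level 3 requires every Level 1 and 2 control to be met as well. The control identifiers, level assignments and evidence descriptions are constructed placeholders, not real NIST SP 800-171 practice numbers.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The page's Level 3 rule: two pieces of evidence per control.
EVIDENCE_REQUIRED_AT_LEVEL_3 = 2


@dataclass
class Control:
    control_id: str                  # constructed placeholder, not a real NIST SP 800-171 number
    level: int                       # CMMC level at which the control is first required
    in_place: bool                   # the gap-analysis answer: yes (True) / no (False)
    documented: bool = False         # required from Level 2 upward
    evidence: List[str] = field(default_factory=list)  # assessment objects prepared for the audit
    applicable: bool = True          # False -> assessor marks it NOT APPLICABLE


def remediation_tasks(ctrl: Control, target_level: int) -> List[str]:
    """Task list for one control when aiming at target_level, following the
    page's rules: a missing control must be added, then documented (Level 2),
    then backed by two pieces of evidence (Level 3)."""
    if not ctrl.applicable or ctrl.level > target_level:
        return []
    tasks: List[str] = []
    if not ctrl.in_place:
        tasks.append("implement the control")
    if target_level >= 2 and not ctrl.documented:
        tasks.append("document the control")
    if target_level >= 3:
        missing = EVIDENCE_REQUIRED_AT_LEVEL_3 - len(ctrl.evidence)
        if missing > 0:
            tasks.append(f"collect {missing} more evidence item(s)")
    return tasks


def determination(ctrl: Control, target_level: int) -> str:
    """The assessor's verdict for one control at the given level."""
    if not ctrl.applicable:
        return "NOT APPLICABLE"
    return "MET" if not remediation_tasks(ctrl, target_level) else "NOT MET"


def achieved_level(controls: List[Control]) -> int:
    """Highest level at which every control required at or below that level is
    MET or NOT APPLICABLE, judged by that level's documentation and evidence
    demands. Levels are cumulative, so the first failing level stops the climb.
    Assumes the catalogue holds the full control set for each level it covers."""
    achieved = 0
    for level in sorted({c.level for c in controls}):
        required = [c for c in controls if c.level <= level]
        if all(determination(c, level) != "NOT MET" for c in required):
            achieved = level
        else:
            break
    return achieved


def remediation_plan(controls: List[Control], target_level: int) -> Dict[str, List[str]]:
    """Map of control id -> outstanding tasks; controls with nothing to do are omitted."""
    plan = {c.control_id: remediation_tasks(c, target_level) for c in controls}
    return {cid: tasks for cid, tasks in plan.items() if tasks}


# Constructed sample catalogue (placeholder ids), as a gap analysis might record it.
SAMPLE_CONTROLS = [
    Control("AC-EX-1", 1, in_place=True, documented=True,
            evidence=["MFA configuration screenshot", "interview with the policy owner"]),
    Control("AC-EX-2", 1, in_place=True, documented=True, evidence=["written policy"]),
    Control("IA-EX-3", 2, in_place=True, documented=False),
    Control("SC-EX-4", 3, in_place=False),
    Control("PE-EX-5", 3, in_place=False, applicable=False),
]

if __name__ == "__main__":
    print("Level currently achieved:", achieved_level(SAMPLE_CONTROLS))
    for cid, tasks in remediation_plan(SAMPLE_CONTROLS, target_level=3).items():
        print(cid, "->", "; ".join(tasks))
```

For the sample catalogue the organization currently stands at Level 1 (the Level 2 control is in place but undocumented), and the Level 3 plan lists one control needing a second piece of evidence, one needing documentation plus evidence, and one that must be implemented, documented and evidenced; the non-applicable control generates no tasks.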

When you’ve done the work to prepare for your CMMC Assessment, you shouldn’t need to worry about the outcome. In fact, the security posture for your whole organization may mature as a result.

How Much Do CMMC Audits Cost?

The cost of your audit will depend on the CMMC Level for which you’re being assessed, the complexity of your network, and other factors that can increase or decrease the time it takes to complete an audit.

Once attained, your certificate is valid for three years with ongoing management.

Staying CMMC Compliant

If you're new to regulatory compliance, you might think that once you've passed your audit you can relax, but compliance – and cyber security – is an ongoing process that has to be managed. As with anything, managing compliance takes resources.

The DoD supply chain is extremely diverse, made up of everything from large companies with their own IT departments to small businesses that rely on a local IT provider. No matter the size, companies can benefit from the services of an MSSP (Managed Security Services Provider) to bring them the knowledge and tools needed to efficiently manage cyber security and CMMC compliance.

MSSPs can augment your in-house resources and act as an extension of your team. Because they bring advanced tools and extensive knowledge of cyber security to your company, you'll find that you're not only able to attain CMMC compliance, but you can become better at managing your overall cyber risk.

Whether you rely on in-house or outsourced cyber security expertise, the objective is not just to maintain compliance, but to know how to respond to possible intrusions and keep up with evolving threats.

🔎 Related: IT Managers: How to Tell Your Boss You Need a CMMC Consultant

Registered Practitioners
Your Guides to CMMC Compliance

The DoD understands that businesses are going to need some help in preparing for and passing CMMC audits so through the CMMC Accreditation Body, programs have been created to train individuals and organizations to provide CMMC consulting.


Registered Provider Organization (RPO)

Registered Provider Organizations (RPOs) are companies that have at least one trained CMMC consultant (RP) who can work with businesses to prepare for CMMC audits. RPOs have passed an organizational background check and have agreed to the CMMC Accreditation Body code of conduct. They also demonstrate skill in CMMC awareness as part of IT service delivery.


Registered Practitioner (RP)

Registered Practitioners (RP) are consultants who are trained in CMMC methodology and have agreed to maintain the highest standard of professional conduct. They advise companies by providing services such as gap analysis, remediation plans, and other activities that pertain to audit preparation.

How Accent Computer Solutions Can Help Your Business Prepare For CMMC Compliance

Although it may seem daunting, Cybersecurity Maturity Model Certification (CMMC) does not have to be a strenuous process.

As a CMMC Registered Provider Organization (RPO), we help companies implement and maintain the controls of CMMC so they can bid on contracts with the Department of Defense and its supply chain. We have over 30 years of experience helping companies with compliance requirements, so you can expect to be prepared for any CMMC certification level as quickly and painlessly as possible.

The DoD recognizes that security is an utmost concern, and should never be substituted for cost, schedule, or performance. The Department is committed to keeping sensitive data safe and protecting all parties involved in the contract process.

We are committed to getting your company certified to your desired level.

Need help with CMMC compliance? Let's chat and see if we're the right fit to help guide you along your journey to certification. Contact us today!


CMMC Consulting & Guidance You Can Trust

Accent Computer Solutions is a proud Registered Provider Organization (RPO) with Registered Practitioners (RP) on staff.


Request a Free CMMC Consultation