Where do I start with CMMC compliance?
At long last, the CMMC proposed rule will be released on December 26, 2023!
If you have not prepared to pass the CMMC Assessment, there is no time like the present! (And if we may be so bold, we suggest preparing for the journey with some music to get you in the right frame of mind!)
Where does a contractor in the Defense Industrial Base start?
Rally the troops, and choose a leader: CMMC compliance is a team effort. A common misconception of the CMMC program is that it contains all technical controls and requires little coordination with staff not directly involved with IT. However, the CMMC program controls involve much more than technical configurations: human resources, building security, administration and operations, accounting, and even external service and cloud providers fall in scope.
Leadership starts at the top.
Communication and alignment: Management must make clear that conforming to the requirements of CMMC is a priority. Kick off an all-hands meeting to align and educate the entire organization and include goals, defined roles and responsibilities, and communication channels. It is key to have one person designated to serve as the lead to coordinate your team’s efforts. In one company that MNS Group works with, the head of business development led the compliance implementation for the company. Why that role to lead the effort? Lost opportunity. This individual had a lot to lose if the company did not become compliant in time to win the contracts that provided the bulk of his department’s income, and he possessed the skills to educate, encourage, and track the various departments to contributions. Whoever in your organizations secures the honor, they will require the support of the management team.
The good news is that if you are working with MNS Group, we are able to assist your team with our CMMC Certified Professionals and Assessors (CCPs and CCAs), with implementation and support toward compliance.
Determine the level you need to comply with.
Your contract and the type of information your company handles determines the level and number of controls your organization must meet. Every defense contractor will need to meet at minimum Level 1. The CMMC 2.0 model consists of three distinct levels, each representing a different set of cybersecurity practices and processes:
Level 1 – Foundational: This level is focused on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for this information as outlined in Federal Acquisition Regulation (FAR) 52.204-21. It includes 17 practices that are fundamental to cybersecurity, largely aligning with basic cyber hygiene practices. At this level, companies are required to perform annual self-assessments.
Level 2 – Advanced: Level 2 aligns with the protection of Controlled Unclassified Information (CUI) and is based on a subset of the security requirements specified in NIST SP 800-171. Level 2 applies to you if your company handles CUI; you are already subject to DFARS 252.204-7012 requirements and have been since late 2017.This level includes a total of 110 practices and focuses on the implementation of intermediate cyber hygiene practices to protect CUI. Level 2 requires companies to undergo an independent third-party assessment every three years to ensure compliance.
Level 3 – Expert: This level is intended for companies that are part of the defense industrial base and are handling critical national security information. Level 3 is based on a subset of the security requirements from NIST SP 800-172, along with additional practices and processes from other sources to protect CUI and reduce the risk from Advanced Persistent Threats (APTs). Compliance with Level 3 requires a government-led assessment every three years. The final rule is expected to have greater detail on this level.
Target your efforts based on the level at which your organization must comply.
If your company handles, creates, stores, or transmits CUI- who handles it? Where is it accessed, processed, or stored? How does it flow and move through the organization? The environment where CUI exists helps determine your scope. A System Security Plan (SSP) documents what controls are in place. The smaller the environment, the less expensive compliance efforts will be. Some companies find that an enclave for the CUI is a smart solution.
An enclave is a way for organizations to limit the endpoints that need to be secured, making compliance efforts more streamlined resulting in less expensive and sometimes faster compliance. All contractors to the DoD will have Level 1 controls in-scope applied organization wide- even if your CUI is confined to an enclave.
Understand your company’s current state of compliance.
How is your company currently protecting sensitive information? There are technical controls as well as practices and policies that determine the answer to this question.
Technical controls and configurations are based on policy and documentation of your organization. In our experience, most organizations do not have the necessary documentation to meet the controls in full. A self-assessment or gap analysis is a way to identify which areas need focused attention to meet those controls fully.
There are a variety of ways to approach a compliance status check.
- Internal self-assessment. An individual or a team could complete a self-assessment using a checklist. There are a few online that are available
- Upside: low cost
- Downside: time intensive, nowhere to store documents, no guidance, can be confusing to laymen
- Internal using a GRC tool (a couple examples are IntelliGRC, or FutureFeed,)
- Upside: easy to use interface, stores documentation, can be used by multiple team members, creates a Plan of Action and Milestones (POA&Ms)
- Downside: usually outside of skill area of inhouse team, time intensive, annual fee, remediation steps may not be clear
- Hire a CMMC professional to performs a Gap Analysis
- Upside: modest time resources required from your internal team, working with subject area experts trained to identify company needs and ask the right questions, clear plan and deliverables with action items and next steps.
- Downside: costs
Once your system has been reviewed, you will have a score. Once you have a score, there will be steps needed to remediate the gaps that were identified. If you use a GRC tool or have hired a CMMC professional, the identified POA&Ms will guide efforts to close the gaps. There may be a LOT of POA&Ms, with an overwhelming amount of information.
How soon does your business need to be ready? When do your current contracts renew? What guidance has been offered from the primes you subcontract to? Knowing this will assist you to pace your remediation efforts from the gaps that were identified. During the course of your Gap Analysis, it may be clear that an enclave may be an efficient way to narrow scope and make faster gains toward compliance.
In our experience the top thing that contributes to low SPRS scores is poor or missing documentation. There are many options that can be purchased to give your team some assistance to undertake this daunting task.
Grouping tasks into projects helps. There are many considerations, including who participates from your internal team or if you outsource tasks. What budget has been allocated for the effort? There may be purchasing decisions that may need to be made for things like monitoring, staff training, or consulting.
Schedule a readiness or mock assessment
Think you are ready? Consider conducting a readiness or mock assessment prior to the CMMC Assessment.
For CMMC levels 2 and 3, you will need to have an assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). During the assessment you will need to prove that you are meeting the objectives of the controls, and the assessors will refer to in your System Security Plan (SSP). The CMMC Certified Assessor will examine compliance through interviews, documentation, and demonstration. Having a mock assessment familiarizes your team with the assessment process, making the actual CMMC Assessment less daunting. Understanding the format, types of questions, and expectations can significantly reduce anxiety and uncertainty and improve the assessment process. Failing a CMMC Assessment can have serious consequences, including the inability to contract with the Department of Defense (DoD). A mock assessment helps in avoiding such penalties by ensuring you are well-prepared.
Get in Line
With few certified third-party assessors (50 today), and more than 70,000 contractors who will need an assessment, schedule with a C3PAO early. C3PAOs can be found on the CyberAB marketplace. MNS Group is a C3PAO, and we would be happy to assist you in getting on our waitlist.
Wherever you are in your compliance journey, MNS Group is here to help! Contact us today.