4 Steps to Jumpstart Compliance with CMMC
Last year, the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) program. The program makes it mandatory for the 300,000+ DoD contractors and subcontractors to meet new, more stringent cybersecurity standards, as well as undergo third-party assessment and certification.
Complying with CMMC will extend beyond cybersecurity teams into both compliance and supply chain risk management. Ignoring CMMC compliance could affect your company’s ability to do business with the DoD, its contractors, or subcontractors of defense contractors.
Starting your CMMC compliance journey now means you will be better protected and resilient to ever-growing cybersecurity risks. In this white paper, you’ll learn:
- Key questions to answer to determine the certification level your organization needs
- Best practices for prioritizing your compliance efforts and mapping CMMC requirements to existing compliance obligations
- How you can work with the rest of the enterprise to develop a strong CMMC compliance response
Here are the 4 steps to jump-start your compliance with CMMC:
Step 1: Understand the CMMC Level You Need
Your CMMC compliance journey begins by understanding the certification level that suits your organization. CMMC is a tiered program with 5 certification levels. Your certification level depends on the maturity expectations placed on you, which are based on the sensitivity and magnitude of the DoD data you interact with as you do business with the DoD.
- Level 1: Basic
- Level 2: Intermediate
- Level 3: Good
- Level 4: Proactive
- Level 5: Advanced and Progressive
The NIST 800-171 cybersecurity framework spells out the compliance requirements for each organization based on its level of engagement and the sensitivity of the DoD data it interacts with when working with the DoD or DoD contractors. The framework seeks to protect controlled unclassified information (CUI).
For every organization, the starting point is understanding which certification level is appropriate for you. If you only supply essentials like foodstuffs to a few DoD units, you most likely need level 1 certification. However, if your contract involves the construction or supply of highly sensitive security installations, you need level 5.
Your level of compliance determines the contracts you may bid for. If you are under-compliant, you will be barred from bidding on some contracts. If you are over-compliant, you will have invested in security risk management solutions you may not need.
As an organization, begin by auditing your cybersecurity posture. Representatives from your IT security team, business operations, procurement, and compliance departments, together with senior managers, should come together to ask the following questions:
- What do we want to supply to the DoD?
- Are defense contracts significant to our business? How?
- Do we handle DoD CUI?
- Do we anticipate changes in our engagements with the DoD that would warrant changes in our CMMC compliance requirements?
Step 2: Perform a Risk Audit
Once you know the CMMC compliance level you require, the next step is to carry out a risk audit. This involves listing the controls and processes you have already implemented in your organization.
You may realize that the cybersecurity measures you have implemented to secure your business processes match the NIST 800-171 requirements. If you are HIPAA or PCI-DSS compliant, you may have already met the general CMMC compliance standards.
In your assessment, aim to prove the effectiveness of your cybersecurity controls and processes. There is no value in processes and controls that exist on paper but do not achieve the level of protection they are intended to provide.
In your assessment, you should also consider the CUI in your possession and the third parties you share it with. If, for instance, you share CUI with a cloud services provider, that provider will need to obtain CMMC certification independently, since it also handles CUI even though it does not receive it directly from the DoD.
If the third parties you share CUI with fail to protect it, they will expose the DoD. This may affect your engagement with the DoD if the source of the compromised data is traced back to your business. Ensure the vendors you contract with are CMMC certified to safeguard your defense contracts.
Step 3: Develop Your Mitigation and System Security Plans
Your risk assessment report will inform your Plan of Action and Mitigation (POAM), as well as your System Security Plan (SSP). The POAM maps out your mitigation strategies, while the SSP spells out the measures you will take to implement your security requirements.
The POAM lists actionable requirements for strengthening the weak points in your cybersecurity posture. The actions may include:
- Training third-party employees who handle CUI when working for you
- Assessing the compliance level of vendors who handle CUI on your behalf
- A policy limiting which vendors may handle CUI
- Developing an incident handling policy and mechanism
- Stronger business continuity strategies
- New procedures, such as increasing the frequency of vulnerability testing and improving your software patch management
Achieving your POAM may require continuous documentation and auditable maintenance of your organization’s controls and processes, as well as those of your third-party vendors. Your security, compliance, and audit teams should shoulder this responsibility collectively.
The SSP describes your IT environment, linking its cybersecurity elements to CUI protection. Part of the SSP involves implementing the remediation identified in your POAM.
Step 4: Auditing
After implementing your remediation, test to ensure your controls and processes are effective. If you find any performance gaps, act on them to ensure you are fully compliant with CMMC certification requirements.
Ensure the assessor you choose is CMMC accredited. Also, complete your remediation before the assessment so that it proceeds efficiently. This will help you avoid low scores in your audit that may force you to undergo repeat assessments. Remember, these assessments are costly, and you would not want to retake them unnecessarily.
Once your assessor certifies your compliance level, you qualify to apply for DoD contracts in line with your certification level. However, continue to test the effectiveness of your controls and processes regularly to keep them aligned with emerging cybersecurity issues such as more frequent and more complex threats. That way, you will have ready documentation showing that your compliance level is up to date and effectively protects CUI.
Are you looking for sound infrastructure services and support that allow you to get the most out of your resources and provide the security you need to protect your business? Reach out to Intelice Solutions.
At Intelice Solutions, we offer easy, comprehensive, innovative, and intelligent IT support to help our customers achieve the highest standards of success. Call us today to explore our services.