Everything You Need To Do to Get Ready for CMMC

Brian Seeling
October 7, 2019

The Cybersecurity Maturity Model Certification (CMMC) is the latest security measure introduced by the Department of Defense (DoD) to strengthen the security of the Defense Industrial Base. Though still in development, the finished CMMC will require DoD contractors to demonstrate a defined level of cybersecurity controls on their systems, verified by a third-party assessment rather than by self-attestation.

In 2015, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS) clause requiring private DoD contractors that handle covered defense information to implement the NIST SP 800-171 cybersecurity standards. Some contractors have complied, while others have put off compliance. The worst case is a DoD contractor that claims to be compliant but in reality is not.

To ensure that all DoD contractors observe appropriate levels of cybersecurity controls, the DoD is developing the Cybersecurity Maturity Model Certification, CMMC. This guide provides you, the DoD contractor, with what you need to know about CMMC, including how to prepare for it.

Understanding the Cybersecurity Maturity Model Certification

In its final form, the CMMC will draw together existing cybersecurity control frameworks such as ISO 27001, ISO 27032, NIST SP 800-171 and NIST SP 800-53 into a single, more detailed and coordinated standard. In the long run, the CMMC is meant to secure the DoD's supply chain by reducing the existing cybersecurity weaknesses in the Defense Industrial Base.

How to Prepare for CMMC

The CMMC draft covers 18 cybersecurity domains, including:

  • Risk Assessment
  • Access Control
  • Identification and Authentication
  • Incident Response
  • Configuration Management
  • System and Information Integrity

Each domain is broken down into capabilities, and each capability into practices and processes. The CMMC acknowledges that not all information shares the same level of sensitivity and not all contract participants need the same level of protection, so it maps the practices and processes across five maturity levels.

CMMC Requirements

Below are the five CMMC levels and their respective requirements. The levels are cumulative: certification at a given level requires every practice of that level and of all the levels below it.

  • Level 1 - Basic Cyber Hygiene :: the basic cybersecurity practices that every company should perform. To obtain this level, you must implement 17 NIST SP 800-171 Rev. 1 controls.
  • Level 2 - Intermediate Cyber Hygiene :: universally accepted cybersecurity best practices, with the supporting processes documented. To obtain this level, you must implement another 46 NIST SP 800-171 Rev. 1 controls.
  • Level 3 - Good Cyber Hygiene :: all NIST SP 800-171 Rev. 1 controls, with the processes managed. You must implement the final 47 NIST SP 800-171 Rev. 1 controls to pass this assessment.
  • Level 4 - Proactive :: advanced cybersecurity practices that are reviewed, resourced and improved across the enterprise. To pass this level, you must implement 26 enhanced controls from the draft NIST SP 800-171B.
  • Level 5 - Advanced/Progressive :: highly advanced cybersecurity practices that are optimized and under continuous enterprise-wide improvement. To pass this level, you must implement the final 4 enhanced controls from the draft NIST SP 800-171B.

CMMC Audit Preparation

As you have seen above, each CMMC level requires the implementation of a further set of NIST SP 800-171 Rev. 1 controls, and Levels 4 and 5 add enhanced controls from the draft NIST SP 800-171B. As a DoD contractor, you are responsible for implementing the controls required by your desired level of certification.

If you have already implemented all 110 NIST SP 800-171 Rev. 1 controls, you have the practices in place for Levels 1 through 3. Note, however, that a CMMC assessment also checks that the processes behind those practices are documented and managed, so implementation alone does not guarantee the certificate. If you are yet to enforce any of the controls, you can prepare for the CMMC by doing the following:

Do it Yourself

If you have the resources, you can work through NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook, to reach the desired CMMC level. NIST published the handbook to help DoD contractors assess themselves against NIST SP 800-171. Because it covers only NIST SP 800-171 Rev. 1, it is suitable for preparation up to Level 3.

Outsourcing to a CMMC Consultant

If you don't have the expertise or the resources to meet the NIST SP 800-171 Rev. 1 or draft NIST SP 800-171B requirements, you should outsource to an experienced CMMC consultant. Many Managed Security Service Providers (MSSPs) in the country offer CMMC consulting services.

However, it is your duty as a DoD contractor to ensure that you are working with a trustworthy consultant. When hiring a third-party consultant, remember that responsibility for meeting the required cybersecurity measures stays with your company. Done well, outsourcing saves you time and money and helps your company reach and stay at its target CMMC level.

Gap Analysis

The first step towards compliance is a gap analysis: determining how far you are from meeting the requirements of your target CMMC level. During the gap analysis, the MSSP reviews your network, systems and procedures and identifies any configuration or practice that does not meet the criteria.

Areas a gap analysis examines include:

  • Measures controlling information access
  • The training of information system administrators and managers
  • Storage and retention of data records
  • Implementation of security control measures
  • Incident response plans in place

Understanding the above tells you which changes your company needs to make to meet the requirements of its target CMMC level.
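As an added example (not part of the original article, and not Peerless Tech Solutions' tooling), the script below turns a gap analysis into the cumulative calculation that the level structure implies: given an inventory of controls, the CMMC level each is assigned to and its implementation status, it reports the gap per level, the highest level you could currently assess against, and a remediation list ordered so that lower-level gaps are closed first. The control IDs are real NIST SP 800-171 requirement numbers, but the level assignments and the statuses are constructed for illustration and are not the official CMMC mapping.

```python
"""Added example (not from the original article): a cumulative gap calculator
for a CMMC-style control inventory.

CMMC levels are cumulative: a Level N assessment expects every practice assigned
to levels 1..N to be implemented, so one missing Level 1 practice blocks Level 3
regardless of how many Level 3 practices are done. The level assigned to each
control below is an ASSUMPTION for illustration, not the official mapping, and
the statuses are a constructed inventory.
"""

# Constructed inventory: "control_id,assumed_cmmc_level,status"
INVENTORY = """\
3.1.1,1,Implemented
3.1.2,1,Implemented
3.1.20,1,Implemented
3.1.22,1,Not Implemented
3.5.1,1,Implemented
3.5.2,1,Implemented
3.8.3,1,Implemented
3.10.1,1,Implemented
3.13.1,1,Implemented
3.14.2,1,Implemented
3.1.3,2,Implemented
3.1.5,2,Partial
3.3.1,2,Implemented
3.4.1,2,Implemented
3.6.1,2,Not Implemented
3.1.7,3,Implemented
3.3.5,3,Not Implemented
3.13.8,3,Implemented
3.14.6,3,Partial
"""

VALID_STATUSES = {"Implemented", "Partial", "Not Implemented"}


def parse_inventory(text):
    """Parse the CSV-style inventory into a list of (control_id, level, status).

    Malformed rows raise instead of being skipped, so a typo in a spreadsheet
    export cannot silently drop a control from the gap analysis."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        cid, level, status = parts
        level = int(level)
        if not 1 <= level <= 5:
            raise ValueError(f"line {lineno}: CMMC level must be 1-5, got {level}")
        if status not in VALID_STATUSES:
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        rows.append((cid, level, status))
    return rows


def gap_by_level(rows):
    """Return {level: [control ids not fully implemented]} for levels 1..5.

    'Partial' counts as a gap: an assessor scores a practice as met or not met."""
    gaps = {lvl: [] for lvl in range(1, 6)}
    for cid, level, status in rows:
        if status != "Implemented":
            gaps[level].append(cid)
    return gaps


def highest_achievable_level(rows):
    """Highest level N such that every inventoried control at levels 1..N is
    implemented. Returns 0 if even Level 1 has a gap. A level with no controls
    in the inventory is unassessed, not clear, so it stops the climb."""
    gaps = gap_by_level(rows)
    inventoried = {level for _, level, _ in rows}
    achieved = 0
    for lvl in range(1, 6):
        if lvl not in inventoried or gaps[lvl]:
            break
        achieved = lvl
    return achieved


def _control_key(cid):
    # Sort "3.1.22" after "3.1.5" numerically rather than as strings.
    return tuple(int(part) for part in cid.split("."))


def remediation_plan(rows, target_level):
    """Controls to fix to reach target_level as (level, control_id), lowest
    level first, because a Level 1 gap blocks every higher level."""
    gaps = gap_by_level(rows)
    plan = []
    for lvl in range(1, target_level + 1):
        plan.extend((lvl, cid) for cid in sorted(gaps[lvl], key=_control_key))
    return plan


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY)
    for lvl, missing in gap_by_level(rows).items():
        print(f"Level {lvl}: {len(missing)} gap(s) {missing}")
    print("Highest level currently achievable:", highest_achievable_level(rows))
    for lvl, cid in remediation_plan(rows, target_level=3):
        print(f"  fix {cid} (Level {lvl})")
```

Run as written, the constructed inventory reports a single Level 1 gap (3.1.22), which is enough to make the highest achievable level 0 even though most Level 2 and Level 3 controls are in place; fixing that one control first is what moves the organization to Level 1, which is why the remediation list is ordered by level rather than by domain.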

Remediation Plan

Using the findings of the gap analysis, your MSSP will provide you with a remediation plan. Depending on the results, the remedy may be inexpensive, straightforward network fixes or a more extensive network rebuild to meet the NIST requirements.

Ongoing Monitoring and Reporting

Once your systems meet the requirements of your target CMMC level, your MSSP should have tools in place to monitor them continuously, both for security breaches and for configuration drift away from the controls you implemented.

Documentation

As proof that you have implemented the necessary NIST SP 800-171 Rev. 1 or draft NIST SP 800-171B controls, the MSSP should provide you with documentation, such as the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that NIST SP 800-171 itself calls for. You present this documentation to the CMMC assessors so they can certify you at your target level.

What Are the Benefits of Passing CMMC Audit?

Winning DoD contracts is a substantial source of revenue, and since CMMC certification will be a mandatory requirement to bid, you want to pass the assessment on the first round. Consider working with an experienced CMMC consultant who can help you meet the demands of your desired CMMC level.

Hire the Most Reliable CMMC Audit Preparation and Assessment Services

Over the years, Peerless Tech Solutions has helped dozens of DoD contractors across the country work through the complexities of CMMC and the NIST SP 800-171 controls. Working closely with the DoD, we learn firsthand about the current cybersecurity standards the DoD uses in the CMMC.

If you want to learn more about implementing NIST cybersecurity controls, feel free to contact us.


If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.

The Complete Guide to Cybersecurity Maturity Model Certification
