Companies can’t execute a project without knowing the expectations and forming a plan. Given the critical nature of CMMC compliance, proper planning and effort are necessary for success. If an organization needs to achieve CMMC status, these five steps can certainly assist in the preparation.
1. Assess Your Organization's Compliance Status
The DoD determines the required CMMC level through requests for information and requests for proposals. The type of contract an organization services will determine the required target level (levels range from 1-5). As a rule of thumb, if a contractor is currently compliant with NIST 800-171, this generally equates to CMMC Level 3. Most contractors will require Level 3 standards.
The lower-tiered levels require less maturity than the higher levels. Companies requiring CMMC Level 1 certification are verified as practicing basic cyber hygiene along with implementing safeguards set forth by 48 CFR 52.204-21. Each subsequent level contains the requirements of the levels below it as well as stricter standards.
CMMC Level 3 is for organizations that require access to, or generate, controlled unclassified information (CUI). This level proves a standard capability to protect and sustain an organization’s assets and CUI. At this level, however, organizations will have challenges defending against advanced persistent threats.
2. Develop a Plan of Action & Milestones (POA&M)
Reaching CMMC compliance is a large undertaking, particularly if an organization is not already compliant with NIST 800-171 standards. There are many complexities in becoming compliant, so an efficient plan with date-based milestones is essential. It should outline all of the contractor's current challenges and specific related action items. Tracking progress is key, so the more detailed the plan, the better prepared an organization will be.
3. Implement Security Capabilities to Address Deficiencies
Once a contractor successfully completes other steps to prepare for the CMMC, like an unofficial self-assessment, they will receive a gap analysis to guide them in implementing their missing security controls. Contractors should think of it as a sketch of action items for future compliance.
This step also requires documentation as the contractor implements each security control. Documenting these controls correctly the first time will reduce the time spent during the evidence-gathering phase that comes later in the process.
4. Create a System Security Plan
Contractors should develop a system security plan in such a way that a team member can determine:
- What controlled unclassified information exists within the organization.
- Where the data is stored.
- How the data is transmitted.
- What controls are in place.
This step should follow the NIST SP 800-171 3.12.4 guidelines. The security plan should also define system boundaries, environments of operation, the implementation of security requirements, and relationships with and connections to other systems.
5. Gather Evidence to Demonstrate Compliance
CMMC requires a third-party assessment. To make this process more efficient and cost-effective, companies should create a checklist of all the required practices, documentation and control management for the CMMC level they wish to achieve. They should also have evidence to support the effective operation of each control activity.
The objective is to reduce complexity for the auditor, which will then reduce frustration for the contractor. The auditor will require evidence of meeting compliance standards, so it is prudent for contractors to have any potential information easily accessible to avoid having to waste time and dig for it upon the auditor's request.
InfoDefense Can Help Complete Steps to Prepare for the CMMC
Regardless of a contractor's current security posture, it will take some effort to become CMMC compliant. Assessing the company’s current security posture and compliance level is the first step. Contractors can't know what adjustments, enhancements or improvements to make if they are unaware of what is in place already, and where the gaps are. After determining where they stand, they should create a plan with milestones to help keep them on track.
The next step is action. Contractors need to implement security measures to address gaps. Then they must create a system security plan to identify CUI within the environment and define how the data is protected at rest and in transit. The last step is to compile the data in preparation for the official assessment.
You may have a seasoned security team, but you need experts who deal with all aspects of compliance to get you to where you need to be. An expert in one security domain may not know what you need in a different domain. Thus, a compliance consultant is best suited to get you to CMMC compliance. InfoDefense has years of experience getting their customers to meet various compliance standards. If your company needs to achieve CMMC compliance but you don’t know where to start, contact InfoDefense today. We can help you complete the steps to prepare for the CMMC.