5 Steps to CMMC Compliance
February 15, 2023
Although DoD contractors handling Controlled Unclassified Information (CUI) are currently required to achieve CMMC Level 2.0 compliance by May 2023, many companies have compliance questions that remain unanswered.
Join InfoDefense for a live webinar to learn about the latest updates on DoD requirements, when CMMC requirements are expected to appear in DoD contracts, and the 5 steps that are necessary to achieve compliance:
Join InfoDefense for a live webinar to learn about the latest updates on DoD requirements, when CMMC requirements are expected to appear in DoD contracts, and the 5 steps that are necessary to achieve compliance:
Managing Director & Founder, InfoDefense
We're going to go ahead and get things started. I have the pleasure of introducing your speaker today, Kevin Wheeler, who is the Founder and Managing Director of InfoDefense. InfoDefense is a managed security services provider that specializes in helping small and medium DoD contractors achieve and maintain CMMC compliance. His firm is a registered C3PAO candidate with the CMMC Accreditation Body. And he's worked with more than 100 companies for the last five years on CMMC and NIST SP 800-171 compliance.
Kevin personally has more than 25 years of information security, IT audit and compliance expertise. He actively serves on the Advisory Council of the C3PAO Stakeholder Forum as one of 11 members on its Board of Directors nationwide. He's the co-author of a book on IT auditing and previously served as a VP at Bank of America responsible for network authentication and encryption technologies. And he was also an enterprise security strategist at Symantec.
And he is very frequently asked to speak on various CMMC panels at conferences around the country. So with that said, Kevin is going to talk to everyone today on “Five Steps to CMMC Compliance.” Kevin, I'm going to turn it over to you. And I'll let you go ahead and take it away.
The Five Steps to CMMC Compliance:
Great. Thank you, everybody, for joining us today, this is the first of a great number of webinars we'll be doing on how to get to a point of full CMMC compliance.
For organizations, there are a lot of defense contractors right now that are struggling with this, frankly, and so we want to make sure that we provide the information that's necessary, and if need be, if you want to reach out to us and even have a one-on-one call, we're happy to have conversations, and we'll talk about that more later on.
So in this webinar, we're going to talk at a very high level about “The Five Steps to CMMC Compliance.”
Why is CMMC so Important?
So, we get questions all the time from defense contractors. So why is CMMC so important? The short answer to that question is CMMC is so important because our enemies are stealing our technology. And even though information is classified, top secret information is protected. For the most part, a lot of very sensitive information within the Defense Industrial Base (DIB) is currently not being protected properly.
So you can just see from the slide here, where there are many different pieces of warfighting equipment that our adversaries have currently created that look very similar to the ones that our military uses.
So, a few facts on CMMC. CMMC was originally issued for public release in January 2020. There was a CMMC 1.0 in November of 2021. That was changed over to 2.0 and that delayed implementation. To some extent, the purpose of CMMC is to secure the Defense Industrial Base.
It's based on NIST SP 800-171, which is referenced in DFARS 252, that 204-7012. There has been a requirement since December 31, 2017 for organizations that handle Controlled Unclassified Information to be compliant with NIST SP 800-171.
So in reality, the majority of what you're seeing with CMMC is the third-party attestation or the third-party certification of those controls that have been in place for the past five years.
Now, unfortunately, there are a lot of organizations that have not implemented those controls at this point. Many that didn't even know that it was necessary.
The Latest CMMC Guidance from DoD:
So in the next piece, I want to get into a little bit as for what's happening right now with with CMMC.
So the original guidance we were getting from the Department of Defense was that by May of this year, that they would begin requiring CMMC certification within contracts. What the Department of Defense has decided to do (and actually I think it's the government in general and not just the Department of Defense) is that they're working on rulemaking right now. They were looking at doing what's called an Interim Rule, which would allow CMMC to be put in contracts. What they decided was to do a Notice of Proposed Rulemaking. And what that means is that they are basically making plans for the rule, and then there'll be feedback, and then they'll implement the rule.
So it gives a little bit more runway for organizations that haven't started on CMMC compliance or haven't gotten too far.
At this point, it looks like it's going to be 2024, possibly early 2025, before we'll start seeing it in contracts.
Now that said, don't look at that and say, “yeah, I’ve got all this time,” because whether your organization is small or large, it'll take you time to get to the point where you’re fully compliant.
Five Steps to CMMC Compliance:
So, the five steps to CMMC compliance include:
- Assessing CMMC compliance status:
What is your current status in relation to the CMHC standards and NIST SP 800 Dash 171?
- Develop a Plan of Action and Milestones (POA&M).
This is used to address any of the deficiencies that are discovered.
- And then creating what's called a System Security Plan (SSP).
And we'll talk about that in more detail. That's something that's going to be required today and will be required when you get your certification.
- From there, you'll need to address those security deficiencies.
You’ll need to ensure that you're remediating and getting to a point of full compliance by implementing security capabilities.
- And then lastly, you'll have to gather and maintain evidence of compliance.
The expectation is that you will remain compliant with CMMC from the point of certification on. And it also makes it a lot easier to be certified if you have all of the compliance evidence that you can hand to the assessor.
CMMC Preparation Effort:
So let's talk about what it takes to get to a point of full compliance with CMMC.
The first thing I'm going to say is it takes a lot more time and effort, and unfortunately, funds than most organizations anticipate.
The Gap Analysis, you can usually you can get it done pretty quickly and get it done within two weeks, if you're focused on it.
The Plan of Action and Milestones (POA&M), you're looking at about two months of making decisions as to what technologies are going to be implemented and how you're going to address remediation.
And then, in the case of the System Security Plan (SSP), usually that takes four months up to a year to create the system security plan. Typical system security plans are documents that can be up to 100-150 pages long. So a lot of documentation that goes into those System Security Plans.
Now that said, the thing that takes the most time is Remediation, which is actually implementing all of the security controls that are required. Each one of those security controls typically requires a separate project. And each one of those projects can take months. And so you're looking at a minimum of 12 months, typically. But it really is gonna depend on on the security posture of the organization itself. So it could be less, but oftentimes it's much longer than that.
And then as far as Evidence Collection, usually that's about a three-month effort going through just making sure that that all of the compliance evidence is collected properly.
1. Assess CMMC Compliance Status:
And so let's talk about assessing CMMC compliance status. So I have good news. InfoDefense has a no-cost, self assessment tool that we offer. And many of you may already have it. But this is a good place to start is to use the self-assessment tool that we that we do provide. And we're in the process of enhancing it right now. So if you want to get the newest version of it, please feel free to reach out to us. We're going to provide some links in the chat. And then there's also links in the presentation itself. That we will share once we're done.
NIST SP 800-171 Gap Analysis:
So with NIST SP 800-171, there's a total of 14 practices. There's 110 control requirements within the standard itself, and there's some very thorny ones, and we'll talk about that later.
As far as you know, the ones that people get tripped up on most frequently. So, one of the things that's really important as you go through, let's talk about this, the way our assessment tool is set, and if you're doing an assessment, you're going to want to start with the first requirement, and then down through all of the requirements.
NIST SP 800-171 Assessment Objectives:
When you're looking at any one of the requirements, right now we're looking at 3.11, which is the first requirement within NIST SP 800-171. This screenshot is actually taken from NIST SP 800- 171 A. We'll provide the web reference for that. And it's also in the presentation. So what you're going to do is look at that, and then also look at the assessment objectives. And then the other thing you're going to need to look at is in the actual NIST SP 800-171 standard.
There is also Appendix II addresses some additional controls that are required as part of being compliant with the standard itself. So those are called NFL controls or Non-Federal Organization Controls.
And for the most part, it's policies and procedures. So we'll find that a lot of the deficiencies that we've seen have been in the area of documentation, specifically policies and procedures.
Submit Your SPRS Score:
Once you have your assessment complete (and by the way, we can help with this if you need help with it). Once you have your assessment complete, you're going to want to submit your SPSS score to a system called PIE, for the Supplier Performance Risk System (SPRS) and then the SPRS score is a score that is actually derived from a DFARS rule that was released back in 2020.
And so if you haven't done so already, you definitely want to submit your SPRS score, which requires your CAGE code and then also signing up for the system. And then if you haven't done it already, and you're making progress towards remediation, it's always a good idea to go ahead and re-submit the SPRS score, so the DOD can see your progress over time.
Common Reasons for Inaccuracies:
So here are some common reasons for inaccuracies in assessing your score. We see these quite often, because we do a lot of assessments for our customers.
Number one, and I mentioned it earlier, inadequate policy standards and compliance related documentation is one of the biggest things.
So in addition to policies and procedures, you've got to have some configuration standards for technologies that you're running to minimum baseline security standards.
For those, in addition to that, you'll also need to have the System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), you'll need to have any third-party service providers, you'll need to have a compliance responsibility matrix if they're providing compliance-related responsibilities.
So that's for Managed Service Providers (MSPs). That would also be for cloud service providers or any external service provider.
And then also, one thing that's really important is to make sure that you understand the flow of Controlled Unclassified Information (CUI) in your environment. So to go ahead and do what it's called in the industry is a CUI Flow Analysis. That traces the flow of Controlled Unclassified Information (CUI) from the point of where it comes into your organization, to the point where it goes leaves the organization and it includes all the systems and all the people that touch it.
And then the second item that we see often is security monitoring, where we have somebody who's actively reviewing security logs for devices in a centralized location, and getting alerts on those and then responding to those alerts with a Security Information and Event Management (SIEM) system.
And then also the Incident Response (IR) capabilities. If you discover an anomaly, how is that responded to.
And then the next two are very thorny issues that organizations really struggle with.
One of them is the confusion between FIPS-compliant and FIPS -alidated encryption modules. So even people in the industry get confused about this, but oftentimes, vendors will say, ‘Well, we have FIPS-compliant encryption in our firewall,’ for example, but it hasn't been validated by third party. So NIST has a website, which you can go to and I will provide the link to that where you can actually search the cryptographic modules to ensure that they're FIPS validated. Now FIPS-validated encryption is a requirement of CMMC.
And then the last thing is for cloud service providers. This comes from actually from DFARS 252.204-7012, you'll need to make sure that your cloud service providers that have any Controlled Unclassified Information (CUI), that they are FedRAMP authorized. And there's also a place where you can search for FedRAMP authorized service providers as well. And if they are not the FedRAMP authorized, you have to prove equivalency. So the requirement is actually equivalency. Which means that they have to either provide an attestation by a CMMC Third-Party Assessment Organization (C3PAO) for FedRAMP. Or you've got to you've got to have your assessment team actually assess that equivalency. That's a big thing if that’s required.
2. Develop a Plan of Action & Milestones (POA&M):
So the second thing is to develop a Plan of Action and Milestones (POA&M). And we call them “poems.” And if you ever hear that term, that's a Plan of Action and Milestones.
So the Plan of Action and Milestones is a plan that's used to use to manage remediation of security deficiencies that are discovered during the Gap Analysis.
You're going to want to make sure that you have timelines and responsible parties for each one of those items, but you can download a template for this that's in Word format from the NIST SP 800-171 website. But it's probably best if you put it into Excel, or a tool that's meant for tables. So the ones we use internally, this is a of one of ours, we actually use Excel for it.
NIST CMMC Resources:
And this is something that's really important to note, but NIST has a bunch of resources for CMMC compliance. And they are published on the NIST SP 800-171 website for Rev 2, which is the current revision.
And you can see there, here's a screenshot of the NIST website. And the area that is in the red box are their resources. So there's an SSP Template, there's a POA&M template, there's also mappings as well that have been done.
So these are great resources that you can get from NIST and they're 100% free.
3. Create a System Security Plan (SSP)
So once we we've completed the Plan of Action and Milestones (POA&M), now we'll go ahead and move our plan into what's called a System Security Plan (SSP).
Now a System Security Plan is a lengthy document typically, plus all of the references from the System Security Plan, it can get to if we had to print it, it can get to a ream of paper, when it's all said and done. The document itself oftentimes is upwards of 100 pages, and then the references would also add to the body of the full document.
So, there's three sections, which is actually defined in the standard.
Section 1: System Identification:
This includes the roles and responsibilities and contact information for individuals who are responsible for the system and for the information within the system.
Section 2: System Environment:
This is a description of the System Environment that includes a System Architecture, as well as how CUI flows within the organization. We talked about the CUI Flow Analysis that gives you an opportunity to define your CMMC scope and defend that CMMC scope to an assessor when they come in. And so that's something you're gonna want to make sure that the CMMC scope is well rationalized within the SSP or within a separate document that's referenced from the SSP.
And then there's an overview of controls that your organization has implemented, things like how access controls are applied, how security awareness training works, all of the different types of controls that your organization has to protect Controlled Unclassified Information and the organization as a whole.
Section 3: CMMC Compliance:
This includes a narrative of all 110 controls. It's usually a few paragraphs for each control as to how that control is being met, as well as which controls, technologies or processes have been applied to address that control requirement. And now, you would have plan controls in the System Security Plan to describe how that remediation is going to be addressed. And there is also a template for that on the NIST SP 800-171 website.
4. Implement Security Capabilities:
Then from there, you're going to implement security capabilities.
So this is really where you have to build out a security program, because CMMC basically provides the underpinnings of a full security program, which is just an ongoing function within your company that will need to be there.
If you have a really small organization, this is an area where you can usually have a third-party service provider help you with it, sometimes your Managed Service Provider (MSP), we also have services. And so for smaller companies, there are different ways to address CMMC requirements. So usually it's outsourcing more for smaller organizations.
Cyber Security Program Elements:
So here's some of the security program elements. So at this point, we should already have our Plan of Action and Milestones (POA&M) in place. We should also have our System Security Plan (SSP). We should have a detailed security network and system diagram, that's part of the System Security Plan. We should also have completed the CUI Flow Analysis that I had discussed earlier.
We'll also need to make sure we implement all of the documentation required for the Security Policy Standards and Procedures.
And then implement different security technologies. And I'm not going to go through each one of these items. These are all requirements within CMMC. So everything here is a requirement. Everything from security awareness to mobile device management, if you have mobile devices that have access to CUI.
So needless to say, this is a long effort. And it takes a lot of time and there's a lot of technology that goes into it.
And if you're building the team or the function within your organization, you're looking at hiring a minimum of three security professionals to fill three distinct roles, compliance, security, and usually an architecture/engineering function.
If you're a smaller organization, you can look at Managed Service Providers (MSPs) who can provide these services for you. And that will save you a lot of money and it will be a lot less expensive than implementing these on your own.
5. Gather CMMC Compliance Evidence:
From there, this is an important step, once we have everything in place, we're going to want to go ahead and gather CMMC compliance evidence.
So those are things like screenshots and records in relation to your compliance reports, logs, pictures, etc. that you would need to organize. So you're gonna want to organize them in a referenceable format. We’ve created a sample folder structure and an Excel document to be able to reference those documents. And then each one of the documents is referenced in the way that you see with the document on the screen. If you want an access to this, we're happy to provide it to anybody at no cost.
CMMC Certification Process:
Okay, so let's talk about the CMMC certification process. So when certification happens, first, you'll need to hire a CMMC Third-Party Assessment Organization (C3PAO) that is actually going to provide that certification.
So, we’re one of the registered C3PAO organizations, and we're on our way to becoming an authorized C3PAOs. There's about 200 or 300 other C3PAOs that are out there as well.
Once you get your CMMC certification, it will last for three years. According to what DoD is saying at this point, every year, an organization’s management will need to attest that they are still maintaining CMMC controls. And that will be done through the SPRS system.
And so it requires a comprehensive security program that is ongoing. This is not the same as some of the other requirements where you create the documentation, for instance, for a quality standard, and then come back to it.
Once re-certification comes, this is something you have to do continuously. Remember, we do have adversaries. And so, the continuous management of security is required.
CMMC Compliance Benefits:
So here are some of the benefits of actually obtaining CMMC compliance.
Well, number one is you can stay ahead of DOD requirements. This is one of those things where you don't want to be caught in a situation where you have contract requirements, and you're not CMMC compliant, because you will miss out on those contracts when that time comes.
Another thing that you'll gain from CMMC compliance is you'll increase your cybersecurity posture. So those ransomware incidents and other types of security incidents, you'll see less of those, because those attacks are becoming more and more prevalent, as we see in the news.
And CMMC compliance also demonstrates that cybersecurity is taken seriously, not just for your DoD or defense-related customers, but for other customers. This can be a competitive advantage both in the DoD space, but then also in the commercial space, or with other agencies within the government.
CMMC Compliance Next Steps:
So, from here, the first thing you need to do is to go ahead and do your Gap Analysis, if you haven't done one already. Then submit your SPRS score. And then create your POA&M and SSP. And then lastly, it would be to start to Remediate those security areas where you're not fully CMMC compliant.
If you have any additional CMMC compliance questions that you need answered, please consider booking a free, one-on-one consultation with an InfoDefense CMMC compliance expert.
Here are useful InfoDefense materials from the 5 Steps to CMMC Compliance Webinar:
These are helpful links to the online resources referenced during the webinar:
How is CMMC different from FISMA compliance or RMF?
So FISMA, NIST SP 200-171 and RMF are three different standards. Now FISMA is very similar. NIST SP 800-171 was created based on NIST SP 853, which is the basis for FISMA, so FISMA has around 350 security controls, whereas we have 110 controls in NIST SP 800-171. So, in essence, NIST SP 800-171 is easier to obtain and less rigorous than FISMA. And then RMF is a different animal that is complimentary more than anything.
Do firms need to do the steps of CMMC sequentially? Or is it possible to run it in a compressed timeline?
It is possible to run it in a compressed timeline. And I'll just give you an example. Oftentimes, organizations they're doing their SSP and their POA&M, and they're actually implementing at the same time. So you can shorten the timeline by running some of the items concurrently.
Now, that said, you've got to have the plans in place before you can start implementing and things like that. And that's obvious, right? But you don't have to have every plan in place, right. So, yes, you can shorten the timeline to some extent. That said, if you're starting from a point of relatively, minimal security controls and a low level of compliance, give yourself 15-18 months is what I would say, give yourself some significant time to get it done.
Because you're going to find that there are a lot of items that just take a lot longer than you would expect. And, remember, it's also going to change some of the cultural aspects of the organization. So if you implement things too quickly, you'll get what we call “organizational whiplash.” And so, we have services we provide, we can implement a lot of these things a lot quicker. But, does it make sense for the organization is the question. So thanks for that question. It's a good one.
Do we have to address the 320 assessment objectives within the SSP or outside of the SSP?
You don't necessarily have to list each one of them out and discuss how you're going to address it. I would address it in your narratives within the SSP. So if there is an assessment objective, for a procedure, definitely call out that procedure within your response. So I would address each of those 320 assessment objectives, but you don't have to necessarily address all of them separately is my point.
Did the DoD provide any guidance on Management Attestation to be submitted to SPRS?
Yes. So there is some guidance on management attestation. This isn't necessarily true for current SPRS scoring within the system, but for CMMC, DOD has said repeatedly that the expectation is that a C-Level or a manager with authority over the business will need to do the attestation in between the CMMC three-year cycle of assessments.
So, and there is one thing that's important to note, and this is something that the DoD is already starting to do. Organizations who materially misrepresent their scores, even today are subject to prosecution under the False Claims Act. There are criminal aspects to it and then there are civil aspects. What we've seen so far is mostly the civil aspects. But that's something that's important to know, they're trying to put more teeth into it, because of the NIST SP 800-171 compliance that was implemented back in 2017, only 18% of the Defense Industrial Base (DIB) is compliant right now.
And so, obviously, there was no teeth. And so that's one of the things they are really wanting to do is make sure that there's teeth there. So, thanks, another great question.