Preparing for CMMC
Cybersecurity Maturity Model Certification (CMMC) assessments focus on the successful implementation and documentation of the practices required for certification. While contractors must reach a specific end goal, there is no single approach every contractor must take to comply with or prepare for CMMC. As far as the assessment is concerned, one method of meeting a practice is as good as another. This means that there are many ways to ‘do’ CMMC. Given the diversity of the Defense Industrial Base (DIB), that flexibility is probably wise; it seems unlikely one prescription would work for everyone. However, between this open-endedness and the 2021 overhaul that replaced CMMC 1.0 with CMMC 2.0, there is a shortage of accessible and practical material on how to ‘do’ CMMC. Most articles are outdated, too generic, or too brief to be valuable. We’re trying to change that.
This blog outlines the steps contractors can take, regardless of their unique conditions or approaches, to begin ‘doing’ CMMC.
1. Familiarize Yourself with CMMC
The first question many DoD contractors have when confronted with CMMC is whether they must comply with it at all. The answer is pretty simple. If you are a DIB member, assume that you are subject to CMMC. With few exceptions (acquisitions of commercial off-the-shelf (COTS) items, contracts at or below the micro-purchase threshold, and waivers), CMMC will be mandatory across the DIB.
After confirming that you are subject to CMMC, the next step is to understand what CMMC is, its purpose, its timeline, and its assessment process. Beyond XQ’s CMMC resources, consider following the Department of Defense (DoD) CMMC website (see the Model Overview, the FAQ page, and the Glossary) and the CMMC Accreditation Body (Cyber AB) website for information and updates. Another resource you may enjoy exploring is Reddit’s CMMC community. Be aware, however, that information posted on the Reddit forum is not necessarily accurate or reliable; confirm anything you rely on against the DoD or Cyber AB sources.
2. Determine Relevant Maturity Level
The next step is determining which of the three CMMC maturity levels applies to your organization. Maturity level determines what practices are required of you.
To do so, you need to know what types of information your organization processes, stores, and transmits across its environment. If your contracts include FAR 52.204-21 or you work with federal contract information (FCI), you are likely subject to CMMC Level 1. If your contracts include DFARS 252.204-7012 or you work with controlled unclassified information (CUI), you are likely required to obtain CMMC Level 2 certification. If you work with CUI on particularly high-priority programs, you may be subject to Level 3 requirements. If you don’t know what type of data you work with, or whether the FAR/DFARS clauses apply to you, review your contracts or bids. The clauses, and usually the data types, should be listed there.
3. Identify Scope
Scope determines what is assessed. The assessment scope includes the people, processes, and technology in your environment that process, store, or transmit FCI or CUI, plus the assets that protect them.
For a Level 1 assessment, an enterprise-wide scope may be practical. FCI is a broad category, and the 17 practice requirements are manageable. Keeping your entire environment in scope may make sense if your organization is not particularly large or you aren’t confident that FCI is segregated within your environment. See CMMC Self-Assessment Scope Level 1 for more information.
However, implementing and documenting the 110 practices required for Level 2 is considerably more work. Doing so for an entire organization could be prohibitively time-consuming and costly. Thankfully, only the parts of your organization that handle CUI, and the assets that protect them, need to be within the certification boundary.
If only part of your organization does FCI- or CUI-related work, it is possible to limit the scope of your assessment. CUI Assets (the people, devices, and organizational processes that handle CUI) and Security Protection Assets (the assets that provide security functions for the CUI environment, such as firewalls, log collectors, and the identity provider) are assessed against the CMMC practices.* Contractor Risk Managed Assets and Specialized Assets must still be documented in the asset inventory, SSP, and network diagram, but are not assessed against the practices beyond a review of that documentation; Out-of-Scope Assets require neither.
After identifying and recording organizational assets using the rubric below, determine how to segregate CUI assets into an enclave separated from the rest of your organization. If you can create a clear boundary between these and other assets, you may be able to drastically reduce the effort required to achieve compliance and obtain certification. Keep in mind that the security protection assets serving that enclave, and the people who administer them, come into scope with it.
As the below rubric might suggest, scoping can be a little complicated! CMMC Assessment Scope Level 2 is a vital resource, but you can also check out our scoping blog.
4. Assess Current Security Posture
Pre-assessing your security posture is an essential part of preparing for CMMC. During a gap assessment (gap analysis), an organization reviews its current policies, procedures, and systems against the CMMC requirements, identifies areas that need improvement, and develops a plan to address those gaps before the official assessment, increasing its chances of passing.
Because CMMC Third-Party Assessment Organization (C3PAO) assessments are formal and final, pre-assessments are particularly important for Level 2 contractors. However, contractors aiming for Level 1 can benefit, too. After all, Level 1 practices also need to be assessed. A preliminary assessment will help Level 1 contractors fill in the gaps required to pass the Level 1 self-assessment.
To determine the ‘gap’ between your level of compliance today and what is required, use:
the CMMC Assessment Guide Level 1 if you are preparing for a Level 1 self-assessment;
the CMMC Assessment Guide Level 2, NIST SP 800-171, and NIST SP 800-171A if you are seeking Level 2 certification.
Determine whether your organization meets each practice by working through every listed assessment objective and ‘answering’ its determination statement. Note that a practice counts as met only when all of its assessment objectives are met. As you go through the process, collect evidence:
Find and record evidence for every control you meet.
Where you believe a control is not applicable (N/A), include a statement explaining why.
For controls you do not meet, develop a plan to address the gap.
Record the above information for each in-scope information system. While you can conduct a gap assessment internally, many Level 2 contractors hire Cyber AB-registered support, such as a Registered Provider Organization (RPO), to help prepare for the assessment. Level 1 contractors may also hire consultants, but because Level 1 organizations conduct their own assessments, they must ultimately validate the work themselves.
There are also templates available for those working through this step alone. Though not officially sanctioned, readers may find this CMMC preparation and self-assessment spreadsheet from the CMMC Center of Awesomeness helpful. NIST has also provided a CUI System Security Plan (SSP) template.
5. Close the Gaps
After a gap assessment, addressing any identified gaps in compliance is vital. The specific actions will depend on the assessment findings. Still, some common steps include:
i. Develop a plan: Create a plan to address each gap identified in the assessment, including a schedule for completion and a list of resources needed.
ii. Implement policies and procedures: Develop or update policies and procedures to ensure compliance with the CMMC framework.
iii. Provide training and education: Provide training and education to employees on properly handling and protecting sensitive information in accordance with CMMC requirements.
iv. Update or upgrade technology systems: Update or upgrade technology systems to ensure that they meet the necessary security requirements.
v. Monitor progress: Regularly monitor progress towards compliance and update the plan as necessary.
vi. Follow-up assessments: Once the gaps have been remediated, it may be necessary to conduct follow-up assessments to ensure gaps have been closed.
It is important to have a well-defined process, aligned with the organization’s objectives, budget, and resources, for addressing the gaps identified. You or your support team may use a Plan of Action and Milestones (POA&M) to track remediation of deficiencies, but treat it as a bridge rather than a substitute: CMMC allows POA&Ms only for a limited set of practices and for a limited time, and a practice on a POA&M is still unmet until it is closed. ComplianceForge’s CMMC Kill Chain document may be helpful here.
6. Collect Documentation
This step is especially relevant to Level 2 contractors, although Level 1 contractors will benefit from collecting documentation as well. Your C3PAO will require significant documentation for the assessment. After resolving CMMC compliance gaps, ensure that you have comprehensive documentation for every applicable control. This includes a data flow diagram (DFD) showing how CUI flows between you, the DoD, and subcontractors; an asset inventory; one or more system security plans (SSPs); plans of action and milestones (POA&Ms) for any remaining gaps; a network diagram showing where CUI is stored, processed, or transmitted; an incident response plan (IRP); documentation of organizational roles and responsibilities; and records of recurring risk assessments.
Below is a list of recommended documentation (up to Level 2).
7. Hire a C3PAO/Conduct Assessment
Level 1 and Level 2 organizations diverge at the last step. Level 1 contractors can proceed straight to their self-assessment, while Level 2 contractors need to find, hire, and schedule a formal assessment with a C3PAO. You can find C3PAOs on the Cyber AB Marketplace. After engaging your C3PAO, you will work together to plan, scope, and conduct the assessment (see Introduction To CMMC Level 2: Requirements and Assessment for more information).
The CMMC process can be overwhelming, but XQ is here to help! For more support, explore our CMMC Resource Center!
*Assets are any tangible or intangible resource used to support and/or enable organizational operations, including but not limited to information, systems, equipment, personnel, and facilities (see NIST Glossary for more).