Preparing for CMMC Assessment, Part One

Cybersecurity Maturity Model Certification (CMMC) assessments focus on the successful implementation and documentation of practices required for certification. While contractors must reach a specific end goal, there is no one approach every contractor must take to comply with or prepare for CMMC. One method of meeting a practice is equal to another as far as the assessment is concerned. This means that there are many ways to ‘do’ CMMC. Given the diversity of the Defense Industrial Base (DIB), flexibility is probably wise. It seems unlikely one prescription would work for everyone. However, between this open-ended-ness and the CMMC 1.0 overhaul of 2021, there is a shortage of accessible and practical material on how to ‘do’ CMMC. Most articles are outdated, too generic, or too brief to be valuable. We’re trying to change that. 

This blog is part one of a two-part series outlining the steps contractors can take, regardless of their unique conditions or approaches, to begin ‘doing’ CMMC. Today’s blog outlines steps one through three. 

1. Familiarize Yourself with CMMC

The first question many DoD contractors have when confronted with CMMC is whether they must comply with CMMC. The answer is pretty simple. If you are a defense industrial base (DIB) member, assume that you are subject to CMMC. With few exceptions (COTS acquisitions, micro-purchases, and waivers), CMMC will be mandatory across the DIB. 

After confirming that you are subject to CMMC, the first step is to understand what CMMC is, its purpose, timeline, and assessment process. Beyond XQ’s CMMC resources, consider following the Department of Defense (DoD) CMMC website (see Model Overview, the FAQ page, and the Glossary) and the CMMC Accreditation Body, or Cyber AB, website for information and updates. Another resource you may enjoy exploring is Reddit’s CMMC page. Be aware, however, that the information provided on the Reddit forum is not necessarily accurate or reliable. 

2. Determine Relevant Maturity Level 

The next step is determining which of the three CMMC maturity levels applies to your organization. Maturity level determines what practices are required of you.

To do so, you need to know what types of information your organization processes, stores, and transmits across its environment. If you are subject to FAR 52.204-21 or work with federal contract information (FCI), you are likely subject to CMMC Level 1. If you are subject to DFARS 252.204-7012 or work with controlled unclassified information (CUI), you are likely required to obtain CMMC Level 2 Certification. If you work with CUI on particularly high-priority programs, you may be subject to Level 3 requirements. If you don’t know what type of data you work with or if you are FAR/DFARS compliant, try reviewing your contracts or bids. The information should be listed there. 

3. Identify Scope

The scope is about what is tested. The assessment scope includes the people, processes, and technology where FCI or CUI are processed, stored, or transmitted in your environment.

For Level 1 Assessment, an enterprise-wide scope may be practical. FCI is a broad category, and the 17 practice requirements are manageable. Keeping your environment in scope may make sense if your organization is not particularly large or you aren’t confident FCI is separated throughout your environment. See CMMC Self-Assessment Scope Level 1 for more information. 

However, implementing and documenting practices for Level 2 is more work. Doing so for an entire organization could be prohibitively time-consuming and costly. Thankfully, only those parts of your organization linked to FCI or CUI are required to achieve certification. 

If only part of your organization focuses on FCI or CUI related work, it is possible to limit the scope of your assessment. CUI assets - the people, devices, and organizational processes that handle CUI - are the only assets assessed against CMMC practices.* 

After identifying and recording organizational assets using the below rubric, determine how to segregate CUI assets into an enclave separated from the rest of your organization. If you can create a clear boundary between these and other assets, you may be able to drastically reduce the effort required to achieve compliance and obtain certification. 

As the below rubric might suggest, scoping can be a little complicated! CMMC Assessment Scope Level 2 is a vital resource, but if you’re looking for more help, come back next week. After part two of this list, we’ll post a more detailed guide on scoping.  

*Assets are any tangible or intangible resource used to support and/or enable organizational operations, including but not limited to information, systems, equipment, personnel, and facilities (see NIST Glossary for more).