XQ Message


Preparing for CMMC Assessment, Part Two

Below is the second installment of our guide on preparing for CMMC. If you missed the first post, see Preparing For CMMC Assessment, Part One

4. Assess Current Security Posture

Pre-assessing your security posture is essential in preparing for CMMC. During a gap assessment (gap analysis), an organization reviews its current policies, procedures, and systems against the CMMC requirements, identifies the areas that fall short, and develops a plan to close those gaps before the official assessment, increasing its chances of passing.

Because CMMC Third-Party Assessment Organization (C3PAO) assessments are formal and their results are final, pre-assessments are particularly important for Level 2 contractors. Contractors aiming for Level 1 benefit as well: Level 1 practices also have to be assessed, and a preliminary assessment helps Level 1 contractors find and fill the gaps they need to close to pass the Level 1 Self-Assessment.

To determine the ‘gap’ between your level of compliance today and what is required, use

Determine whether your organization meets each practice by going through every listed assessment objective and answering its determination statement. As you go, collect evidence:

  • For every control you meet, find and record the evidence that shows it is met

  • For every control you believe is not applicable (N/A), record a statement explaining why

  • For every control you do not meet, develop a plan to address the gap

Record this information for each in-scope information system. While you can conduct a gap assessment internally, many Level 2 contractors hire Cyber AB-registered support, such as a Registered Provider Organization (RPO), to help prepare for the assessment. Level 1 contractors may also hire consultants, but because Level 1 organizations conduct their own assessments, they must ultimately validate the work themselves.
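The three rules above (a met control needs recorded evidence, an N/A control needs a justification, an unmet control needs a plan) are easy to state and easy to lose track of across a few hundred assessment objectives and several in-scope systems. The script below is an added example, not part of the original post or of any official CMMC tooling: it reads a gap-assessment register in a CSV layout assumed here (one row per assessment objective per system) and reports every row that violates one of those rules, plus a per-system status tally. The sample register, its column names, and the POA&M fields are constructed for this example; the objective identifiers follow the CMMC practice naming style but are only illustrative.

```python
"""Validate a CMMC gap-assessment register.

Added example, not from the original post or from CMMC/Cyber AB tooling.
The CSV layout (one row per assessment objective per in-scope system, with
the columns below) is an assumption made for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample register. Column names and contents are assumptions.
SAMPLE_REGISTER = """\
system,objective,status,evidence,justification,poam_task,poam_due
CUI-Enclave,AC.L2-3.1.1[a],Met,"SSP section 3.1; IdP user export 2024-05-01",,,
CUI-Enclave,AC.L2-3.1.1[b],Met,,,,
CUI-Enclave,PE.L2-3.10.1[a],N/A,,"No physical office; enclave is fully cloud-hosted",,
CUI-Enclave,PE.L2-3.10.1[b],N/A,,,,
CUI-Enclave,AU.L2-3.3.1[a],Not Met,,,"Deploy central log collection",2024-09-30
CUI-Enclave,SI.L2-3.14.1[a],Not Met,,,,
Laptops,AC.L2-3.1.1[a],Met,"MDM policy export",,,
Laptops,IA.L2-3.5.1[a],Maybe,,,,
"""

VALID_STATUSES = {"Met", "Not Met", "N/A"}


def check_row(row):
    """Return the findings for one register row; an empty list means clean."""
    problems = []
    status = row["status"].strip()
    if status not in VALID_STATUSES:
        # Anything other than the three allowed answers is a data-entry error.
        problems.append(f"invalid status {status!r}")
        return problems
    if status == "Met" and not row["evidence"].strip():
        problems.append("Met without recorded evidence")
    if status == "N/A" and not row["justification"].strip():
        problems.append("N/A without a justification statement")
    if status == "Not Met" and not (row["poam_task"].strip() and row["poam_due"].strip()):
        problems.append("Not Met without a POA&M task and due date")
    return problems


def validate_register(csv_text):
    """Parse the register; return (findings, per-system status counts).

    findings is a list of (system, objective, problem) tuples; counts maps
    each system name to a dict of status -> number of objectives.
    """
    findings = []
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row["system"]][row["status"].strip()] += 1
        for problem in check_row(row):
            findings.append((row["system"], row["objective"], problem))
    return findings, {system: dict(c) for system, c in counts.items()}


def main():
    findings, counts = validate_register(SAMPLE_REGISTER)
    for system, tally in counts.items():
        print(f"{system}: {tally}")
    for system, objective, problem in findings:
        print(f"  {system} / {objective}: {problem}")


if __name__ == "__main__":
    main()
```

Run against the sample register, the script flags four rows: a Met objective with no evidence, an N/A objective with no justification, a Not Met objective with no POA&M entry, and a row whose status is not one of the three allowed answers. Point it at your own export from whichever spreadsheet you use, and rerun it after each remediation pass so that nothing reaches the assessor with an empty evidence cell.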

Templates are also available for those working through this step on their own. Though not officially sanctioned, the CMMC preparation and self-assessment spreadsheet from the CMMC Center of Awesomeness may be helpful, and NIST provides a CUI System Security Plan (SSP) template.

5. Close the Gaps 

After the gap assessment, the identified gaps have to be closed. The specific actions depend on the findings, but some common steps include:

i. Develop a plan: Create a plan that addresses each gap identified in the assessment, with a completion schedule and a list of the resources needed.

ii. Implement policies and procedures: Develop or update policies and procedures to ensure compliance with the CMMC framework.

iii. Provide training and education: Provide training and education to employees on properly handling and protecting sensitive information in accordance with CMMC requirements.

iv. Update or upgrade technology systems: Update or upgrade the systems that fall short so that they meet the required security practices.

v. Monitor progress: Regularly monitor progress towards compliance and update the plan as necessary.

vi. Conduct follow-up assessments: Once remediation is complete, re-assess the affected objectives to confirm that the gaps have actually been closed.

It is important to have a well-defined remediation process that aligns with the organization's objectives, budget, and resources. You or your support team can track deficiencies and their remediation in a plan of action and milestones (POA&M). Compliance Forge's Kill Chain document may be helpful here.

6. Collect Documentation

This step is especially relevant to Level 2 contractors, although Level 1 contractors will benefit from collecting documentation as well. Your C3PAO will require substantial documentation for the assessment. After resolving your CMMC compliance gaps, make sure you have comprehensive documentation for every applicable control. This includes a Data Flow Diagram (DFD) showing how CUI flows between you, the DoD, and your subcontractors; an asset inventory; one or more system security plans (SSPs); plans of action and milestones (POA&Ms) for any remaining gaps; a network diagram showing where CUI is stored, processed, or transmitted; an incident response plan (IRP); documentation of organizational roles and responsibilities; and records of recurring risk assessments.

Below is a list of recommended documentation (up to Level 2). 


7. Hire a C3PAO/Conduct Assessment 

Level 1 and Level 2 organizations diverge at the last step. Level 1 contractors can proceed straight to their self-assessment, while Level 2 contractors need to find, hire, and schedule a formal assessment with a C3PAO. C3PAOs are listed on the Cyber AB Marketplace. After engaging your C3PAO, you will work together to plan, scope, and conduct the assessment (see Introduction To CMMC Level 2: Requirements and Assessment for more information).

The CMMC process can be overwhelming, but XQ is here to help! Tune in tomorrow to explore scoping in greater detail.