
Where Do I Start With CMMC?

The newly required Cybersecurity Maturity Model Certification (CMMC) has business leaders scrambling to answer the most basic questions: what is CMMC, do I need to hire someone separate to handle it, and how does my company implement it? In this article, we walk you through a comprehensive set of steps for approaching CMMC so you can tackle compliance before the looming deadlines.

Though intimidating, implementing CMMC can be split up into several quick and easy steps:

  • Finding the right CMMC consultant
  • Determining the scope
  • Running a gap assessment
  • Completing implementation
  • Confirming successful CMMC implementation & reporting
  • Remaining CMMC compliant


This guide will walk you through each of those steps and provide insight into completing each accurately and effectively.

Finding the right CMMC Consultant

As you begin your CMMC journey, we recommend researching potential consultants before deciding to hire a firm. Because CMMC is a highly specialized compliance framework, you will want someone who has completed specific training to provide CMMC consultation services. These groups and individuals can be found in the CMMC Marketplace provided by The Cyber AB. Particular roles within the marketplace such as RPs, RPAs, CCPs, and CCAs (individuals) as well as RPOs and C3PAOs (companies) have gone through various levels of training to provide CMMC-specific consulting services. While it is possible to do a full CMMC implementation completely internally, it is much more common for companies to hire an RPO to perform a thorough implementation, or at least to provide consulting services.

Once you have decided on a company and/or individual to perform your CMMC implementation and consulting services, it is time to plan your approach.

Determining the Scope

Accurate scoping is the single most critical component of efficient and accurate CMMC compliance. The goal of proper scoping is to determine which people, technology, facilities, and External Service Providers (ESPs) will work on contracts that require CMMC compliance, and the data associated with them. The scoping requirements vary depending on the level of compliance (1-3) required in the contract. The DoD CIO has provided scoping guides for all three levels of CMMC, and these are the best source to use when performing scoping:

When in doubt, it is advisable to work with an RPO to determine the scope of your CMMC needs, as inaccurate or improper scoping can lead to significantly increased overhead costs or, in cases where an audit is required, failure of the audit or rescheduling of the audit upon prescreening.

Running a Gap Assessment

Once the scope of your environment is established as either an enclave or an enterprise, you can run a gap assessment. The goal of a gap assessment is to establish how much security is present in the environment before any changes are made. Depending on the size of your scope and the CMMC compliance level you are attempting to obtain, some of the required security practices may already be in place. The most straightforward way to determine whether you are meeting a specific CMMC practice is to reference the assessment guides provided by the DoD CIO:

Using these guides, which were adapted from NIST SP 800-171A, you can review each practice objective and establish whether you have met each objective and practice to the best of your ability. It is worth noting that Organizations Seeking Certification (OSCs) are not required to complete a gap assessment at any level; however, the more complex the CMMC level or environment, the more useful a gap assessment becomes. Once you complete your gap assessment, it is time to move on to the actual implementation.

Completing Implementation

After establishing which objectives and practices are and are not currently in place, you must create a plan for implementing the missing pieces. Typically, this involves creating a Plan of Action & Milestones (POA&M). The goal of a POA&M is to establish a few key metrics and steps to follow during your implementation. For each unmet objective, list who is responsible for the implementation, the steps that will be taken during the implementation, and key dates in the implementation process. Some enterprise-level companies also include cost estimates in the POA&M to outline financial responsibilities during this process.

With a full plan in place, it’s time to start the implementation. The implementation timeline can vary widely depending on the results of the initial gap assessment.

Confirming Successful CMMC Implementation & Reporting

Depending on the level of CMMC your company is attempting to obtain, this step will vary in length and complexity. For CMMC Level 1, an annual self-attestation of successful CMMC implementation through the DoD’s Supplier Performance Risk System (SPRS) is sufficient. The CMMC Level 2 self-assessment follows a similar procedure to Level 1; however, a full assessment on a triennial basis and continued annual reporting to SPRS is required. A CMMC Level 2 C3PAO assessment requires you to engage a third-party company from the CMMC Marketplace and receive an official third-party assessment on a triennial basis, which is stored in eMASS by the third party, in addition to your own annual attestation in SPRS. Finally, CMMC Level 3 must be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) on a triennial basis after you have received your CMMC Level 2 certification from a C3PAO. On top of the triennial DIBCAC assessments, you must also report your self-attestation and Level 2 C3PAO-assessed status annually to SPRS.

To simplify these requirements, refer to the following chart based on information provided by the DoD CIO:

CMMC Table: assessment and affirmation requirements by CMMC status

Level 1 (Self)
  Assessment requirements:
  • Conducted by the Organization Seeking Assessment (OSA) annually
  • Results entered into the Supplier Performance Risk System (SPRS)
  Affirmation requirements:
  • After each assessment
  • Entered into SPRS

Level 2 (Self)
  Assessment requirements:
  • Conducted by the OSA every 3 years
  • Results entered into SPRS
  Affirmation requirements:
  • After each assessment and annually thereafter
  • Entered into SPRS

Level 2 (C3PAO)
  Assessment requirements:
  • Conducted by a C3PAO every 3 years
  • Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS)
  Affirmation requirements:
  • After each assessment and annually thereafter
  • Entered into SPRS

Level 3 (DIBCAC)
  Assessment requirements:
  • Prerequisite CMMC status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment
  • Conducted by DIBCAC every 3 years
  • Results entered into CMMC eMASS
  Affirmation requirements:
  • After each assessment and annually thereafter
  • Level 2 (C3PAO) affirmation must also continue to be completed annually
  • Entered into SPRS

Remaining CMMC Compliant

Maintaining compliance involves a rigorous schedule of consistent self-attestation and performing assessments at the required yearly and triennial intervals. If any of these are not completed on schedule, your CMMC status will be revoked. Beyond this, the higher levels of CMMC compliance come with their own periodic requirements, which are established during the implementation phase. In addition to these attestations, it is also crucial to ensure you are actually doing the work. Talking the talk without walking the walk will come back to bite you if an incident occurs and it is discovered that a control is not being met, or if an auditor is able to find gaps in your framework.

Components of CMMC compliance can be completed independently, especially for organizations tasked with Level 1 requirements only. However, if you are looking for comprehensive consulting services from CMMC assessment preparation to compliance managed services, Stratus Services is prepared to help you every step of the way.