When was the last time you assessed your CMMC readiness? If your organization does business with the U.S. government, CMMC should be near the top of your priority list. But if this topic is new to you—or if you don’t know where to begin—we’re here to help.
First things first: the U.S. Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) 2.0 to help safeguard sensitive Federal information. In the DoD’s own words, CMMC is “a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.” It’s based heavily on the NIST 800-171 standard.
All Defense Industrial Base (DIB) organizations or companies that do business with the government must comply with CMMC by approximately May 2023 based on the latest estimates from the DoD. One huge stumbling block to compliance is that many organizations simply don’t know where their weaknesses are. We spoke with CMMC experts Vincent Scott, Founder, Defense Cybersecurity Group (DCG) & Chief Security Officer, STI Technologies and Amanda Gorski, Founder & CEO, GSec LLC & Cybersecurity Consultant about where organizations can start when it comes to CMMC readiness.
“It’s endemic to the human condition that we don't evaluate cyber risk very well because it's not something we can see,” says Scott. “If we were to see people wandering into our offices and opening our CEO’s file drawer and rifling through it, the CEO would lose his mind and say, ‘Who's on the front desk?’ But when that happens virtually, and we can't see it, we don't have that same reaction because we can’t touch it. So we tell ourselves it’s not a real threat.” CMMC is the DoD’s chosen enforcement mechanism for driving down cyber risk across its supply chain: it mandates a defined set of information security controls and verifies that suppliers actually have them in place.
Here are their top six ways to ramp up CMMC readiness so your organization won’t fall prey to cybercriminals.
Don’t let perfect be the enemy of the good. Start now, even if you think you lack the expertise to do so.
“Too many companies are waiting to start working towards CMMC readiness,” says Scott. “But even the longest journey has to start with one small step. If you're in the DIB, eventually someone is going to knock on your door and ask for your certification, whether that's a government contracting officer or prime contractor from a supply chain security perspective. When that happens, you won’t be able to say, ‘Hang on,’ and then run off and achieve compliance overnight.”
Understand the level of CMMC you are aiming to achieve. There are three levels of compliance. Level 1 applies to everyone and is related to the protection of Federal Contract Information (FCI) only. Level 2 applies only to those companies that process, handle, or store Controlled Unclassified Information (CUI); that is, in general, the level we are talking about here. Finally, Level 3 is the Advanced level and is still largely to be defined. We understand that it will be based on NIST 800-172 and will add further controls. The general belief is that companies the government has already selected for a DIBCAC High assessment will likely be required to attain Level 3. Before you get started, take the time to study the CMMC 2.0 requirements thoroughly and make sure you understand them. Don’t spend hours searching the web for tidbits of information. Instead, go right to the sources of truth.
CMMC is based on NIST 800-171. NIST has published a resource center that provides the foundational documents you need to get started: a System Security Plan (SSP) and a Plan of Action and Milestones (POAM).
“Those are facts, and those are from the source, and they are concrete,” said Amanda Gorski, Founder & CEO, GSec LLC & Cybersecurity Consultant.
And to find out what’s required for CMMC 2.0, just visit the CMMC Documentation page on the website for the Acquisition and Sustainment Office of the Under Secretary of Defense. There, you’ll find a model overview, scoping guidance, and assessment guides that can help you gauge your current level of CMMC readiness.
Assessment objectives are contained in NIST 800-171A and in the CMMC Assessment Guides. Many companies, when preparing for CMMC, use the list of 110 security requirements in NIST 800-171 as the basis for their program and tracking. This is a mistake. You need to use the 320 assessment objectives instead. Each security requirement (also called a control or practice) is broken down into a series of assessment objectives. These are what the assessors will use to evaluate your program, and at times they expand on the requirement itself, so they must be the basis for your program.
“It’s really important to look at the assessment objectives regularly, or you're going to be missing a lot of points,” explains Scott. “A lot of companies out there, especially when they’re just getting started and don't know much about it, will set processes and solutions in place that respond to the controls and think they’re done. But you’re going to be assessed against the assessment objectives, so keep them always in mind. And any tracking you do, whether you’re using a tool or putting it in a spreadsheet, should be at the assessment objective level.”
Achieving CMMC compliance will most likely require you to go above and beyond what you’re already budgeting to protect your systems and data. First, understand the people impacts of these requirements. Is your team right-sized to meet the challenge? Once you’ve thoroughly reviewed the CMMC requirements and understand how they will affect the people on your team, make a list of the technology solutions you’ll need to support your compliant processes. Shop around for prices and factor these totals into your overall IT budget to ensure you’ll be able to deliver on, or at least be on track for, CMMC before May 2023.
Don’t just “set and forget” your new cybersecurity technology. Establish a process for tracking your progress against CMMC 2.0 objectives, and make sure your entire team sticks to it.
“Cybersecurity is something we do, not something we have, and it is definitely not just a tool we buy. Build your program around CMMC requirements, but when those are in place it is not over,” explains Scott. “Nearly all of these security requirements, like configuration management or incident response, require you to continue to do things consistently over time. So track your progress but understand that when those controls are in place this transforms into tracking your security activities on an ongoing basis. Stop tracking and you will stop being compliant.”
It’s also a good idea to think more broadly than simply achieving CMMC readiness. The earlier advice to read NIST 800-171 wasn’t a suggestion to skim it. Read all of it—including the fine print. The appendices of this standard mention additional policies and procedures you should already have in place before you seek NIST 800-171 compliance certification.
“As you put policies and procedures in place, make sure you’re not just hyper-focused on NIST 800-171 and CMMC 2.0,” advises Gorski. “Dig down a little deeper and make sure you’re tracking your Non-Federal Organization (NFO) controls in the same place. That way, you can help ensure progress across the board while streamlining your administrative work.”
This is a good approach to take when reading requirements for CMMC or any other regulation. It’s tempting to gloss over the details while focusing on the major elements of a standard. But keep in mind that a certification assessor can fail your organization based on safeguards you should have had in place before you even commenced your journey towards CMMC readiness.
We hope you’ve found these six tips helpful. For a much deeper dive into what it takes to achieve CMMC compliance, tune in to our August 25 webinar, “CMMC Readiness Starts Here.” You’ll have the chance to hear more from Scott and Gorski, alongside a panel of CMMC experts.