CMMC – Where do I start?
This is the first of five tutorials with tips on getting ready for CMMC, a new cybersecurity standard for defense contractors. Let’s start with an overview of CMMC and how to get started with navigating the certification process, since “where do I start” is the first question we always get asked by clients.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification, and it is replacing NIST 800-171 as the cybersecurity requirement for members of the Defense Industrial Base (DIB). Until CMMC is fully implemented, NIST 800-171 will still be the required standard, and companies are expected to be in compliance with NIST 800-171 until they are compliant with CMMC.
The big difference is that NIST 800-171 allows contractors to self-attest to their compliance while CMMC requires third-party verification of compliance. Also, NIST 800-171 includes 110 controls for all contractors regardless of the products and services they provide while CMMC includes five possible levels of cybersecurity maturity that contractors may achieve, starting with just 17 required controls to achieve level 1.
Accordingly, for companies that only need to comply at Level 1, it will be a relief compared to trying to comply with NIST 800-171’s 110 controls. Also, the 17 required controls for Level 1 are mostly focused on cyber hygiene and are less challenging to achieve than the more advanced controls required by the higher levels. The next tutorial will dive deeper into Levels 1 and 2 of CMMC.
What’s with all the acronyms?
There are a dizzying number of acronyms associated with CMMC – a few important ones include OSCs, CAs, RPs, RPOs and C3PAOs (which are not to be confused with friends of R2D2).
Organizations Seeking Certification (OSCs) are DIB contractors looking to be certified. OSCs need to start with an understanding of the sensitivity of the data they handle on projects completed for DoD contracts. OSCs should familiarize themselves with what might be classified as Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and Controlled Technical Information (CTI) as a starting point. We will discuss each of these categorizations in further detail later but for now, it’s just important to understand how they affect your required level of maturity. If you only handle FCI, then you will just be required to comply at Level 1. If, however, you also handle data designated as CUI, then you must comply at Level 3.
Developing an understanding of each of those categories of data and figuring out whether any of them exists in your systems is a great starting point.
CAs, RPs and Garden Variety Consultants
The CMMC accreditation board is busy developing training for individuals who wish to participate in helping companies through the assessment process. Certified Assessors (CAs) will perform the assessments of OSCs that will result in a recommendation to the C3PAO, and then to the CMMC accreditation board, on whether the OSC should pass.
Registered Practitioners (RPs) are individuals who have been trained to help companies prepare for the assessment. RPs will walk companies through a review of their policies, procedures, existing and required technologies, and provide recommendations for configuration changes and other process and policy improvements that will move the company towards a successful certification.
Consultants with prior NIST 800-171 or other related experience, who do not hold the RP certificate from the CMMC-AB, may also help an OSC prepare for CMMC. Also, an individual who is a CA may provide consulting advice to an OSC. It is very important to understand, however, that anyone who helps an OSC prepare for a CMMC assessment can NOT be a part of the assessment team. In fact, no one from the associated company can participate in the assessment process, as it’s considered a conflict of interest. A final note on this topic is that individuals may apply for and receive training as both a CA and an RP, but again, that individual cannot offer both services to the same client.
More acronyms: SSP and POA&M
Okay, so you’ve figured out whether you have FCI or CUI or both or neither, and you have made a decision regarding whether you need help getting ready for an assessment. Now what?
If you don’t already have one, you should start a System Security Plan (SSP) to track modifications and improvements to your security posture. Essentially, any major updates, investments and remediations should be recorded and reviewed by the appropriate authorities within your company. The employees who work on security, a record of your policies and procedures, network diagrams, administrative roles and other pertinent cybersecurity information should be recorded in your SSP.
A number of vendors have popped up specifically around the provision of CMMC documentation portals, which may also serve double duty as a robust environment for your SSP. For the purposes of NIST 800-171 and/or CMMC, the SSP must also include specific details regarding the handling of FCI, CUI and CTI.
The Plan of Action and Milestones (POA&M) is your shopping list of things that must be done going forward. To be most effective, a POA&M should include due dates and task assignments to individuals within your organization. Also, as items are completed, it is important to update both the POA&M and the SSP. The ultimate goal, for the limited scope of CMMC, is to have a robust SSP and zero open items on your POA&M.
So that’s a quick overview at 50,000 feet of the overall process involved. In the next chapter we will dig in a bit more on Levels 1 and 2 and what you can and cannot do with those certifications. Thanks for reading and see you soon.
Figure: Slide 7 from the public briefing (20200131) “Cybersecurity Maturity Model Certification (CMMC), CMMC Model v1.0”, 31 January 2020.