CMMC Compliance Checklist

By Scott Dawson
May 6, 2022

CMMC Compliance Checklist – Update Sept. 2024

If you contract with the U.S. Department of Defense—or if you plan to in the future—you need to be aware of Cybersecurity Maturity Model Certification (CMMC). This DoD initiative will soon become a requirement for all contractors. Announced in 2019 and updated in 2021 (CMMC 2.0), this model safeguards sensitive government information by requiring contractors to implement enhanced cybersecurity practices.

So what is CMMC compliance, and what do you need to do to prepare?


What Is CMMC Compliance?

The CMMC framework identifies different levels of cybersecurity maturity. Your level will depend on the sensitivity of the information you handle. The more sensitive the information, the greater the cyber maturity you’re expected to demonstrate.

Consulting Support for CMMC Compliance

At Core, we offer a modular approach to certification. We break the requirements down into two broad categories: organizational and technical. We provide NIST/CMMC training for your employees, your management, and your IT Team or MSP (if you outsource your IT needs).

We also help you with your guided self-assessment.

We will help you develop your System Security Plan (SSP), Plan of Action and Milestones (POAM), roadmap, and budget. Core Business Solutions is a NIST/CMMC Registered Practitioner Organization (RPO).

What are the Steps for Achieving CMMC Compliance?

Conduct a Gap Analysis

Once you know the requirements you’ll face, you can find the gaps in your security. CMMC requires advanced cybersecurity practices; most contractors will have significant gaps to fill before becoming compliant.

It’s about more than just filling the gaps. You should expect to demonstrate these requirements as persistent, habitual behaviors.

Third-party assessors typically rely on three forms of evidence: documentation, interviews, and testing. When supplying documentation, organize it well before the assessment date. This will help the assessor develop a better understanding of your compliance.

It also helps you demonstrate process maturity, and the time saved can lower the cost of your assessment. The more prepared you are, the more efficient an auditor can be, which makes the audit faster and less expensive.

The assessor will check for things like the creation dates of your policies, and any information on procedural updates. The assessor will also want to see how you communicate these within your organization.

Contractors can save time and reduce costs by providing documentation to the assessor in advance of the assessment date.


Execute a Mock Review

After you find areas of non-compliance in your gap assessment and mock audit, it’s time to fix the issues. An experienced, registered provider organization (RPO) like Core Business Solutions should handle this process.

A mock review provides several benefits, including:

    • Enabling a trained professional to examine your compliance status.
    • Verifying the appropriate handling and classification of CUI and FCI.
    • Identifying any remediation steps to consider before certification.
    • Assuring you of readiness for the formal CMMC assessment process.


Implement the Necessary Remediation Steps

Once you’ve identified areas of non-compliance through your gap analysis and mock audit, it’s time to remediate (cybersecurity speak for “fix” or “remedy”) the problems you found. A service provider like Core Business Solutions can provide cost-effective remediation assistance to fit your business.

A good remediation plan includes a clear timeline for the needed fixes. It also lists the estimated cost for each fix. This will help you set priorities and figure out what tools, training, and resources you need.

Thoroughly document your compliance efforts as you formalize your processes and controls, enhancing your preparedness for the formal assessment.


The CMMC Assessment Process

If your organization cannot self-attest, you will need to hire a C3PAO. A C3PAO is a Certified Third-Party Assessment Organization. They will conduct your formal CMMC assessment.

Assessment will typically begin with an introductory session. The assessor will meet with your designated stakeholders to provide an overview of the process and outline the expectations.

The assessment may take a full day or more to complete. The assessor will evaluate your practices against each applicable CMMC guideline. Your organization will receive a pass or fail grade for each area.

After completing the assessment, the assessor will prepare a recommendation report. The assessor will discuss these findings with you and your organization. After that, they will send them to the CMMC-AB for approval.

The CMMC-AB will conduct a final quality assurance review before you receive your certification. The certification lasts for three years.


What Are the 3 Levels of CMMC?

The original CMMC model contained five cybersecurity maturity levels, which the DoD downsized to three. The updated version no longer requires a third-party assessment for companies that only need Level 1 maturity.

The three levels of CMMC are as follows:

  • Level 1: Foundational. This CMMC level applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
  • Level 2: Advanced. This CMMC level applies to contractors who handle CUI. A third-party assessment will almost certainly be required.
  • Level 3: Expert. Only a handful of defense contractors will need to comply with this specialized cybersecurity maturity level.

For a breakdown of the difference between FCI and CUI, see our previous article.

How Do I Become CMMC Compliant?

Level 1 contractors must meet the requirements and submit a self-assessment score to the SPRS (Supplier Performance Risk System). Top management at the company must affirm this score. Contractors should take this self-assessment seriously.

The new Civil Cyber-Fraud Initiative from the Department of Justice imposes heavy fines on contractors. These fines are for those who submit false cybersecurity claims.

Most Level 2 contractors must undergo an independent assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). The CMMC Accreditation Body (CMMC-AB) has authorized these entities to handle the task.

When CMMC 2.0 was first announced, it seemed that some Level 2 contractors would not need a third-party assessment. But it has become apparent that such cases will be exceedingly rare—if any will exist at all.


The Preparation for CMMC Checklist

If you require CMMC compliance, you might be wondering where to start. This preparation checklist can help you avoid common pitfalls along the way.


Determine the Appropriate Certification Level

Most organizations will require either Level 1 or Level 2 certification. But how do you know which one applies to you?

Determine whether or not you handle CUI, and if so, where it exists in your processes. If you handle CUI, you will require at least Level 2. If you don’t, you likely only require Level 1.

Once you identify where FCI and CUI are in your processes, you can separate them from your workflow. This helps limit the scope of your CMMC project. This makes the process easier and much less expensive. Now, you only need to secure one area instead of your whole business.

Start by identifying the people, processes, and technologies that interact with FCI and CUI. Creating a data flow chart can help.


Plan Ahead

Look ahead at the requirements you’ll face.

To achieve Level 1 certification, you’ll need to meet 17 Federal Acquisition Regulation (FAR) requirements.

To achieve Level 2, you’ll need to meet all 110 practices of NIST SP 800-171. These are the same requirements that have already existed for DoD contractors as part of DFARS. NIST SP 800-171 is the basis for calculating your SPRS (Supplier Performance Risk System) score. You can think of these NIST requirements as your CMMC compliance checklist.

You should also figure out who in your organization will manage this process. Appoint an executive sponsor — an individual responsible for overseeing, executing, and maintaining all CMMC activities. If you have an IT department, involve them as well.
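As an added illustration (not from the article or from Core Business Solutions), here is how a NIST SP 800-171 self-assessment score of the kind submitted to SPRS is tallied: start at 110 and subtract a weight for each practice that is not implemented. The 5/3/1 weighting, the partial credit for 3.5.3 and 3.13.11, and the rule that no score exists without a System Security Plan (3.12.4) are assumptions taken from the DoD Assessment Methodology rather than from this page; the practice list, weights and statuses below are constructed sample input.

```python
# Added example: tally a NIST SP 800-171 self-assessment score and list the
# practices that belong on the POAM. Weighting rules are assumptions drawn
# from the DoD Assessment Methodology; sample data is constructed.
from dataclasses import dataclass

MAX_SCORE = 110  # one practice per point, 110 practices in NIST SP 800-171
SSP_PRACTICE = "3.12.4"  # assumed precondition: no SSP, no score

# Assumed: only these two practices earn partial credit (3 points deducted
# instead of the full 5 when partially implemented).
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Practice:
    pid: str      # NIST SP 800-171 practice identifier, e.g. "3.1.1"
    weight: int   # 5, 3 or 1 (assumed sample values below)
    status: str   # "implemented", "partial" or "not_implemented"


def deduction(p: Practice) -> int:
    """Points lost for one practice under the assumed weighting rules."""
    if p.status == "implemented":
        return 0
    if p.status == "partial":
        # Practices without a partial-credit rule lose their full weight.
        return PARTIAL_CREDIT_DEDUCTION.get(p.pid, p.weight)
    if p.status == "not_implemented":
        return p.weight
    raise ValueError(f"unknown status {p.status!r} for {p.pid}")


def is_scorable(practices: list[Practice]) -> bool:
    """An SSP must exist before a score can be calculated (assumption)."""
    return any(p.pid == SSP_PRACTICE and p.status == "implemented" for p in practices)


def sprs_score(practices: list[Practice]) -> int:
    """Score relative to 110; practices not listed are treated as implemented."""
    if not is_scorable(practices):
        raise ValueError("no System Security Plan: score cannot be calculated")
    return MAX_SCORE - sum(deduction(p) for p in practices)


def poam_items(practices: list[Practice]) -> list[str]:
    """Practice IDs that still cost points and therefore need a POAM entry."""
    return [p.pid for p in practices if deduction(p) > 0]


# Constructed sample: a subset of practices with assumed weights and statuses.
SAMPLE = [
    Practice("3.1.1", 5, "implemented"),       # limit access to authorized users
    Practice("3.1.3", 1, "not_implemented"),   # control flow of CUI
    Practice("3.3.1", 5, "not_implemented"),   # audit logging
    Practice("3.5.3", 5, "partial"),           # MFA, partial credit applies
    Practice("3.11.2", 5, "partial"),          # vulnerability scanning, no partial credit
    Practice("3.12.4", 5, "implemented"),      # system security plan
    Practice("3.13.11", 5, "partial"),         # FIPS-validated crypto, partial credit
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE), "POAM:", poam_items(SAMPLE))
```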


Creating a Secure Environment

Your CUI and FCI need to exist in an environment that meets CMMC requirements. The easiest way to do this is to use a cloud service. Make sure your cloud provider meets all Federal Risk and Authorization Management Program (FedRAMP) guidelines. FedRAMP provides a systematic, standardized approach to cloud service security authorizations.

Cloud-based solutions like our CORE Vault are designed for CMMC compliance. They let you manage sensitive information through a virtual desktop. You can access this desktop from almost any device. For many contractors, this is the simplest, most effective path to compliance.


What Happens If You Fail a CMMC Assessment?

CMMC certification calls for advanced cyber protections. If you don’t work with CMMC experts, you might fail your first assessment. Experts can help you find the right technical solutions.

If the CMMC-AB does not certify your organization, you will have 90 days to fix the issues. After that, you can resubmit the additional evidence for review. If you’re in this situation, Core Business Solutions can help.

The CMMC-AB will emphasize areas where compliance is lacking. However, it will not give suggestions for fixing these issues.

Core Business Solutions Can Help With Your CMMC Compliance Needs

Core Business Solutions is a CMMC-AB Registered Provider Organization (RPO). We are fully qualified to help you with the CMMC certification process. We understand that many contractors lack the time, resources, or knowledge to handle CMMC guidelines by themselves. Our solutions simplify compliance, removing the burden from your shoulders so you can focus on your business.

Our CORE Vault™ gives you everything you need to achieve CMMC certification in one cloud-based solution. This cloud-based enclave comes ready-made to store and share FCI/CUI in a compliant environment. You will also get the CORE Security Suite.

This includes automated forms, customizable policy templates, and a score calculator. The score calculator helps you check your readiness level. Our CMMC experts will provide all the support you need for full compliance.

Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.
