Despite COVID, deployment of requirements for CMMC compliance are moving forward, and so must contractors’ preparations to meet them.
While many businesses have halted operations during the ongoing COVID-19 pandemic, the Pentagon has been steadily moving ahead with its implementation of the Cyber Maturity Model Certification (CMMC) program for Department of Defense (DoD) contractors. Although the timeline has shifted slightly, contractors should be preparing for certification now if they wish to continue bidding on potential contracts.
While the CMMC requirements and auditing process continue to evolve, the following five step roadmap can help companies plan ahead and ascertain which certification level they must prepare to meet. As early as the end of 2020, those contractors who do not satisfy the certification requirements will not be eligible to bid on contracts from the DoD.
1 | Study the Technical Requirements
The first step is to gain a full understanding of the technical requirements of the CMMC. In addition to the certification levels, the CMMC covers 17 sections contractors must attain for compliance. These sections include:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Security
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
These are adopted from earlier cybersecurity frameworks, such as NIST SP 800-171. Each of these “domains” – as referred to by the CMMC – should be addressed by contractors, with the ability to demonstrate verifiable compliance and adherence. If contractors do not have one or more of these domains implemented within their cybersecurity protocols, they must develop policies, procedures, and systems to fulfill the requirement prior to going through the certification process.
2 | Determine Internal vs. Outsourced Compliance Assistance
Not all DoD contractors will have the infrastructure, resources or capabilities internally to attain CMMC compliance. In these instances, organizations will need to outsource certain aspects of CMMC compliance to selected vendors and partners. In these instances, it is very important to thoroughly vet vendors and ensure that they are also CMMC compliant. This includes some of the larger cloud providers like Microsoft or Amazon.
For organizations that want to leverage their internal resources, it is equally important to ensure their capabilities meet the CMMC compliance and framework standards. Reviewing prior assessments based on the NIST framework will serve as a guide, as well as working with specialized pre-certification providers.
3 | Conduct a Readiness Assessment and Gap Analysis
Once the first two steps have been taken, contractors should identify gaps or vulnerabilities by conducting a readiness assessment and gap analysis. This not only highlights which parts of the CMMC compliance may be lacking, but it will also serve to give organizations a baseline read of which CMMC level they are closest to, or have already achieved. They can then work from this foundation to continue to higher certification levels based on their organizations’ needs, and desired contract bid requirements.
Firms should reference the NIST 800-171 framework to conduct this analysis, as it outlines several key questions that will need to be addressed, including:
- How is data stored?
- How is data and information access being controlled?
- Are there incident response plans in place?
- Are these current? Effective?
- What training do IT staff and other personnel go through? Is it adequate?
- How are security protocols implemented and maintained?
The gap analysis will identify key vulnerabilities, gaps or areas for improvement and facilitate the development of a remediation plan. This will be of value in developing a CMMC compliance and certification roadmap. A remediation plan should include:
- Activities necessary to address and resolve security issues
- Allocation of resources required to mitigate problems and close security gaps
- A timeline for the organization, with projected completion dates and milestones
- Insights into how security vulnerabilities were uncovered
- Quantification of risk levels, established priorities, and estimated remediation costs
4 | Invest in Cybersecurity Monitoring
Higher CMMC certification levels require a more sophisticated cybersecurity framework and layers of protection across networks. More complex projects require higher CMMC levels. These projects may include more sensitive information or higher-value assets that require stricter protections. At these levels, organizations must be able to report cybersecurity incidents and intrusions – meaning there must be systems in place to identify and contain threats, as well as collect information on the attack type and threat actors. To successfully meet these requirements typically calls for additional technologies and threat detection/monitoring systems deployed across an organization’s network stack. This is an added investment for many firms, either selecting to bring these systems in-house, or leveraging managed service providers with cyber expertise to conduct these functions.
5 | Review System Security Plans (SSP)
Lastly, DoD contractors should make sure they have a System Security Plan (SSP) in place. This is also adopted from earlier frameworks, and mandates that the SSP is regularly updated, particularly when substantial changes to an organization’s security profile or processes occur. The SSP must encompass a wide range of information and company details, such as existing policies, protocols, employee security roles, network schematics, and administrative functions.
For organizations dealing with Controlled Unclassified Information (CUI), SSP’s must also document information regarding the various systems in the contractor’s environment that either houses or transmits CUI. SSP’s should detail the flow of information between systems, including authentication and authorization processes. The review of SSP’s is part of the contract award process going forward, and an integral part of the CMMC certification.
The items outlined above are only a small part of the overall processes that will help meet CMMC certification standards. By building on existing cybersecurity policies and controls already in place, organizations can achive higher certification levels. Like any cybersecurity audit, a key factor will be the ability to document the security and control measures that are being utilized. The more details, plans, and tools that can be demonstrated throughout the audit process in a clear and succinct manner, the better the evaluation will go. Proactive preparation and self-assessments will strengthen an organization’s position prior to the CMMC audit and create more contracting opportunities.
Contractors should not view the CMMC certification process as an added hurdle to overcome, but rather as the next evolutionary step towards building cyber resilience. CMMC simply offers a more robust framework for firms that should be continuing to invest in and build upon their existing cybersecurity protocols.