How to Manage CMMC Compliance for Your Business

Posted on January 11, 2021 - by Justin Gratto - in Building Your InfoSec Program


If your company wants to compete for contracts from the U.S. Department of Defense, you’ll need to achieve compliance and meet all the requirements for the Cybersecurity Maturity Model Certification.

The CMMC represents a unified approach to cybersecurity in the defense industry. It seeks to define clear technical requirements for contractors, subcontractors, and other organizations within the defense industrial base that handle controlled unclassified information (CUI) or federal contract information (FCI) within their own business.

Drawing from three different technology standards, the CMMC is a sweeping set of security compliance requirements. Here are the essentials you need to know to start preparing for and managing your compliance.

What is the CMMC framework?

The CMMC framework was designed to be a comprehensive and scalable standard for defense contractors and subcontractors to protect information categorized as CUI. CUI is sensitive but unclassified information (classified information carries even stricter security requirements). The framework is intended to help the Pentagon verify the implementation of required cybersecurity policies and procedures.

The CMMC is a new certification standard developed by the DoD and first published in January 2020. Starting in December 2020, CMMC became official department policy with contracts starting to include the new cybersecurity requirements.

If you’re getting questions about CMMC compliance or expecting to see these requirements in your contracts, here’s what you need to know:

1. Identify What Certification Level Your Company Needs

The CMMC established five levels of certification to determine the maturity of an organization’s cybersecurity infrastructure, and thus its ability to safeguard CUI and FCI.

A spokesperson for the department stated most contractors will initially only need to meet Level 1 of CMMC compliance. The DoD will specify what level a company must have achieved to qualify for a contract in its Requests for Information and Requests for Proposals.

These five levels are tiered, so you must achieve compliance with the preceding level before advancing:

  • Level 1 – Basic Cyber Hygiene. Your company uses essential best practices across your organization, including those for email security and password policies.
  • Level 2 – Intermediate Cyber Hygiene. Your company must have documented policies and procedures that specifically address the safeguarding and control of CUI. At this level, you’ll have to meet 55 additional cyber hygiene practices laid out in the NIST cybersecurity framework, plus the 17 basic cyber hygiene practices related to protecting FCI.
  • Level 3 – Good Cyber Hygiene. At this level, you’ll need to satisfy any remaining requirements in NIST SP 800-171. You’ll also be expected to regularly review policies or processes while demonstrating the ability to manage specific activities related to CUI and FCI.
  • Level 4 – Proactive Cybersecurity Practices. Level 4 introduces additional practices from Draft NIST SP 800-171B and adds requirements for protecting against advanced persistent threats (APTs).
  • Level 5 – Optimized Capabilities. Companies at this level must demonstrate standardized, optimized, and sophisticated capabilities for managing APTs across the entire enterprise.

The levels in CMMC compliance loosely resemble the implementation groups in the CIS Controls framework, which also map to the NIST cybersecurity framework.

2. Configure Your Existing Security Environment

Having identified the level of compliance your company must achieve, start with the infrastructure that already exists. A risk assessment is often the ideal starting point for this. During this risk assessment phase, your security team should also:

  • Define what CUI or FCI you hold, then identify where it’s stored or processed, and how it’s transmitted.
  • Identify applicable NIST SP 800-171 controls.
  • Bring existing policies into alignment with the cybersecurity compliance requirements.
  • Document your current CUI environment and security strategy.

3. Build a Plan of Actions & Milestones for Compliance

With some 123 different controls, CMMC compliance requires project management for a phased rollout. A Plan of Action & Milestones (POA&M) describes the current security posture of an organization plus the vulnerabilities that have been uncovered in the system. It then lays out a course for corrective action to bring your infrastructure into alignment with compliance requirements.

FedRAMP provides excellent guidance on developing a POA&M and can be used to prepare for a CMMC audit.

4. Contact a Certified Assessor

Federal contractors have always been required to maintain strict cybersecurity standards when handling CUI and FCI. However, the CMMC introduces a new requirement for contractors seeking certification: third-party accreditation with a certified assessor.

Any cybersecurity expert with experience working for companies within the defense industrial base can help you prepare for the audit and certification. However, the final assessor must be accredited by the CMMC Accreditation Board for your certification to be considered valid.

Approaching a certified assessor early in your preparation process can help you identify resources to prepare.

5. Stay Up to Date with the Latest Developments of the CMMC

Cybersecurity is not a set-it-and-forget-it project, and nowhere is that truer than with the CMMC. As a very new program, the CMMC is expected to take up to five years to fully implement. Since its initial publication in January 2020, the standard has already seen numerous drafts and updates.

To increase your ability to maintain CMMC compliance, make sure you have a process to stay up to date with the latest developments. If your team can get in the habit now of staying current with changes, you may be the one who beats out a competitor for a new contract.

Prepare for the CMMC with Securicy

Not sure where to start? Consider backing up your team with expert advice and an information security management platform. With a centralized solution, you’ll be able to create, manage, and implement your policies from a single hub across your entire organization.

Going forward, companies operating within the defense industrial base will need to demonstrate compliance with the CMMC to win contracts from the DoD. Although many details are still developing, savvy companies are starting to assess and align their cybersecurity strategies now. By doing the same, you’ll ensure that your company stands at the forefront when new requirements start showing up in your contracts.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.


About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is responsible for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He is also involved in advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.