5 Tips for a Successful CMMC Compliance Checklist

The US Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) on 31 January 2020. The new framework aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and will apply to all DoD contractors or subcontractors. It was adopted in response to a wave of cybersecurity incidents that jeopardized sensitive defense information located on contractors’ information systems.

The latest of these, the disastrous Solarwinds data breach discovered in late 2020, affected no less than nine federal agencies and showed the necessity for frameworks like CMMC to tackle a rapidly evolving threat landscape.

An estimated 300,000 companies that do business within the Defense Industrial Base (DIB) supply chain will be affected by the rollout of CMMC and will be required to obtain a CMMC certification. This will include suppliers across every tier of the supply chain, from small businesses to foreign suppliers and commercial items contractors. The only companies exempt from CMMC certification are those that produce commercial off-the-shelf products.

The final version of the CMMC framework is expected in late 2021, but organizations wishing to join or continue to be a part of the DIB supply chain should not waste time in reaching compliance as full CMMC compliance will be required at the time of submission for all DoD bids. The best place to start is a CMMC compliance checklist that can help guide companies to their final goal. Here are our tips to successfully build one:

Assess your CUI

Understanding your data and what part of it is subject to CMMC is an essential step towards CMMC compliance. Controlled unclassified information (CUI) covers a multitude of different types of information including tax-related data, sensitive intelligence information, patents, and intellectual property.

For companies to correctly determine which level of CMMC compliance they need to reach, it is essential to identify what CUI they collect, how it is processed and stored. Organizations can use solutions such as Data Loss Prevention (DLP) tools to discover, monitor, and classify CUI.

Identify your CMMC maturity level

There are five certification levels for CMMC. Each level builds upon the last, meaning that, for example, requirements for Level 2 include all requirements for Level 1. The level of CMMC compliance needed to participate in a bid will be listed in the DoD Requests for Information (RFIs). As maturity levels may differ from contract to contract, it’s important for companies to reach the highest level of CMMC certification possible for them.

Currently, it seems that most organizations part of the DIB supply chain will likely require either a CMMC Level 1 or CMMC Level 3 certification to continue working with DoD. DoD has provided a series of appendices and assessment guides for Levels 1 and 3 that companies can use to help determine what level they will need or should aim for to ensure they will be able to participate in future bids.

Leverage NIST 800-171 and other existing frameworks

Most companies that work with federal agencies and DoD, will have already been subject to some form of data protection compliance requirements. The most prominent of these is NIST Special Publication 800-171, but can also include standards and laws such as ISO 27001 or the Federal Information Security Modernization Act (FISMA).

Many existing standards and regulations have requirements that overlap with CMMC controls, especially in the lower compliance levels. CMMC Level 1, for example, is made up of 17 basic cybersecurity controls such as the use of antivirus software and regular password changes which many companies may already have in place.

NIST 800-171 compliance is especially useful for CMMC compliance as the special publication was one of the foundations of the CMMC framework. In fact, if a company is NIST 800-171 compliant, it is already CMMC Level 1 and Level 2 compliant. Once a company aims for a higher level of CMMC compliance, however, the CMMC goes further than NIST 800-171, having additional controls in place. That being said, NIST 800-171 covers 110 controls of the highest possible number of CMMC controls, 171, included in Level 5, making it an excellent starting point for compliance efforts.

Remediate gaps

Once an organization has decided on the CMMC level it is aiming for and identified which controls it already has in place as a consequence of other frameworks, it then needs to fill the gaps between existing measures and remaining CMMC controls.

This may require the development of new organizational standards, policies, and procedures. An organization’s IT infrastructure may need to be modified to accommodate these. New software and IT security solutions that address security blind spots and meet CMMC security standards may also be required.

Obtain a CMMC certification

Under NIST 800-171, DoD contractors could self-certify and, as long as any security gaps were identified and listed in the Plan of Actions and Milestones, they were allowed to continue providing products and services without achieving compliance with all NIST 800-171 security controls. CMMC has eliminated both of these loopholes.

The CMMC certification process will now be handled by the CMMC Accreditation Body (CMMC-AB) in direct coordination with DoD. Together, they have developed procedures to accredit independent CMMC third-party assessment organizations that will evaluate and certify CMMC levels. All companies wishing to participate in DoD bids will need to present a CMMC certification from one of these approved assessors.