The U.S. Department of Defense (DoD) is implementing Cybersecurity Maturity Model Certification (CMMC) 2.0 to standardize cybersecurity preparedness across the defense industrial base (DIB). This new verification mechanism helps ensure that DIB companies have the proper cybersecurity controls and processes in place to protect Controlled Unclassified Information (CUI) within DIB systems and networks.
CMMC will not be required for all defense contractors immediately; however, companies can start preparing for CMMC compliance now. Here is a look at the five essential steps to obtaining a CMMC certification.
1. Identify the Right CMMC Level
CMMC maturity levels vary based on the criticality of the data being handled. Organizations are responsible for certifying against the level that best matches the type of data that they handle. At a minimum, all DIB contractors must meet the requirements outlined in CMMC Level 1, which is the most basic level required for contractors to store, process, or handle Federal Contract Information (FCI).
Organizations that store, process, or handle Controlled Unclassified Information (CUI) must certify at CMMC Level 2. Businesses that handle very sensitive CUI must certify at CMMC Level 3. The majority of defense contractors will fall under CMMC Level 1 or Level 2. Each level has a set of practices or controls that must be met to gain CMMC certification. The three levels of CMMC 2.0 include:
- Level 1 – CMMC Level 1 is the foundational level and applies to organizations that focus on the protection of FCI. Controls under Level 1 aim to protect covered contractor information systems and limit access to authorized users. The 17 controls in Level 1 are based on the controls found in FAR 52.204-21.
- Level 2 – CMMC Level 2 is the advanced level and applies to organizations that work with CUI. The requirements under this level reflect NIST SP 800-171 and align with the 14 control families and 110 security controls created by the National Institute of Standards and Technology (NIST).
- Level 3 – CMMC Level 3 is the expert level and focuses on decreasing the risk of Advanced Persistent Threats (APTs). It applies to organizations that work with CUI on the DoD’s highest priority programs. The DoD has not yet completed the security requirements for this level.
2. Perform a Self-Assessment
The next step in obtaining a CMMC certification involves performing a self-assessment against NIST SP 800-171. The NIST SP 800-171 DoD Assessment Methodology was first established in November 2019 by the Office of the Secretary of Defense following the completion of a pilot assessment program by the Defense Contract Management Agency (DCMA).
Self-assessments require all facets of an organization to be tied to an IT System Security Plan (SSP), which is then evaluated against a scoring rubric with the highest possible score being 110. There are 110 controls in total, each worth a point value ranging from 1 to 5. To perform a DoD self-assessment, an organization must evaluate its compliance with each of these controls and deduct the point value of every control that is not implemented.
3. Create a Plan of Actions and Milestones
Using the results of the CMMC self-assessment, create a plan of actions and milestones (POA&M). Choose target dates to achieve the maximum goal of 110 points. The document should identify key tasks that need to be accomplished and what resources are necessary to achieve the elements of the plan.
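The scoring rule from steps 2 and 3 (start at 110, deduct each unmet control's point value, then turn the remaining gaps into a prioritized POA&M) carried through as an added Python example; this is not the page's or SeaGlass Technology's code. The control identifiers follow NIST SP 800-171 numbering, but the subset, its weights, and the implementation statuses are constructed for illustration; the authoritative weight of each of the 110 controls is in the DoD Assessment Methodology itself, which assigns 1, 3 or 5 points per control and allows partial credit for two controls (multifactor authentication and FIPS-validated encryption).

```python
"""DoD Assessment Methodology scoring and POA&M prioritisation (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110          # every control implemented
VALID_WEIGHTS = {1, 3, 5}


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only valid for controls that define a partial deduction


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int                          # points deducted when NOT_MET
    partial_deduction: Optional[int] = None  # points deducted when PARTIAL

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5")


# Constructed subset of the 110 controls. IDs use NIST SP 800-171 numbering;
# the weights are illustrative assumptions, not the official table.
SAMPLE_CONTROLS: List[Control] = [
    Control("3.1.1", 5),                        # limit system access to authorized users
    Control("3.1.3", 1),                        # control the flow of CUI
    Control("3.4.1", 3),                        # baseline configurations
    Control("3.5.3", 5, partial_deduction=3),   # MFA (partial credit allowed)
    Control("3.13.11", 5, partial_deduction=3), # FIPS-validated cryptography (partial credit allowed)
    Control("3.14.1", 5),                       # identify and correct flaws
]

# Constructed self-assessment results for the sample subset.
SAMPLE_STATUSES: Dict[str, Status] = {
    "3.1.1": Status.MET,
    "3.1.3": Status.NOT_MET,
    "3.4.1": Status.NOT_MET,
    "3.5.3": Status.PARTIAL,
    "3.13.11": Status.NOT_MET,
    "3.14.1": Status.MET,
}


def deduction(control: Control, status: Status) -> int:
    """Points lost for one control given its assessed status."""
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL:
        if control.partial_deduction is None:
            raise ValueError(f"{control.control_id} does not allow partial credit")
        return control.partial_deduction
    return control.weight


def dod_assessment_score(controls: List[Control], statuses: Dict[str, Status]) -> int:
    """Start at 110 and subtract the deduction for every control.

    A control missing from `statuses` is treated as NOT_MET: an unassessed
    control must not silently count as implemented.
    """
    score = MAX_SCORE
    for control in controls:
        status = statuses.get(control.control_id, Status.NOT_MET)
        score -= deduction(control, status)
    return score


def poam_items(controls: List[Control], statuses: Dict[str, Status]) -> List[Tuple[str, int]]:
    """Gaps to put on the POA&M, highest point value first (ties by control ID).

    Each tuple is (control_id, points recovered once the control is fully met),
    which is the order in which closing gaps raises the score fastest.
    """
    items = []
    for control in controls:
        status = statuses.get(control.control_id, Status.NOT_MET)
        lost = deduction(control, status)
        if lost:
            items.append((control.control_id, lost))
    return sorted(items, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("score:", dod_assessment_score(SAMPLE_CONTROLS, SAMPLE_STATUSES))
    for control_id, points in poam_items(SAMPLE_CONTROLS, SAMPLE_STATUSES):
        print(f"POA&M: {control_id} (+{points} when met)")
```

Because a control absent from the results is counted as not met, the function can be run against a partially completed self-assessment and will always report the conservative score; the POA&M ordering shows which remaining items move the score most, which is the prioritisation step 3 asks for.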
4. Undergo a CMMC Assessment
The next step in the process involves choosing a CMMC Third-Party Assessment Organization (C3PAO) and undergoing a CMMC assessment. An assessment typically involves four main phases:
- Phase 1: This phase includes pre-assessment planning and collecting initial scope information, identifying assessment team members, approving the assessment plan, and performing a readiness review with NSF-ISR.
- Phase 2: In Phase 2, the C3PAO performs the CMMC assessment that starts with a meeting between the organization and the NSF-ISR CMMC assessment team.
- Phase 3: Phase 3 covers all post-assessment reporting. The results of the assessment are submitted to NSF-ISR which then performs a quality assurance (QA) review. The review is used as a basis to issue or deny the CMMC level recommendation.
- Phase 4: If the assessment finds that the organization falls short of the target CMMC level requirements, Phase 4 may involve remediation.
5. Get CMMC Certification
The CMMC-AB is responsible for reviewing the assessment submitted by the C3PAO and making the final decision on certification for the company. If the assessment is approved, the accreditation body will notify both the C3PAO and the organization. The organization is then awarded a CMMC certification.
Speak with the Experts at SeaGlass Technology
SeaGlass Technology has experience working with a wide range of businesses seeking assistance in gaining their CMMC certification. SeaGlass specializes in helping contractors meet challenging compliance requirements by building resilient information security programs that safeguard sensitive government information from cybercriminals. To learn more about how to get a CMMC certification or to schedule a consultation with an IT security expert, contact SeaGlass Technology today.