The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense standard that DoD contractors will be required to meet. It is specifically concerned with how sensitive, unclassified information is protected on a contractor's systems. In short, for a contractor or vendor to do business with the United States Department of Defense, it must meet the CMMC requirements. The road to CMMC compliance is comprehensive but attainable, and it never hurts to have a qualified CMMC-Accreditation Body Registered Provider Organization (CMMC-AB RPO) in your corner (more on that later). In this article we outline the overall process a DoD contractor follows to achieve CMMC compliance.
Step One: Review your organization’s current system security plan (SSP) and any plan of action and milestones (POAMs)
Start by taking a hard look at your organization's current SSP and any open POAM items, and evaluate how you store and transmit controlled unclassified information (CUI). The specifics vary greatly by industry, but your federal contracting officer can tell you which level of CMMC certification your contract will require.
Step Two: Submitting your DoD NIST 800-171 self-assessment
NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171) sets the security requirements for protecting CUI when it is stored, processed or transmitted on non-government contractors' systems. Its purpose is to protect the confidentiality of CUI and to ensure that only vendors meeting a defined baseline of cybersecurity practices ever have access to it. The Defense Federal Acquisition Regulation Supplement (DFARS) interim rule published in September 2020 requires contractors to score their NIST 800-171 self-assessment using the DoD Assessment Methodology and to submit that score to the Supplier Performance Risk System (SPRS) before contract award.
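To make the "scored" part of that self-assessment concrete, here is an added example (written for this article, not SSE's tool and not an official DoD calculator) of how the DoD Assessment Methodology arrives at a score: every one of the 110 requirements carries a weight of 5, 3 or 1 point, a perfect assessment scores 110, each unmet requirement subtracts its weight, an item on a POAM still counts as unmet until it is closed, and only two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) allow a reduced 3-point deduction for partial implementation. The weight table below is an illustrative excerpt constructed for the example; the authoritative per-requirement values are in Annex A of the methodology, and the sample assessment is likewise constructed.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does.  Added example for this article; not an official tool."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_SCORE = 110  # every requirement implemented

# Requirements that allow partial credit: the methodology deducts 3 points
# instead of the full 5 when 3.5.3 (MFA) covers remote and privileged users
# but not general users, or when 3.13.11 uses encryption that is not
# FIPS-validated.  Every other requirement is all-or-nothing.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Illustrative excerpt of the per-requirement weights (assumption: a real
# run must load all 110 values from Annex A of the DoD Assessment Methodology).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

VALID_STATUSES = {"implemented", "not_implemented", "partial", "na"}


@dataclass
class Finding:
    req: str
    status: str
    deduction: int
    on_poam: bool


@dataclass
class Result:
    score: int
    findings: List[Finding] = field(default_factory=list)


def score_assessment(assessment: Dict[str, Tuple[str, bool]],
                     weights: Dict[str, int] = WEIGHTS) -> Result:
    """assessment maps requirement id -> (status, on_poam).

    'na' is treated as met (no deduction) and must be justified in the SSP.
    A POAM entry never restores points; the requirement is still deducted
    until the POAM item is closed and the control is actually in place.
    """
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"assessment does not cover requirements: {missing}")

    deductions = 0
    findings: List[Finding] = []
    for req, weight in weights.items():
        status, on_poam = assessment[req]
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status in ("implemented", "na"):
            deduction = 0
        elif status == "partial":
            if req not in PARTIAL_CREDIT_DEDUCTION:
                raise ValueError(
                    f"{req} has no partial-credit option; score it as not_implemented")
            deduction = PARTIAL_CREDIT_DEDUCTION[req]
        else:
            deduction = weight
        if deduction:
            findings.append(Finding(req, status, deduction, on_poam))
        deductions += deduction
    return Result(MAX_SCORE - deductions, findings)


def poam_points(result: Result) -> int:
    """Points that will be recovered once the open POAM items are closed."""
    return sum(f.deduction for f in result.findings if f.on_poam)


# Constructed sample assessment: (status, on_poam) per requirement.
SAMPLE_ASSESSMENT = {
    "3.1.1": ("implemented", False),
    "3.1.2": ("implemented", False),
    "3.1.3": ("not_implemented", True),   # on a POAM, still deducted
    "3.1.5": ("not_implemented", False),
    "3.5.3": ("partial", False),          # MFA for admins/VPN only
    "3.13.11": ("partial", False),        # TLS in use, module not FIPS-validated
    "3.14.1": ("implemented", False),
}

if __name__ == "__main__":
    result = score_assessment(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {result.score}")
    for f in result.findings:
        print(f"  -{f.deduction}  {f.req} ({f.status}{', on POAM' if f.on_poam else ''})")
    print(f"recoverable via open POAM items: {poam_points(result)}")
```

Two details in the code are the ones that trip up first-time assessors: a POAM does not earn back points (it only records the plan to close the gap), and "partial" is not a valid status outside 3.5.3 and 3.13.11, so the function rejects it rather than silently awarding credit.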
Step Three: Verify level of CMMC compliance needed and any direction from prime
There are five levels of CMMC compliance, and the level your organization must reach depends on the type(s) of sensitive information it handles. The levels range from basic cyber hygiene (level one) to advanced and progressive (level five). Each level is cumulative: in addition to its own requirements it includes every requirement of the levels below it (e.g. level three consists of its own requirements plus all of those set forth in levels one and two).
It should be noted that the CMMC-AB has made it clear that Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) must themselves be CMMC certified (at the same level as their defense customers) if they handle those customers' CUI.
Step Four: Review of Current IT Systems
The next step concerns your IT systems, including but not limited to shop-floor machinery and IT tooling. Changes may be necessary under CMMC and/or International Traffic in Arms Regulations (ITAR) requirements before your business can attain compliance. Because data breaches are not limited to phones and laptops, you must be certain that every technological component of your organization's current operations, not just the office network, meets CMMC's strict cybersecurity requirements.
Step Five: Conduct a NIST 800-171 and CMMC Gap Assessment
A gap assessment reviews and evaluates your documentation and procedures, and how those procedures bear on the protection of CUI. It should cover your existing policies and procedures, your IT environment, and your existing physical security practices, and its output is the list of items that feed your POAM.
Step Six: Choose the right provider
We realize this is a lot to take on yourself. Fortunately, there are partners available to help you at every step of the way. It is in the best interest of your business to develop a partnership with a cybersecurity mainstay verified by the CMMC-AB…like, for instance, us!
SSE is itself a DoD contractor and a CMMC-AB RPO, and has the knowledge and experience to help vendors of all markets and sizes attain CMMC accreditation. Our team of cybersecurity experts will conduct a thorough technical audit of your systems and resources and assist your organization in developing and implementing an attainable plan to meet CMMC requirements. For more information on CMMC accreditation, or to get started with a readiness assessment, contact us. You can also visit our Resources directory for a downloadable checklist relating specifically to CMMC planning.