The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity standard set by the Department of Defense (DoD) for all contractors and organizations throughout the DoD supply chain. It is designed with uniform measures to safeguard Controlled Unclassified Information (CUI) among suppliers and significantly reduce the risks of cyber threats.

This standard is nearing finalization, with new and existing DoD contracts requiring CMMC certification to be phased in by 2025. But updates such as the Interim Rule are currently being enacted to start in stages throughout the rollout process. One change that the Interim Rule implemented was an increase in CMMC audits to ensure that CMMC standards are being met and that self-assessments are performed accurately.

Here’s what we know about the CMMC process and what you can do now to prepare for a CMMC audit.

How to Prepare for a CMMC Audit

CMMC compliance includes five cybersecurity maturity levels, depending on the necessary level of security clearance. Level 1 CMMC compliance focuses on maintaining sensitive Federal Contract Information (FCI), levels 2–3 establish CUI security, and levels 4–5 establish a strategy against Advanced Persistent Threats, or APTs.

The CMMC’s framework capabilities involve 17 sets of domains, which include risk management, situational awareness and incident response.

Determine Your CMMC Maturity Level 

Contractors can determine their required level of CMMC compliance by inventorying data within their network and assessing their use of FCI and CUI, along with their storage methods and security levels. Contractors without the capabilities of handling the preliminary data assessment can reach out to a managed services provider to perform an insightful breakdown.

CMMC’s initiative mainly applies to DoD contractors and subcontractors to safeguard the US defense supply chain. Suppliers seeking CMMC levels two and beyond are required to undergo an audit and obtain an official certificate from an accredited third-party assessor, or C3PAO.

Take the NIST 800-171 Self-Assessment

NIST 800-171 is an integral factor in CMMC audits. The code refers to a set of guidelines that non-Federal entities must follow when storing, processing or transmitting CUI and its related security systems.

CMMC-compliant applicants need to submit a cybersecurity self-assessment based on the NIST SP 800-171 DoD Assessment Methodology. Some of the methodology’s fundamental components involve tying all CAGE code-covered contractors to an SSP (System Security Plan), guidelines that make it easier to tabulate an organization’s compliance.

Previously, DoD contractors were required to self-assess their compliance with NIST 800-171 and DFARS 7012, but these recent changes added the uniform, in-depth methodology and scoring for these assessments, as well as the SPRS reporting requirement and the potential for increased audits.

Create Your SSP & POA&M

As part of the assessment, your organization needs to create a System Security Plan (SSP) and a Plan of Actions and Milestones (POA&M) that document both the state of your current network capabilities and compliance with the NIST 800-171 standards and a systematic plan to achieve 100% compliance.

Report Your Score to the SPRS

Additionally, applicants are required to submit their scored assessment, SSP, and POA&M to the Supplier Performance Risk System. Information required for this submission includes the system security plan’s name, network-supported CAGE codes, and an outline of its architecture. The submission should also include the date of assessment, the total score achieved, and the expected date that a score of 110 will be achieved.

Work with a CMMC Consultant

To ensure each step of the CMMC self-assessment is fulfilled accurately, completely, and in a timely manner, many DoD contractors choose to work with a CMMC consultant.

Especially now that accuracy will be evaluated by CMMC audits, and as additional changes are anticipated throughout the next several years during the CMMC rollout, it’s essential that organizations that fall under CMMC give their cybersecurity and processes the attention needed to remain compliant and eligible for contracts. Working with an experienced CMMC consultant like IronEdge can help you quickly comply with time-sensitive requirements and give you peace of mind concerning your cybersecurity and compliance.

Ramifications of the CMMC Interim Rule

While the new Interim Rule CMMC regulations specifically apply to contractors working under contracts with the DFARS 252.204-7012 clause due to CUI regulation, all DoD contractors who wish to be eligible for such contracts in the future must comply with the added measures. The DCMA may conduct spot checks in the near future to ensure the accuracy of self-assessment scores and that applicants work actively toward achieving realistic POA&M objectives.

The streamlined process of the scored self-assessments outlined in the Interim Rule makes it easier for auditors to reference and approve current capabilities for swifter CMMC clearance.

Finally, the new Interim Rule will help DoD contractors reach NIST 800-171 standards with improved effectiveness. However, even after full compliance is reached, applicants must maintain continuous monitoring and incident reporting to ensure that networks remain compliant into the future.

Optimizing CMMC Audit Success

The CMMC audit remains a necessary process in safeguarding national cybersecurity, and the additional rules will help contractors and subcontractors achieve higher security standards. However, as with any maturity model, adoption and substantial results require time.

A CMMC consultant like IronEdge can help organizations navigate compliance challenges and better prepare for CMMC audits due to our years of expertise and experience using proven, trusted solutions. Speak with our team today to learn how we can help you stay up to date with CMMC throughout its implementation.