CMMC Certification: How Contractors Can Adhere to New Privacy Standards
It’s been said that the only thing that is constant is change. This is definitely true when it comes to the world of cybersecurity.
If you’re an existing DoD contractor, then you’ve probably achieved Defense Federal Acquisition Regulation Supplement (DFARS) compliance by now. But did you know that DoD is now requiring all contractors to pass the Cybersecurity Maturity Model Certification (CMMC)?
As the threat landscape continues to evolve, hackers and scammers grow bolder to obtain confidential data. Cybercriminals have targeted and continue to target the Defense Industrial Base (DIB) sector, as well as the Department of Defense’s (DoD) supply chain in the hopes of stealing vital intellectual property and sensitive information.
This climate prompted the DoD to create the new CMMC framework to bolster security. Reactive measures are no longer enough to protect your organization and the data in its care. The new framework is a certification procedure designed to assure the DoD that DIB contractors are capable of protecting sensitive information such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
So what does this change mean for your company?
For many organizations, contracts with the DoD make up a significant part of their revenue. That’s why it’s essential to achieve compliance as soon as possible to continue doing business in the sector. If your company was audited by the DoD and found to be noncompliant, you will be given a stop-work order until your company can implement sufficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims.
Compliance is also worthwhile for organizations that don’t currently work for the DoD since it can open up new business opportunities in the future. It’s also worth noting that DoD CMMC is one of the most comprehensive cybersecurity compliance regimes currently in place, so it’s a great way to establish an organization’s authority in cybersecurity.
Making this transition can be overwhelming – but it doesn’t have to be. That’s why we’ve created this guide to explain everything you need to know in order to be prepared for CMMC compliance.
Back to top
What Is CMMC?
Any business that contracts with the DoD, or subcontracts with a business that sells to the DoD, will need to be CMMC certified. Businesses that deal with or generate CUI will need at least a Level 3 CMMC certification—we’ll explain more about the levels of certification in chapter 3.
It’s important to note that CMMC requirements don’t replace DFARS regulations. In fact, every DoD contractor that deals with CUI still runs the risk of losing their contracts if they do not comply with the minimum security requirements of DFARS.
Understanding CMMC first means that you should have a firm grasp on how DFARS and CMMC are different. Though DFARS and CMMC are similar in many ways (because the latter draws heavily from the former), there are some key differences between them. Unlike DFARS, CMMC has five levels of maturity based on the complexity of cybersecurity practices and processes, with each level characterized by its focus. Another important difference is that CMMC compliance relies on a different method of certification. Let’s take a closer look.
DFARS vs. CMMC
To be DFARS-compliant, a DoD contractor must meet all 14 security requirements stipulated in the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. On the other hand, CMMC uses different technical frameworks for each of its levels. By categorizing its contractors into different levels, the DoD can ensure that contractors for each project have the appropriate cybersecurity practices and processes in place to protect FCI and CUI.
While self-assessment is enough in achieving DFARS, CMMC requires an external assessor to evaluate the cybersecurity posture of DoD contractors and assign them with their appropriate CMMC level. This external assessor must have received its training and license from the CMMC Accreditation Body. In January 2020, the Department of Defense (DoD) launched the first finalized version of the Cybersecurity Maturity Model Certification (CMMC).
The CMMC version 1.0 is a new set of regulations where organizations contracting with the DoD are required to acquire a certain certification level representing their cybersecurity capabilities. The model uses five levels to identify an organization’s cyber hygiene from basic to progressive. Each level has its set of requirements adapted from several established frameworks (like the NIST 800-171), and certification for any level is to be validated by a certified third-party auditor.
It’s also essential that you understand where to aim. For instance, if you’ve already achieved DFARS compliance, then you should adopt at least 20 more cyber hygiene practices to obtain CMMC Level 3 in your external assessment. But if you want to be able to bid on more DoD contracts, then aim for Levels 4 or 5.
CMMC 1.0 vs. DFARS 7012: Key Differences
Both the Defense Federal Acquisition Supplement (DFARS) 7012 and CMMC version 1.0 use the NIST 800-171 standards and safeguards as a baseline set of rules. In fact, compliance with CMMC level 3, which represents “good cyber hygiene” and is the required level for contractors handling CUI, involves many of the same NIST 800-171 controls as DFARS does.
The main difference between version 1.0 of the CMMC and DFARS 7012 is in the process by which an organization is declared capable of handling CUI. Where self-assessment is sufficient to be regarded as a DFARS-compliant organization, CMMC compliance requires validation from a 3rd Party Assessment Organization (C3PAOs).
CMMC version 1.0 is a supplement to DFARS 7012—the set of regulations currently used by the DoD to regulate Controlled Unclassified Information (CUI). It’s not meant to replace DFARS 7012, but rather augments adherence to it by eliminating self-certification and replacing it with third-party certification. The creation of CMMC model 1.0 is part of the effort to improve the low rate of DFARS compliance.
Who Needs to Be CMMC Compliant?
All prime contractors and subcontractors working for the DoD should be DFARS and CMMC certified. A prime contractor is a company that works directly with the DoD and needs a high-level certification. A sub-tier supplier is a company that is subcontracted by a prime contractor to work on projects relevant to the supply chain.
A contractor’s access to CUI will determine the level of certification it needs. If a contractor does not handle or manage CUI but works with federal contract information (FCI), the contractor should comply with Federal Acquisition Regulation (FAR) Clause 52.204-21 and should be at least CMMC Level 1.
C3PAOs, Assessors and Training Providers
CMMC assessments will be conducted by Certified Assessors, who can be individuals or organizations that are trained by a Licensed Training Provider. Licensed training providers can be community colleges, universities or other learning institutions.
The CMMC Accreditation Body (CMMC-AB) is starting the initial rollout with a provisional program, where 72 qualified assessor applicants will be selected to be “Provisional Assessors.” The requirements include either 10+ years of experience conducting evidence-based assessments in cybersecurity including ISO, FedRAMP and more, or proven experience as a consultant or leader in cybersecurity for at least 20 years.
C3PAOs are DoD-authorized organizations that ensure certified CMMC assessors adhere to the CMMC-AB’s professional code. They will also monitor the process by which certified assessors schedule assessments and review and submit completed assessments. The DoD maintains a list of official C3PAOs and assessors to more easily connect organizations looking to acquire a CMMC certification with assessors. Contractors can only be audited and certified once the C3PAOs have been trained with the CMMC accreditation body (AB). Once accredited, these auditors can perform CMMC assessments and grant eligible contractors CMMC certifications.
Back to top
CMMC and DFARS: A Closer Look
To further prepare for challenges ahead, realize that CMMC does not put an end to DFARS. In fact, every DoD contractor that stores, processes, and transmits CUI runs the risk of losing their contracts if they fail to comply with the minimum security requirements of DFARS. To be considered DFARS-compliant, a contractor needs to fulfill the requirements of NIST SP 800-171, which involves 110 controls. The CMMC level three certification only requires 20 additional controls on top of the existing DFARS requirements. And thus, DFARS-compliant contractors are already about 85% ready for a CMMC level three certification.
In addition to NIST 800-171, the CMMC model uses cybersecurity best practices found in NIST SP 800-53, ISO 27032, ISO 27001, AIA NAS9933, and more to create an effective standard for cybersecurity.
The CMMC model currently has 17 domains, which include:
- 1. Access control
- 2. Asset management
- 3. Audit and accountability
- 4. Awareness and training
- 5. Configuration management
- 6. Identification and authentication
- 7. Incident response
- 8. Maintenance
- 9. Media protection
- 10. Personnel security
- 11. Physical security
- 12. Recovery
- 13. Risk management
- 14. Security assessment
- 15. Situational awareness
- 16. Systems and communications protection
- 17. System and information integrity
What is NIST 800-171?
NIST 800-171 is a set of guidelines and cybersecurity best practices designed to help DoD contractors improve their cybersecurity measures. It’s divided into four core areas:
The NIST framework features five functions vital to managing cybersecurity risks. They are:
- Identify – Identify cybersecurity risks to data, assets, and systems.
- Protect – Create and implement safeguards to ensure critical infrastructure services are not disrupted.
- Detect – Create and implement policies to detect cybersecurity anomalies and events.
- Respond – Create and implement policies for containing potential cyberthreats.
- Recover – Create and implement policies to restore services affected by a cybersecurity event.
Categories are specific tasks you must carry out for each of the five functions. For example, to protect your infrastructure from data breaches, you need to implement access control policies and install antivirus software.
Subcategories are tasks related to each category. For instance, if your category is updating all your software, your subcategory will be making sure that all your computers have the auto-update feature switched on.
These are documents and policies that outline how specific tasks should be done. Take the example above. You should have available documents on how to enable auto-updates on your computers.
NIST 800-171 vs. CMMC 1.0: Key Differences
What’s the difference between NIST 800-171 and CMMC? If you are asking this question, you are not alone. CMMC 1.0 offers updated guidelines to help contractors and subcontractors meet the requirements found in NIST 800-171. While both are designed to enhance the cybersecurity posture of contractors, there are key differences between NIST 800-171 and CMMC 1.0.
1. CMMC 1.0 Certification Requires Third-Party Assessment
Under NIST 800-171, contractors could self-certify and claim that their companies comply with all the NIST standards. Contractors applying for CMMC certification must first be audited by a C3PAO. This is to prevent false claims of compliance and ensure contractors applying for certification meet all CMMC requirements.
2. CMMC 1.0 Compliance Is Required to Win DoD Contracts
DoD contracts with CMMC requirements cannot be awarded to contractors and subcontractors who are not CMMC certified.
4. CMMC 1.0 Is Scalable
NIST 800-171 offers controls at only one level, with additional enhancements for extra protection. CMMC 1.0, on the other hand, uses specific levels of compliance, which contractors need to meet to be certified at a particular level. The five maturity levels used by the CMMC 1.0 framework allow contractors to scale their certification up or down depending on the security protocols they need.
For example, all DoD contractors should be at least Level 1 certified. This means that Level 1 contractors must implement 17 NIST 800-171 controls required for that level. If a contractor works with more sensitive information, the DoD assigns a new CMMC level to that contractor. That contractor must implement additional NIST controls over the ones it already has to meet the requirements of that specific CMMC level.
5. CMMC 1.0 Focuses More on Cyberthreats
Both NIST 800-171 and CMMC 1.0 emphasize the need for audits, access control, configuration management, and personnel security. However, CMMC 1.0 also focuses on cyberthreat intelligence, cyberthreat alerts, and situational awareness. This helps contractors develop more efficient security protocols for identifying and managing various cyberthreats.
Since the release of the CMMC framework in January 2020, contractors have been asking if they need to comply with both NIST 800-171 and CMMC 1.0. The answer is yes. NIST 800-171 is not enough to address the growing number of cyberthreats against DoD contractors, which is why the CMMC framework was created. However, contractors need to implement various NIST controls before they can be CMMC certified. As previously mentioned, CMMC compliance is now required for contractors to bid and win DoD contracts.
Back to top
As we’ve established, the CMMC operates on a framework that builds upon existing DFARS requirements. It consists of five levels that DoD suppliers mature into the better they get at protecting federal contract information (FCI) and CUI. Particularly, each CMMC maturity level is characterized by a set of cybersecurity processes and practices as seen in the figure below.
Why the Tiered Approach?
Before the CMMC was created, contractors who wanted to work for the DoD were expected to comply with the NIST 800-171 framework. However, small and medium-sized businesses (SMBs) found it difficult to achieve compliance with the full control set because they had neither an in-house IT staff nor a dedicated information security expert. This made reaching even basic cybersecurity hygiene difficult.
Larger companies, on the other hand, found it easier to achieve full NIST 800-171 compliance because they were held to more rigorous standards such as the Federal Risk and Authorization Management Program (FedRAMP) standard and NIST’s Cybersecurity Framework (CSF). However, for these larger contractors, NIST 800-171 presented a financial disadvantage when it came to implementing continuous improvements. Once they achieved the minimum baseline, larger contractors found no reason to invest more resources in their information security posture.
The CMMC model addressed these concerns by using a tiered approach. Each control stated in NIST 800-171 is assigned to a specific maturity level, with Level 1 being the most basic and Level 5 being the most stringent. The levels and their associated cybersecurity processes and practices are cumulative. This means that to be certified at a certain CMMC level, you must meet all of the requirements of the preceding levels as if you’re applying for certifications for all of those levels. This allows applicants to apply for a certification level of their choosing once, rather than having to go through certifications multiple times.
For example, to get CMMC Level 2 certification, you must satisfy the cybersecurity processes and practices required for both Levels 1 and 2. What’s more, you must demonstrate both the cybersecurity processes and practices associated with Level 2. That is, if, for example, you’ve met Level 2 for processes but not for practices, then you’d only be eligible for Level 1 certification.
Each CMMC level also has a particular focus to ensure alignment between cybersecurity processes and practices with the type and sensitivity of information to be protected. Only companies that achieve CMMC Levels 3–5 can handle CUI, with Levels 4 and 5 offering increased protection against advanced persistent threats (APTs).
On the other hand, those that get Level 1 or 2 certification need to secure only FCI, which means they don’t need to meet full DFARS compliance. This makes certification more cost-effective and affordable to smaller DoD vendors that don’t deal with CUI. Now, let’s take a closer look at each CMMC level.
CMMC Level 1: Basic Cyber Hygiene
There are 17 security controls evaluated at this level. Guided by the Federal Acquisition Regulation (FAR), this is the minimum level of cyber hygiene required to hold Federal Contract Information (FCI), beyond even just the DoD. A level 1 certification indicates that cybersecurity best practices concerning the identified controls are “performed” and included in the business’s processes.
This is the easiest of the five levels to achieve, and there isn’t any requirement to document security processes.
CMMC Level 2: Intermediate Cyber Hygiene
At level 2, a selection of 55 practices from the NIST 800-171 r1 regulations that tie to DFARS requirements are expected to be observed, along with the FAR basics. Seven additional cyber hygiene practices are expected as well. This level is slightly more difficult than level 1, but it’s only a transition point to managing Controlled Unclassified Information (CUI) with the DoD. Security processes here must not only be performed, but also “documented.”
This means that you must record standard operating procedures (SOPs), policies, and strategic plans that guide the implementation of your CMMC efforts. By having documentation, you’ll ensure that your SOPs and policies are practiced in the same manner all the time.
CMMC Level 3: Good Cyber Hygiene
Contractors at this level are required to implement the entire NIST 800-171 r1 framework and be completely DFARS compliant at CMMC level 3. Compliance to 20 additional cyber hygiene practices and FAR basics is also expected at this level. Fortunately, contractors who are already compliant with DFARS requirements are already 85% of the way through this certification level. As this is the minimum level required to handle CUI, most DoD contractors aim to certify at this level.
To become a CMMC Level 3 company, you should establish, maintain, and provide a plan that details how you will manage the implementation of the required cybersecurity practices. This plan may cover the following information:
- Mission and goals
- Project plans
- Resources to be tapped
- Required training
- Roles of relevant stakeholders
CMMC Level 4: Proactive Cyber Hygiene
At this level, contractors are expected to meet all the requirements of previous levels along with a selection of 11 new cybersecurity practices from the draft version of the NIST SP-800 171B. To achieve a level 4 certification, security processes need to be reviewed and management needs to be effectively looped into the process. At CMMC level 4, the focus shifts from only protecting CUI to also proactively defending against state-based advanced persistent threats (APTs).
Level 4 requires you to document, review, and measure your cybersecurity practices for effectiveness. Should your company encounter any issues, your staff should be able to inform higher-level management and adopt corrective measures.
Adopting all 156 practices required in this level enhances your company’s detection and response capabilities so that you can effectively address and adapt to the changing tactics, techniques, and procedures used by APTs.
CMMC Level 5: Advanced and Progressive Cyber Hygiene
A contractor achieves level 5 certification by demonstrating sophisticated cybersecurity capabilities to protect CUI from APTs. At this level, contractors are required to have a standardized documentation of cybersecurity practices and incidents across the organization.
Like in CMMC level 4 certification, a level 5 certification requires standardized, organization-wide cybersecurity processes involving continuous information-sharing and collaboration. A CMMC level 5 certification indicates that a contractor’s cybersecurity defenses are optimized and progressively reviewed to ward off APTs.
To achieve CMMC Level 5, you must have standardized and optimized processes in place across your entire company. After meeting all the requirements of the lower CMMC levels, Level 5 requires you to adopt 15 more cybersecurity practices, amounting to a total of 171 practices. Doing so increases the depth and sophistication of your company’s capabilities in repelling APTs.
This maturity model concept lays out a series of stages or levels for a certain capability or competence. The higher level you are, the better your capabilities are. This model makes it explicitly clear what’s required for each level of maturity, from current competencies to organizational processes.
Determine Your Desired CMMC Maturity Level
As a DoD contractor, you should identify your organization’s cyber security maturity level based on the classification of the data you store, transmit, and process. For example, Level 1 and Level 2 contractors, which are typically small contractors and subcontractors, must be authorized to be provided with Federal Contract Information.
Larger contractors that process CUI and Covered Defense Information (CDI) data need to be certified for higher levels, i.e., Level 3 and Level 5. Your IT team must be familiar with NIST SP 800-171 and the appropriate target levels so that they can determine the right CMMC controls to adopt for your organization.
Understanding how you can prepare the transition to CMMC compliance is a must no matter what cyber security level you are aiming for. This is where experienced professionals can be a tremendous asset. Let’s examine further.
Back to top
Preparing for CMMC Compliance
Once you gain an understanding of the CMMC certification levels, it’s time to look toward preparing for an audit. All DoD contractors should prepare for a CMMC audit, even for a Level 1 certification. A self-assessment is an excellent way of pinpointing issues in a contractor’s cybersecurity program that should be addressed before an audit. Contractors should focus on the controls found in NIST SP 800-171 Rev. 1. Once these controls are in place, a contractor can easily obtain a Level 3 certification.
7 Steps to Take Now
Use this checklist to make sure your company is on track in
preparing for a CMMC audit and achieving compliance.
The first step you need to take is to indicate your company’s CUI environment. This is a controlled environment where CUI is stored, processed, and transmitted. It’s important to know what the CUI environment is because it defines the processes, services, and systems in scope for NIST 800-171. If you’re not sure what your CUI is, you can ask for assistance from your contracting officer.
Next, you must identify which controls apply to your CUI environment from 62 NFO and 110 CUI controls. This CUI scoping guide will help you with this process.
Identify all applicable contracts, regulations, laws, and requirements your company should comply with and create policies and processes that will help you meet and manage those requirements. These policies must be concise and directly align with your company’s compliance requirements.
This is the step where your technology, processes, and people come together to operationalize your privacy and cybersecurity program. It implements the exact requirement for compliance and brings your policies to life. This step requires you to identify teams responsible for specific CUI controls and to define their roles and responsibilities to ensure requirements are properly implemented.
Create a Plan of Action & Milestone (POA&M) and a System Security Plan (SSP) to document the changes that affect your CUI environment. These two documents are important because:
- The SSP contains information about the processes, people, and technologies used to manage your CUI environment.
- The POA&M acts as a risk register for deficiencies in NIST 800-171 controls.
Also, a CMMC auditor needs your SSP and POA&M to properly assess your CUI environment. These documents are also required for NIST 800-171 compliance. If your company lacks these documents, you risk non-compliance penalties.
There are various methodologies available your organization can use to manage risk. There are risk models from ISO 31010, FAIR, OCTAVE, and NIST 800-171 that assess how effective controls are implemented and how much risk is reduced based on the control’s level of maturity. However, there’s no perfect risk methodology, and you should choose one that best supports your company’s functions.
It’s even possible to use different risk methodologies for operational, strategic, and tactical risk decisions because each has its own strengths and weaknesses. The goal of this step is to allow your company to define and achieve a level of optimal risk-taking.
Gathering metrics gives you a snapshot of a control’s performance and helps you identify areas for improvement. You can do this by defining key risk indicators (KRIs) and key performance indicators (KPIs) to gain insight into the controls vital to your organization.
Other Important Considerations
Contractors and subcontractors working in an unsecured email environment leave themselves open to the most common way hackers steal data — phishing. According to a Cyber Defense Magazine blog article, about 43% of cyberattacks target small- and mid-sized businesses, including DoD contractors. Ninety-one percent of those attacks were done using a phishing email.
As such, some DoD contractors and subcontractors are looking to the cloud to increase their cybersecurity measures against phishing attacks. This is where understanding the Federal Risk and Authorization Management Program (FedRAMP) and Microsoft Government Community Cloud (GCC) High comes in.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is important for cloud service providers that serve federal agencies. It was developed by the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense, and the Department of Homeland Security (DHS).
FedRAMP is a program developed by the United States government to standardize cloud services providers’ and similar organizations’ security assessment, authorization, and continuous monitoring processes for their cloud products and services. It is primarily concerned with ensuring that public cloud systems containing federal data are well-protected.
FedRAMP ensures that government entities use adequately safeguarded cloud systems, reduce risk management costs, and procure information systems and services rapidly and cost-effectively. Moreover, FedRAMP builds on the Federal Information Security Management Act (FISMA), a law that requires federal agencies to develop, document, and implement an information security and protection program that abides by the E-Government Act Law of 2002.
Here are the steps you need to take to achieve FedRAMP compliance:
This involves categorizing the information system or service under consideration based on the “Standards for Security Categorization of Federal Information and Information Systems” of the NIST publication FIPS-199. Categorizing the data that will be processed within the information system is key to identifying the impact level (low, moderate, or high) of the cloud service or product in case of a security breach. The impact level will then determine the type of data that the provider will be authorized to handle.
- The selected impact level indicates which NIST 800-53 and FedRAMP controls must be used to comply with the program’s requirements.
- A CSP can complete a FIPS PUB 199 Worksheet via www.fedramp.gov.
A third-party assessment organization (3PAO) steps in to examine the effectiveness of the implemented controls. They will conduct a security assessment on the actual system (i.e., not a test system) to be used.
- CSPs are not required to use a FedRAMP-accredited 3PAO. However, any independent assessor must create a testing plan that utilizes the FedRAMP SAP template, which can be found on www.fedramp.gov/templates/.
- 3PAOs and independent assessors must abide by test case procedures found on www.fedramp.gov when assessing the CSP’s system.
The independent assessor or 3PAO presents their findings via a Security Assessment Report (SAR), which should contain any discovered vulnerabilities, threats, and risks, as well as ways to mitigate these. The federal agencies that review the assessor’s findings may request further tests if risks were identified during the assessment stage. Otherwise, the federal agency may approve the report.
- In case risks were identified in the SAR, the CSP must present a Plan of Action & Motives (POA&M) that provides in detail how the security risks will be mitigated using available resources, staff, and a schedule.
CSPs must continuously monitor its security controls and provide their findings to the authorizing agency. That means CSPs must be able to regularly scan their applications, databases, and servers for vulnerabilities. The 3PAO or independent assessor, for their part, should assess the CSP’s cloud security at least once a year.
- Continuous monitoring activities depend on what type of FedRAMP authorization the cloud provider wants to obtain. That means CSPs that want to provide services to multiple agencies require monthly and yearly assessments, while those that want to serve one or two may require only a yearly assessment.
What Is Microsoft GCC High?
Only DoD and Defense Industrial Base (DBI) contractors and federal agencies can use GCC High. Companies hoping to avail of GCC High services need to undergo Microsoft’s validation process.
GCC High is a cloud platform that meets the strict cybersecurity requirements of NIST 800-171, International Traffic in Arms Regulations (ITAR), and the Federal Risk and Authorization Management Program (FedRAMP). GCC High is a copy of Microsoft DoD, but the former is able to operate in its own sovereign environment.
GCC High comes with all the features found in the commercial version, except for compliance manager and calling plans. In addition, several tools including Cloud App Security, Microsoft Defender ATP, and
If your company has a Microsoft 365 Commercial account and you want to take it up a notch and use GCC High, you need to go through several procedures to become a validated user.
To do this, you need to work with an Agreement for Online Services for Government (AOS-G) partner. An AOS-G partner is a managed IT services provider from whom you can purchase a Microsoft 365 license directly.
Do You Need GCC High to Be CMMC DoD Compliant?
GCC High is not included in the list of CMMC DoD compliance requirements. Even though it’s the only version of Microsoft 365 that complies with the reporting requirements stated in DFARS 7012, you do not need GCC High to get a CMMC DoD certificate specifically for CMMC levels 1 and 2. However, if your organization is looking to become certified at level 3 or higher, there is a clause in the contract for DFARS 7012. Microsoft GCC High is the only reporting platform within Microsoft 365 and Office 365 that meets the requirements for DFARS 7012. Therefore, if your company is looking to become level 3 certified, and you use Office 365 or Microsoft 365, you will need GCC high to be compliant.
Back to top
Implementing a CMMC Audit Strategy
Some contractors may experience a slow process for CMMC certification, but this does not mean that all DoD contractors can do is wait until the accreditation board is ready to conduct audits. There are a number of ways contractors can ensure success in their upcoming certification by developing a clear compliance plan and strategy.
What Does the CMMC Audit Look Like?
- All contractors working for the DoD are required to be CMMC certified by passing a CMMC compliance audit. The CMMC Accreditation Body (AB) recommends that contractors should prepare for the audit at least six months in advance.
- The DoD will work with certified third-party assessor organizations (C3PAOs) that will be responsible for performing audits to ensure a contractor has met all the required cybersecurity controls needed.
- A contractor will be level certified if the CMMC auditor sees it meets all the requirements specific to that level.
If your company has the available resources and IT staff, it can meet the CMMC requirements without the help of a third-party consultant. A Self-Assessment Handbook - NIST Handbook 162 is available to guide your IT team, however, it only covers NIST SP 800-171 Rev. 1. Unfortunately, this only lets you obtain a level three CMMC certification. For the time being, a self-assessment handbook Rev. 2 is not yet available.
A CMMC consultant will help your company meet the controls stated in NIST SP 800-171 Rev. 2. In addition, many contractors prefer to have a consultant help them meet CMMC requirements. Other benefits of having a CMMC consultant are:
- It will save your company time and money when getting and maintaining compliance standards.
- A CMMC consultant possesses the tools and documentation needed to conduct a gap analysis and create a system security plan.
- A consultant can perform remediation steps required for compliance.
- A consultant will have documents to prove that compliance is reached and maintained during a CMMC audit.
Once your company is ready for a CMMC audit, the first step is to get a gap assessment. This assessment will determine how close or far away your company is from meeting CMMC level standards. Other issues that gap assessments look for are:
- How access to sensitive information is controlled and limited
- How managers and systems administrators are trained
- How data records are stored and protected from breaches
- How security controls and policies are implemented
- How cybersecurity incident response plans are created and implemented
A gap assessment for Charles IT will identify potential danger spots and weaknesses in your IT infrastructure. We will then provide you with a remediation plan to address those weaknesses, ensuring a straight path to CMMC and DFARS compliance. You can start your gap assessment today.
Steps to Success
No matter which route your company chooses, certain processes should be part of every audit success strategy. Review those steps here:
Step 1: Use existing guidelines to review your current cybersecurity maturity
Check your compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 regulations. This will give you a good baseline to see what controls you’ve implemented and which ones you might look to implement in the future. 85% of level 3 CMMC certification depends on NIST 800-171 security controls, so it is a good way to start with DFARS compliance to evaluate your current compliance with CMMC requirements.
Step 2: Identify the gaps in your security protocol and determine what needs to be strengthened and/or improved
Determine which security controls you need to implement, ideally after a gap assessment from a third party. Strengthen controls required for the CMMC level you’re aiming to certify for. For most contractors with the DoD, that’s a level 3 certification, which allows handling of CUI.
Step 3: Assess your business’s ability to fill in the gaps identified (can you do it in house?)
Assess whether you’re fit to implement any needed security controls. Consider electing external help with critical services like endpoint encryption, external vulnerability scanning and backup and disaster recovery.
Step 4: Create a plan that will be sustainable in the long-term
Create a plan that lays details such as company protocols, responsibilities of employees, the security solutions needed and their cost. With a detailed plan, you’ll be able to identify whether you have the manpower or budget to sustain the upgrades to your cybersecurity in the long-term. It will also help you decide whether it would be best for you to outsource these solutions or set them up yourself with your own resources.
Step 5: Implement the plans and start step 1 again.
Check to see if the plans you’ve implemented actually got you closer to CMMC compliance. You can do this by reviewing your refreshed cybersecurity protocols and identifying any further gaps that need to be filled.
Identifying and filling in gaps in your cybersecurity is an ongoing process. Merely implementing a group of security solutions will not help maintain CMMC compliance. You and your team needs to be informed and have access to proper channels of communications and support to ensure that your cybersecurity hygiene is operating at the optimum level.
To be fully prepared for your CMMC audit, you’ll want to keep your eye on updates as the CMMC process gets rolled out. Appointing someone from your organization to be your designated CMMC leader would be a smart move. Your appointed CMMC leader will then be responsible for keeping up with updates, scrutinizing each area of your cybersecurity hygiene, and identifying your company’s preparedness for an audit. Needless to say, that person will also need to be fully equipped with everything there is to know about the CMMC requirements, so make sure that they read our guide to CMMC compliance requirements.
If you’re unsure whether a current employee has all the necessary expertise required to get your company certified, you can instead consult with a trusted expert on DFARS regulations, like Charles IT.
Back to top
The Impact of Managed Detection Response
There’s an additional layer of security that many contractors opt to implement. Managed Detection and Response (MDR) is an advanced approach to managing cybersecurity challenges through the proactive detection of potentially malicious activities across a network. It’s a type of outsourced service that provides organizations access to the tools and knowledge they need to achieve a high level of cybersecurity maturity even if they have limited in-house resources.
Although there’s some overlap between MDR and managed security services in general, there are some important differences regarding coverage, compliance, incident response, detection levels, and human expertise. Modern threat detection services, for example, use behavioral AI to recognize potentially malicious activities regardless of their origins and attack vectors. A response program proactively manages and reverses the malicious activity so every endpoint can be healed in real time.
Proactive detection and response is one of the core concepts of CMMC. CMMC level 4 compliance in particular requires systems and practices to be put into place that enhance detection and response capabilities of an organization so they can adapt to evolving tactics, techniques, and procedures used in cyberattacks.
Achieving a CMMC level 4 certification might seem like a daunting task. It requires a deep understanding of your IT systems and processes and the threat models and vectors criminals and state-sponsored attackers use when they try to compromise your systems. However, reaching this level can greatly expand your business’s chances of securing profitable contracts with the DoD.
It’s almost impossible for all but the largest enterprises to achieve a high cybersecurity maturity without external help. Even in cases where money isn’t a factor, there are millions of unfilled information security positions around the world. Simply put, in most cases outsourcing is the only practical option.
But outsourcing isn’t just a necessity in many cases. MDR can also be highly beneficial to the long-term mission of a business. It lets them innovate at scale without increasing risk, while also becoming more resilient to change, especially with regards to the cyberthreat landscape.
MDR is now an essential extra layer of security, not just for those seeking CMMC certification, but also for reducing risk to their businesses and their clients. By contrast, traditional managed security services only provide a base level in the form of event logging and monitoring, device scanning, and policy management.
Back to top
Your company’s ability to conduct business with the DoD is on the line if you don’t pass your audit. You need to get that certification on your first CMMC audit so that you don’t lose any critical time and revenue preparing for and conducting reassessments.
This means that the certification preparations should start as soon as possible. The sooner an organization begins preparation, the more efficiently they can assess the gaps in their current cybersecurity hygiene. Remember, self-certification is no longer an option for CMMC, unlike it was for DFARS. DoD CMMC certification can only be awarded upon a positive review by an accredited third-party auditor.
DoD contractors shouldn’t view CMMC compliance as something that’s complete the moment they’ve passed an audit. Instead, it should be approached as a starting point for iteratively improving your organization’s cybersecurity posture. Building a security-first company culture will add value throughout the business and open the doors to innovation. Becoming certified and working your way up through the levels will ensure you’re better positioned to compete in a highly lucrative market.
The easiest way to prepare for a CMMC audit is to work with a CMMC consultant, especially if you don’t have access to the necessary in-house expertise. For many contractors, it makes more sense to outsource the task, since it costs less, saves time, and ensures the necessary requirements have been met before an official audit.
Having a gap assessment performed is a good way of identifying weaknesses and gaps in your IT infrastructure. Our gap assessment will ensure that your business has the minimum security requirements in place to comply with CMMC standards. Want to pass your CMMC audit the first time? Start with a Charles IT gap assessment.
Table of Contents
What is CMMC?
CMMC and DFARS: A Closer Look
The 5 CMMC Levels
Preparing for CMMC Compliance
Implementing a CMMC Audit Strategy
The Impact of Managed Detection Response
Save it for later. Download the PDF version of this ebook!