The deadline for compliance with the Cybersecurity Maturity Model Certification (CMMC) is fast approaching, and many organizations are feeling overwhelmed trying to understand how to comply, what tools they need, and the associated costs.
Admittedly, there's a lot to get right and a lot riding on it: organizations will need to comply if they intend to do business with the DoD. While there's plenty of advice about what you should do, it's also crucial to remember what not to do when preparing for CMMC 2.0 requirements.
Based on our experience working with firms to achieve CMMC 2.0 compliance, we’ve crafted the following list of the most common challenges organizations face.
Assuming Time is on Your Side
It is common to think that compliance can wait and can be handled any time before the "deadline". Assuming you are already close because you have an IT provider helping you and some cybersecurity policies in place can lull you into a false sense of security. Our experience has shown that even the most advanced organizations can take months to achieve and document compliance.
Remember, CMMC compliance is far more than just an IT exercise and requires more than a simple technology adjustment.
There are over 110 different controls in CMMC 2.0 and 34 discrete policies that need to be written, implemented AND enforced (with proof!). In addition, all employees will need to be trained, while new processes and procedures will need to replace old ones.
You Have an Incomplete System Security Plan
The System Security Plan (SSP) is a formal, written plan that documents the infrastructure, associated risks, and security controls in place or planned to mitigate those risks. Auditors begin by reviewing the SSP, and it is crucial that the documentation is complete, including boundary diagrams, network architectures, services, data flows for CUI, and documented processes and procedures for handling it.
Many small and medium-sized companies do not have existing documentation to the depth and complexity required for CMMC compliance. Larger companies may have the people and documentation in-house, but the information can be spread across multiple IT teams. Regardless of the size of the organization, it is essential to have a comprehensive inventory of what falls into the scope of CMMC compliance.
Inadequate Continuous Monitoring
Many organizations work hard to overcome the challenges of becoming CMMC compliant, but then become careless once they achieve compliance. Keep in mind, CMMC mandates ongoing assessment, monitoring, and improvement. To streamline the process, it's best to adopt technologies and frameworks that automate monitoring and maintenance.
Failing to Locate CUI
DIB contractors are required to handle CUI (Controlled Unclassified Information), which is not classified information but is still owned by the government and must be protected. Companies often fail to locate or identify the CUI they store. This results in broad controls applied everywhere to protect CUI, which leads to unnecessary costs and complexities.
Viewing the CMMC Compliance Journey as a Mere Checklist
Contrary to popular belief, CMMC compliance is not just a one-time task or a mere checklist (although our checklist is a helpful starting point). It impacts individuals, processes, and technology, sometimes significantly. Employees may require intensive training, business processes may need alteration, and technology may need to be updated to meet the new standards.
Furthermore, the risk profile and potential attack surface of a business change over time, as does the cybersecurity landscape. Thus, frequent updates to the SSP are necessary to stay ahead of emerging security risks. This is why the DoD plans for regular CMMC audits instead of a one-time assessment.
CMMC compliance is a journey that requires continuous efforts.
CMMC Compliance Services
It's incredibly difficult to navigate the CMMC compliance journey on your own. That's why Kyber Security has assembled a CMMC community of security engineers, business leaders, and thought leaders to help supply useful information about CMMC. We can work with you to guide you on this journey and help ensure that you retain your contracts with the DoD.