As most Department of Defense (DoD) contractors are likely aware, the Cybersecurity Maturity Model Certification (CMMC) is the latest in increased regulation of controlled unclassified information (CUI). Since its initial draft in early 2020, many organizations have been working to understand the levels of the framework, and how it applies to their business. Luckily, CMMC draws from existing technology standards.
So what can DoD contractors do understand how CMMC applies to them, and how to prepare for an assessment? Create a CMMC compliance checklist. CMMC requires full compliance at the time of assessment, so preparation is crucial. Here are some checklist items your organization can utilize in order to be better prepared for your assessment.
Assess Your CUI
One of your top priorities when preparing for CMMC is to understand your data and identify which is subject to CMMC. It is intended to cover CUI in non-federal IT systems. CUI covers a multitude of types of information, such as:
- Sensitive intelligence information
- Patents and other intellectual property
- Tax-related data
- Information related to legal actions and law enforcement
CMMC’s focus on CUI in non-federal systems is a crucial distinction, as many organizations have pre-existing certifications like those of FedRAMP and FISMA, which may classify their systems as federal.
Leverage other Federal Frameworks
Organizations seeking CMMC certification should consider how to best leverage existing frameworks. Because CMMC was developed from other various frameworks, overlap exists between its criteria and that of others, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CFS), several NIST special publications, the CERT Resilience Management Model (RMM), and more.
Some of the certifications that could ease the transition to CMMC include:
- ISO 27001
- FISMA
- Risk Management Framework (RMF)
- FedRAMP
- NIST Special Publication 800-171 (NIST SP 800-171)
It’s important to note that these certifications and frameworks don’t guarantee compliance with CMMC, and depending on how your organization uses CUI, portions or all of your organization may be subject to CMMC anyway. Complying with existing cybersecurity frameworks, however, can give you a leg up and be applied to your CMMC certification process.
Familiarize Yourself with the CMMC Appendices and Assessment Guides
Familiarizing yourself with these documents should be another priority on your CMMC compliance checklist, as they are one of the best sources for understanding:
- Which controls CMMC establishes
- The intent of each control
- How controls are defined
The DoD has provided assessment guides to understand the five levels of CMMC. Most organizations will likely be either at CMMC level 1 or level 3 but reading the appendices and assessment guides can help determine what level your organization actually needs to aim for.
Complete NIST Special Publication 800-171
Beyond CMMC, NIST SP 800-171 addresses the use of CUI in non-federal IT systems. For organizations planning to seek level 3 of CMMC compliance, adhering to NIST SP800-171 can give you a head start. By doing so, organizations will have hit on 110 of the same controls covered by CMMC, leaving only a handful of other controls to be level 3 compliant.
This step may be mandatory for your organization, as the DoD requires, via the updated Defense Federal Acquisition Regulation (DFARS) 7012 clause, that organizations prove NIST SP 800-171 compliance for new contracts.
Start Your CMMC Checklist Today
Starting out on CMMC may seem daunting, but by preparing a checklist and taking it step by step, organizations can be better prepared for their assessment. Understanding your organization’s use of CUI internally, familiarizing yourself with the framework, and implementing controls ahead of time can help you face CMMC with confidence.
Prepare for CMMC with Kyber Security
Any business operating with the DoD will need to be CMMC compliant to win contracts, and Kyber Security can help you do just that. Allow us to evaluate your related processes, controls, and policies to identify any potential gaps in your infrastructure to be better prepared for your assessment.