Five Steps in Your CMMC Compliance Checklist
New CMMC 2.0 updates have been released by the Department of Defense (DoD), and requirements are closer than ever before. To best prepare, complete these five steps on your CMMC checklist.
Governmental data around the world has been under increasing attack from threat actors. Look no further than the stunning SolarWinds supply chain attack in late 2020 to see just how determined, sophisticated, and subtle these hackers can be. It’s no surprise that governments, including the U.S., are responding to cybersecurity threats with increased regulations.
While organizations may be aware of long-standing frameworks and certifications such as the Federal Risk and Authorization Management Program (FedRAMP) and the Risk Management Framework (RMF) for Federal Information Security Management Act (FISMA) compliance, there is a new requirement on the block that has organizations of all sizes asking questions: the Cybersecurity Maturity Model Certification (CMMC) program.
Since the U.S. DoD shared the initial draft in early 2020, organizations have been working to understand CMMC, the initial five levels of the framework, and how it applies to their businesses. For organizations not familiar with federal frameworks, CMMC can be a head-scratcher, even with the official CMMC FAQ.
Although the CMMC 2.0 framework has been released, there are still many lingering questions surrounding the most recent updates to the CMMC framework. The Pentagon plans to release the DFARS “interim rule” by May of 2023, as well as a CMMC Certification Assessment Process (CAP) guide in June of this year. While timing has been uncertain, organizations can create a CMMC compliance checklist and prepare for anticipated CMMC requirements. Not only can they, but they should—because CMMC requires full compliance. Organizations preparing for CMMC have little wiggle room for error. Read on to get prepared.
1. Assess Your CUI
One of the best things you can do to prepare for CMMC is understand your data and identify which data is subject to CMMC.
The CMMC model is intended to cover controlled unclassified information (CUI) in non-federal IT systems. Per the National Archives, CUI covers a multitude of different types of information, such as:
- Sensitive intelligence information
- Patents and other intellectual property
- Tax-related information
- Information related to legal actions and law enforcement
- And much more
The CMMC’s focus on CUI in non-federal systems is a crucial distinction, as many organizations have pre-existing certifications such as FedRAMP and FISMA, and, as such, their systems (or parts of their systems) may be classified as federal.
However, it’s important to note that even organizations with FedRAMP and FISMA authorization to operate (ATO) may still have CUI that is subject to CMMC.
For example, your organization may:
- Generate derived CUI, which is new CUI created based on how your organization works with existing federal data
- Store, transfer, or process designated CUI in systems that don’t fall under FedRAMP or FISMA
This is why a holistic analysis of your organization’s systems is crucial. Understand what data is subject to CMMC and right-size your approach to bringing that data under full compliance before submitting for CMMC certification.
2. Leverage Other Federal Frameworks
The CMMC program is exploring the possibility of reciprocity with other frameworks. However, this concept is still in the preliminary stages of discussion, and organizations can’t assume that compliance with existing frameworks or regulations will be accepted in lieu of CMMC.
That said, organizations seeking CMMC certification should consider how best to leverage existing frameworks. CMMC was developed from various other existing frameworks, and there is overlap between its criteria and that of others, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), several NIST special publications, the CERT Resilience Management Model (RMM), and more. Due to the complex nature of CUI and IT systems, leveraging and complying with existing cybersecurity frameworks can give organizations a leg up.
Some of the certifications that could ease the transition to CMMC in part or in whole are:
- ISO 27001: A rigorous international framework focused on ensuring that organizations manage information with best practices and industry standards.
- FISMA: A U.S. law that regulates how U.S. federal agencies (and the organizations that work with them) securely manage and process data.
- Risk Management Framework (RMF): RMF was developed by NIST and is designed to help organizations implement the controls and processes necessary to manage their risk when handling federal data.
- FedRAMP: A domain-specific version of the RMF, FedRAMP is a U.S. regulation targeted at cybersecurity for cloud services providers that work with U.S. federal agencies.
- NIST Special Publication 800-171 (NIST SP 800-171): A special publication that specifically details the guidelines for managing CUI in non-federal IT systems (more on this below).
Again, none of these certifications, regulations, or frameworks guarantee compliance with CMMC. Depending on how your organization uses CUI, portions or all of your organization may be subject to CMMC anyway. However, if you are already pursuing ISO 27001, FedRAMP, or FISMA compliance, now is a good time to review the reach of those certifications with a trusted auditing and assessment firm to determine any overlap with CMMC and the potential of reciprocity. Plus, those with experience speaking “federalese” will have an advantage when it comes to understanding CMMC.
Bottom line: In some cases, the lessons you learn from other frameworks can be applied to your CMMC certification process.
3. Read the CMMC Appendices and Assessment Guides
The DoD has been consistent from early on with its CMMC framework and appendices. Reviewing these documents should be one of the first stops on your CMMC compliance checklist, as they are one of the best sources for understanding:
- Which controls CMMC 2.0 establishes
- The intent of each control
- How controls are defined
Additionally, the DoD has provided assessment guides to understand the three levels of CMMC. Each assessment guide explains the criteria for assessment, various controls and practices that will be assessed, and more.
With CMMC 2.0, the original five levels were reduced to the current three security tiers, designed to simplify the program requirements. Information on Level 1 Foundational, Level 2 Advanced, and Level 3 Expert is available. Reviewing these documents can help organizations determine their current level, or what they need to do to meet the criteria of their desired level. The difference between Level 1, Level 2, and Level 3 is a matter of controls and maturity capabilities. Level 1 requires 17 controls, the same as under CMMC 1.02. Level 2 has the 110 controls outlined in NIST SP 800-171, whereas Level 3 will replace what was formerly known as CMMC Levels 4 and 5. Details of this level are still being defined; it is expected to incorporate a subset of controls from NIST SP 800-172.
Most organizations will likely be either at CMMC Level 1 or CMMC Level 2. Reading the appendices and assessment guides can help determine what level your organization actually needs or wants to aim for.
4. Complete NIST Special Publication 800-171
Beyond CMMC, there is an existing publication that addresses the use of CUI in non-federal IT systems: NIST Special Publication 800-171 (NIST SP 800-171).
For organizations planning to seek CMMC Level 2 compliance, adhering to NIST SP 800-171 offers a head start. By complying with NIST SP 800-171, organizations will already have addressed the same controls covered by CMMC Level 2.
This step on your CMMC compliance checklist may, in fact, be mandatory for your organization. Via the updated Defense Federal Acquisition Regulation Supplement (DFARS) 7012 clause, the DoD requires organizations to prove NIST SP 800-171 compliance for any new contracts, as a means of easing the transition to CMMC in the coming years.
Regardless of whether your organization is seeking a new contract or just working toward becoming CMMC-ready, NIST SP 800-171 is a good interim step toward the newest rule.
5. Find the Right Partners
CMMC certification must be completed through an authorized CMMC third-party assessment organization (C3PAO). As with most audits, finding the right firm is paramount. And a good firm will be more than a vendor; they’ll be a partner.
Many of the certifications and ATOs you pursue will interact with CMMC in various ways, and the right long-term partner can help you pursue a smart strategy to address your compliance needs and goals. For example, at A-LIGN, we worked with our client Aires to streamline their audits and get ready for CMMC.
A good auditing firm will be paying close attention to CMMC right now, attending the CMMC-AB town halls, and becoming a CMMC expert. Before the DoD releases their final guidance for CMMC assessments, find a partner who can help you prepare, guide you through the process, and keep you updated on CMMC news.
Start Your CMMC Checklist Today
Getting started with CMMC may seem daunting; this is a new framework, and there are still many unanswered questions. However, organizations can make a CMMC compliance checklist and tick off several steps in the meantime to prepare. By understanding the use of CUI internally, implementing controls ahead of time, and more, organizations can face the final updates with confidence.