What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a set of requirements implemented by the United States Department of Defense (DoD) that will help standardize cybersecurity implementations for organizations within the Defense Supply Chain (DSC). Although previous standards have existed, they were often implemented and enforced ineffectively. For example, NIST 800-171 provides requirements for organizations that are in possession of Controlled Unclassified Information (CUI). Companies self-assess their cybersecurity standing and report their own assessment results. Unfortunately, this has led to many companies misunderstanding or incorrectly implementing the necessary security requirements. In some cases, this in turn has led to CUI being stolen in data breaches. Although there are penalties for not implementing NIST 800-171, the damage has already been done by the time that comes to light. In contrast, the CMMC requires organizations to meet its standards before they are provided access to CUI or other important documents. In addition, the assessment must be conducted by an independent third-party assessor.
Although the process of meeting the CMMC requirements can seem overwhelming, it is not an unattainable goal. The CMMC is separated into five levels. Compliance with higher levels allows for access to more sensitive information. This means that if a company is handling data that only requires level three compliance, they do not have to meet the standards in levels four or five of the CMMC. Additionally, the requirements for level three compliance include all of NIST 800-171. So if a company is NIST 800-171 compliant, they have already done a lot of the work for reaching CMMC level three. On top of that, each level is cumulative, meaning that each level of compliance includes the requirements for the levels below it. So achieving compliance at level three also means compliance at level one and level two as well.
Processes and Practices
Most of the certification levels are assessed based on two types of information; these are typically referred to as processes and practices.
Processes, sometimes called administrative controls, are the items that involve creating written policies that address the certification requirements.
Practices are the items that require a technical implementation of some sort. Depending on the organization’s target certification level, varying levels of documentation will be required. For example, at certification level one a company only needs to have the required practices in place; they don’t necessarily need thorough documentation on those items. At level two, however, the implemented practices must be properly documented to help ensure their accuracy and repeatability.
Preparing for Certification
CMMC preparation normally occurs in two steps: preliminary assessment and remediation. In the preliminary assessment phase, a company will need to determine what certification level is required. This is determined by various factors, including how sensitive the data they are being provided is. Once a target certification level has been selected, the company can begin the process of reviewing the policies and procedures they have in place and comparing them against the CMMC requirements. After unfulfilled requirements have been identified, the organization must then work to implement new processes and practices to meet those requirements.
Unfortunately, this straightforward process includes a few pitfalls. One of the biggest is understanding what is actually necessary to fulfill a requirement. Whether it is the CMMC or some other compliance standard, requirements can often be confusing or easily misunderstood. This is especially true for standards like the CMMC that are non-prescriptive, which means that while the CMMC will specify what requirements need to be met, it does not specify how to meet them. This unfortunately leaves some of the requirements open to (mis)interpretation. Often, a company will implement a solution to fulfill a requirement and later realize their solution solves the wrong problem. On the other end of that spectrum, it can be easy for a company to implement a solution that costs much more time and money than was really necessary.
The process of assessing an organization’s infrastructure and remediating compliance deficiencies can be a confusing and time-consuming one. As a result, many companies are utilizing the services of third-party compliance experts. These experts often come with a deep understanding of CMMC and other compliance standards. Their services will typically include assistance in reviewing a company’s existing security posture and making recommendations on how to fill in the gaps.
For example, Vestige has a three phase process to help organizations prepare for CMMC certification. The first step is a precertification assessment. During this phase, we conduct a cybersecurity assessment as if we were running the certification audit. Using the results of the assessment, we provide a roadmap that shows where the organization is currently as well as a plan forward to meet the requirements of the target certification level. In the second step, we help the organization implement the recommendations from the roadmap. We work with the existing IT team to ensure that the newly implemented processes and practices are properly working and documented. For the last step, we work with the company during the actual CMMC certification audit, helping to ensure the certification process goes smoothly.
Preparing for CMMC certification can be a difficult process, but there are experts who can help. To learn more about your options – click this link:
Keep in mind, Vestige is a CMMC – Registered Provider Organization (RPO) with Registered Practitioners (RP) on staff. As cybersecurity experts across multiple frameworks we have the experience and knowledge required to navigate the complexities of the CMMC and other compliance standards. CONTACT VESTIGE to learn more about our CMMC Services and how we can help.