A man sitting working on a laptop and a tablet displaying code with open locks graphics over his laptop.

What You Need to Know to Become CMMC Compliant

Meeting the requirements of DFARS and Cybersecurity Maturity Model Certification (CMMC) can seem daunting. The good news is that if you take a measured, informed approach, your organization can begin to take the necessary steps it needs to achieve and maintain compliance and, in doing so, continue to be eligible to secure lucrative contracts with the Department of Defense (DOD).

 

CyberSheath recently conducted training to help support the defense contractor community in meeting their compliance objectives. Our five-part cybersecurity compliance training covered a range of topics and gave attendees the knowledge and tools they needed to be successful. At the conclusion of the training module, participants who successfully completed the entire ninja training course achieved Black Belt status.  Register now for CMMC Con 2021 to see the Black Belt ninjas names displayed honoring their dedication to the training.

 

Steps to CMMC compliance

Here’s what we shared during our training to help participants prepare for the complexities and challenges of meeting the DOD regulatory requirements. 

Step 1 – Identify controlled unclassified information (CUI)

Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DOD), there are a number of requirements to protect non-public information (NPI).

Information types include:

  • Federal Contract Information (FCI) – Non-public information associated with a federal contract. CMMC offers this description, “FCI means information provided by or generated for the Government under a contract not intended for public release.”
  • Covered Defense Information (CDI) – A form of CUI that is developed under a DOD contract. It is non-public information where a specific law, regulation, or government-wide policy is published that requires that information to be protected in some manner. 
  • CUI – Established by Executive Order 13556 as a way to standardize how to handle sensitive but unclassified information. According to this order, “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

 

Step 2 – Conduct an assessment

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant. Before getting started, determine which level of CMMC compliance you need to attain. 

  • Level 1 – Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving FCI. It covers 17 controls across six domains.
  • Level 3 – This level is required for companies having CUI data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. It covers 130 controls across 17 domains.

Here are some guidelines. 

  • Start with an assessment kickoff to gather the required team, discuss the CMMC framework, outline the in-scope environment, and craft a schedule.
  • Interview key personnel, complete applicable attestations, and collect relevant artifacts.
  • Analyze all the information you have assembled and compile an initial score as pertains to the controls you have already demonstrably implemented.
  • Create a report detailing the current state including an executive summary, DFARS interim scoring rule, key observations and recommendations, and a detailed analysis of each practice.
  • Present and discuss assessment results, key compliance findings, and the path forward.

 

Step 3 – Submit your current status to the SPRS

Once you have assessed your current state and mapped your organization’s compliance against the 130 controls, it’s time to log that information into the Supplier Performance Risk System (SPRS).

Note that admitting deficiencies can seem counter intuitive, but establishing a cybersecurity baseline for your company, and then working to improve your score–making sure to update it as you comply with controls–is a good way to show your commitment to achieving full compliance.

Here is how you can get started.

  • Set up your account by visiting the procurement integrated enterprise environment (PIEE) website and enter the required information. 
  • Access the SPRS by selecting it from the drop-down menu.
  • Select ‘SPRS Cyber Vendor User’.
  • Add roles.
  • Complete the agreement.
  • Have the admin linked to the cage code approve your account.
  • Submit your assessment score.

 

Step 4 – Draft your SSP and POA&M

The system security plan (SSP) and plan of action and milestones (POA&M) provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

  • SSP – Outline how your organization manages cybersecurity and determine which approach makes sense for your environment – an organizational, system-focused, hybrid or shared compliance plan. Make sure your document includes systems information, control narratives, diagrams, artifacts, and more.

POA&M – This is a corrective action tracking mechanism. Here are the key questions to address as you develop your own POA&M.

  • What are the actions that you need to take to implement each control?
  • When do you plan to have each action completed? Include interim completion dates.
  • Who is responsible for managing and completing each action?
  • What is the compliance impact, estimated cost, and risk of each?
  • How was the weakness that requires this action identified?
  • Which control does this action correspond to and address?
  • What is the status? Is this action ongoing or completed?

 

Step 5 – Implement controls and manage compliance

Addressing security measures can seem like a huge task, as your organization must meet all 130 controls to be CMMC compliant. Here’s an overview of how to tackle this endeavor, divided into general control categories.

  • Security Monitoring Controls
    • Security Information and Event Management (SIEM) – Regular review of logs is a key part of CMMC and NIST SP 800-171 compliance, as well as a general best practice. Keep in mind that aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.
    • Vulnerability Scanning – Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often used by threat actors to exploit systems, leading to ransomware and data theft.
  • IT Infrastructure Controls – IT Infrastructure refers to all of your company’s hardware and software, both on-premise and in the cloud. Many companies struggle implementing controls in environments where CUI is stored on-premise and they have older unsupported hardware and software which puts CUI at risk. 
  • Policy and Administrative Controls – One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. Make sure you are capturing what technology you are putting in place and the processes of implementing and managing that technology. 

 

No matter how skilled you and your organization are, we can support your path to compliance with CMMC. Engage with us for as much as you need. Our team is happy to partner with your internal resources to help you reach your compliance goals. Contact us to learn more.