Companies seeking out lucrative Department of Defense (DoD) contracts as part of the Defense Industrial Base (DIB) sector need to prepare for rigorous security verification. The Cybersecurity Maturity Model Certification (CMMC) framework measures a company's ability to protect the information the DoD entrusts to its contractors, which, in turn, affects military and national safety. To prepare for an official CMMC audit, many companies elect to execute a CMMC readiness assessment first.
How to Conduct CMMC Assessment for Compliance Readiness
The CMMC is a recent development. It was pioneered by the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to streamline various protections required for DoD contractors. It is a robust framework that can be challenging to implement.
There are three primary steps companies should take to assess their CMMC readiness:
- Gauging the existing controls already in place for other compliance frameworks
- Executing a mock CMMC assessment, testing for Practices by Domain or Level
- Augmenting security systems, filling in gaps identified in the mock assessment
RSI Security will help prospective contractors with all steps in this preliminary audit process, then facilitate official certification—helping to secure DoD preferred contractor status at low costs.
CMMC Readiness Assessment Step 1: Gauge Existing Controls
The first step towards an impactful CMMC readiness assessment involves surveying your company’s existing cyberdefenses. Many companies who are integrating a new framework already have cybersecurity protections in place. Therefore, meeting CMMC requirements may be equal parts mapping existing controls and building out or acquiring entirely new systems.
One of the first places to begin assessing your cyberdefense architecture is actually by referring to other security frameworks your company is already subject to, beyond what the DoD requires. For example, if your company handles credit card data, it may need to be PCI DSS compliant; if it handles protected health information as a healthcare covered entity or business associate, it may need to be HIPAA compliant. Both frameworks contain controls that overlap with, and can likely be mapped to, CMMC requirements.
The best way to streamline all compliance requirements across all applicable frameworks is through an omnibus system like the HITRUST Alliance’s CSF. The newest CSF (version 9.4.2) has explicitly included a built-in mapping framework pertinent to CMMC controls, facilitating your preliminary assessment and eventual development or procurement of safeguards for CMMC.
DFARS Requirements for DoD Contractors, Vendors, and Third Parties
If your company is not subject to many other compliance frameworks, you may prefer to adhere strictly to DoD-specific requirements for contractors. These requirements are laid out primarily in the Defense Federal Acquisition Regulation Supplement (DFARS) across the following clauses:
- DFARS 204.7304 – Prescribes which clauses in the 252.204-7000 series must be included in DoD solicitations and contracts, with an exclusion for commercial off-the-shelf (COTS) items.
- Clause 252.204-7012 – Defines Covered Defense Information (CDI) that must be protected, requires implementation of NIST SP 800-171 to safeguard it, and sets protocols for reporting cyber incidents to the DoD.
- Clause 252.204-7019 – Notifies offerors that a current NIST SP 800-171 DoD Assessment (Basic, Medium, or High) must be on record in the Supplier Performance Risk System (SPRS) to be considered for award (see below).
- Clause 252.204-7020 – Defines the NIST SP 800-171 DoD Assessment methodology, requires contractors to give the DoD access for Medium and High assessments, and flows the requirement down to subcontractors.
- Clause 252.204-7021 – Requires a current CMMC certification, at the Level specified in the contract and no older than three years, for DoD contractors and the subcontractors to whom the clause is flowed down.
Other clauses in the 252.204-7000 series also pertain to DoD relationships with contractors, but these are the most critical. Note that compliance with the NIST SP 800-171 framework is both a requirement in its own right and a critical step towards full CMMC certification. This is because the CMMC contains all 110 Requirements from NIST SP 800-171, including all the Basic and Derived Requirements from all 14 Requirement Families. Therefore, NIST SP 800-171 compliance is a precursor to CMMC certification and an indicator of success for CMMC readiness assessments.
CMMC Readiness Assessment Step 2: Execute Mock CMMC Audit
The next step to completing a CMMC assessment for certification readiness is to test your security systems against the specific controls laid out in the CMMC framework. Two primary schemes can inform your assessment, based on the two ways the framework distributes its controls:
- Domains – The CMMC comprises 17 security Domains, based on the 14 Requirement Families in NIST SP 800-171 plus additional areas outside the scope of that guide. The Domains break down further into two distinct kinds of requirements for security systems:
  - Capabilities (43 total) are high-level goals security systems need to accomplish.
  - Practices (171 total across all five Levels) are individual controls that work to establish Capabilities.
- Levels – Full CMMC implementation occurs progressively over five Maturity Levels. A company needs to implement the specific Practices required for a given Level, along with its:
  - Processes (i.e., measures of institutionalizing Practices across all systems)
Note that Capabilities apply to Domains but not Levels, and Processes apply to Levels but not Domains. Also, not all Levels have Practices from each Domain. For example, there are no AU Practices required at Level 1, so a Level 1 audit never exercises the Audit and Accountability Domain at all, even though its Capabilities become mandatory from Level 2 onward. A hybrid approach can solve these problems: companies may assess Practices by Level while drilling all Capabilities.
Testing for all the Required CMMC Domains, Capabilities, and Practices
One approach to assessing CMMC readiness is to test implementation of all required Practices across all Domains. A high-level test can isolate the extent to which security controls meet the Capabilities of each Domain, which inform the Practices it houses.
Per the most recent CMMC, v1.02, the Domains, Practices, and Capabilities break down as follows:
- Access Control (AC) – 26 Practices, informed by four Capabilities:
  - Establishing secure access requirements and protocols across all systems
  - Monitoring and controlling all internal access to sensitive data and systems
  - Monitoring and controlling all remote access to sensitive data and systems
  - Restricting all data access to authorized users and processes exclusively
- Asset Management (AM) – Two Practices, informed by two Capabilities:
  - Detecting, identifying, documenting, and analyzing all sensitive assets
  - Maintaining an updated, detailed, and easily accessible IT asset inventory
- Audit and Accountability (AU) – 14 Practices, informed by four Capabilities:
  - Defining all audit requirements, per internal and external needs or norms
  - Performing audits at regular intervals and around security-relevant events
  - Identifying and safeguarding all data produced by audits and assessments
  - Reviewing audit logs at regular intervals to maintain integrity and security
- Awareness and Training (AT) – Five Practices, informed by two Capabilities:
  - Conducting security awareness activities for all staff at regular intervals
  - Conducting role-based security training for all staff at regular intervals
- Configuration Management (CM) – 11 Practices, informed by two Capabilities:
  - Establishing baseline security configurations for all systems and settings
  - Managing all establishment and maintenance of (or changes to) configurations
- Identification and Authentication (IA) – 11 Practices, informed by one Capability:
  - Requiring strict identification and authentication of users, processes, and devices before granting access
- Incident Response (IR) – 13 Practices, informed by five Capabilities:
  - Planning out all short- and long-term response protocols for security incidents
  - Detecting, identifying, reporting on, and responding to events as they occur
  - Developing and implementing responses to incidents according to their classification
  - Performing post-incident reviews of incident response plans after resolution
  - Testing all incident response systems and protocols at regular intervals
- Maintenance (MA) – Six Practices, informed by one Capability:
  - Managing ongoing maintenance for all assets, settings, and user profiles
- Media Protection (MP) – Eight Practices, informed by four Capabilities:
  - Identifying and clearly labeling all media and all other assets related to media
  - Monitoring and controlling access to and behavior with all media-related assets
  - Sanitizing all media before disposal, reuse, or release outside the organization
  - Implementing special protections for safe transport of media, such as encryption
- Personnel Security (PS) – Two Practices, informed by two Capabilities:
  - Screening all potential hires and new personnel rigorously prior to full onboarding
  - Safeguarding all sensitive data during all personnel moves (including termination)
- Physical Protection (PE) – Six Practices, informed by one Capability:
  - Limiting physical access to devices, equipment, and areas containing sensitive data
- Recovery (RE) – Four Practices, informed by two Capabilities:
  - Backing up all sensitive assets and settings and managing the security of the backups
  - Reducing downtime and maintaining business continuity during and after an event
- Risk Management (RM) – 12 Practices, informed by three Capabilities:
  - Detecting, identifying, analyzing, and evaluating all risks as swiftly as possible
  - Managing risks throughout their lifecycles, including related and dependent risks
  - Managing all risks across the supply chain and network of strategic partners
- Security Assessment (CA) – Eight Practices, informed by three Capabilities:
  - Developing and then implementing a system security plan (SSP) for all controls
  - Defining, implementing, and managing all security controls, per the formalized SSP
  - Reviewing code and the inner workings of all security controls at regular intervals
- Situational Awareness (SA) – Three Practices, informed by one Capability:
  - Implementing a threat and vulnerability monitoring and management program
- System and Communications Protection (SC) – 27 Practices, informed by two Capabilities:
  - Defining and implementing security requirements for communications systems
  - Monitoring and controlling communications at the boundaries of security systems
- System and Information Integrity (SI) – 13 Practices, informed by four Capabilities:
  - Detecting, identifying, analyzing, and addressing all security system flaws
  - Detecting, identifying, analyzing, and addressing all forms of malicious content
  - Performing network and system monitoring at regular intervals
  - Implementing advanced protections for email and messaging communication
Maintaining controls that meet these Practice and Capability requirements is an indicator of success in any CMMC readiness assessment, irrespective of Level-specific Process Maturity.
Testing for Required Practice and Process Maturity Across CMMC Levels
The other approach to assessing CMMC readiness involves testing up to the designated Maturity Level you will be expected to reach, per your contract with a DoD entity. Each of the five CMMC Levels has a specific focus and threshold for Practice and Process Maturity, and each Level includes all Practices of the Levels below it:
- Maturity Level 1 – Companies safeguard Federal Contract Information (FCI).
  - There are 17 Practices, which collectively constitute "basic cyber hygiene."
  - Processes need only be "Performed"; process maturity is not assessed at Level 1.
- Maturity Level 2 – Companies transition toward full implementation of NIST SP 800-171.
  - There are 55 additional Practices (72 cumulative), which collectively constitute "intermediate cyber hygiene."
  - All Processes must be performed and formally "Documented" for assessors.
- Maturity Level 3 – Companies fully protect Controlled Unclassified Information (CUI).
  - There are 58 additional Practices (130 cumulative, covering all 110 NIST SP 800-171 requirements), which collectively constitute "good cyber hygiene."
  - All Processes must be performed, documented, and "Managed" at Level 3.
- Maturity Level 4 – Companies begin defending against Advanced Persistent Threats (APTs).
  - There are 26 additional Practices (156 cumulative), designated as "proactive."
  - All Processes must be performed, documented, managed, and now "Reviewed."
- Maturity Level 5 – Companies shift toward more complete protection against APTs.
  - There are 15 additional "advanced/progressive" Practices (171 cumulative), more complex than Level 4's.
  - All Processes must be continuously "Optimizing" and adjusted dynamically.
The DoD plans to assign contracts at different CMMC Levels depending on the information involved. Contracts exclusively involving FCI may require Level 1, whereas those pertaining to CUI may require Level 3 (or higher) certification. Per the OUSD(A&S), the required Level will be published in each solicitation.
CMMC Readiness Assessment Step 3: Augment Security Systems
The last step in your CMMC readiness assessment is to act upon the insights the evaluation generated. Your company needs to analyze the gaps identified and decide which additional tools or solutions you will need to develop or purchase to meet all CMMC requirements at your target Level. This stage is less about testing and more about cybersecurity architecture implementation. Working with a CMMC compliance partner, you can prepare yourself for the actual, formal CMMC audit.
Alternatively, your readiness assessment may indicate that there are no additional controls needed. If this is the case, you may be ready to get officially certified. Get in touch with a Certified Third Party Assessor Organization (C3PAO), qualified and listed by the CMMC Accreditation Body (CMMC-AB).
Note that, as the CMMC is progressing through its initial rollout during 2021, the CMMC-AB is currently conducting the initial round of C3PAO certifications. RSI Security is undergoing this process—and has extensive experience as an advisor to the CMMC’s predecessor, NIST SP 800-171—so we can help you rethink all elements of your preliminary assessment, framework implementation, and certification.
Rethink Your CMMC Certification Process and Overall Cyberdefense
Any company looking to work long term in a lucrative partnership with the DoD needs to ensure their CMMC readiness. The best way to do that is the three-step process outlined above: first, gauge existing controls. Then, test for CMMC-specific controls. Finally, build out any remaining controls needed per your required level.
For help with all stages, contact RSI Security today!