A CMMC gap assessment measures how far an organization's current security controls are from the requirements of NIST SP 800-171, the publication that covers the protection of controlled unclassified information in non-federal systems and organizations.
The effectiveness of your existing NIST SP 800-171 controls will come under scrutiny. If your company fails to meet the government's requirements, the consequences can be severe, up to losing eligibility for Department of Defense contracts.
Understanding gap analysis is critical for existing Department of Defense contractors who must implement the Cybersecurity Maturity Model Certification (CMMC). Unlike the self-attestation model that preceded it under DFARS 252.204-7012, CMMC requires certification by an accredited third-party assessor rather than a self-assessment.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) has foundations from existing compliance requirements, namely the following:
- NIST SP 800-171
- NIST SP 800-53
- AIA NAS9933
- DFARS 252.204-7012
The overall goal is to increase the security of the Defense Industrial Base (DIB). The model defines five cumulative certification levels, each pairing a set of practices with a process maturity expectation:
- Level 1: Basic Cyber Hygiene for Practices and Performed for Processes
- Level 2: Intermediate Hygiene for Practices and Documented for Processes
- Level 3: Good Cyber Hygiene for Practices and Managed for Processes
- Level 4: Proactive for Practices and Reviewed for Processes
- Level 5: Advanced/Progressive for Practices and Optimizing for Processes
So much is at stake when contractors are part of a DoD project. It is not sufficient to judge readiness on mastery of technical controls alone; the policies and procedures that govern those controls must be documented just as well. Every participant in the DoD supply chain that handles FCI or CUI must hold a certification at the level its contract requires, including subcontractors.
The DoD introduced the Cybersecurity Maturity Model Certification (CMMC) to raise the bar for contractor cybersecurity. While it provides a more robust shield against cybercriminals, navigating compliance with these overlapping regulatory frameworks can be confusing.
The first version of the CMMC was the product of a thorough collaboration between the following stakeholders back in January 2020:
- The Office of the Under Secretary of Defense for Acquisition and Sustainment
- University Affiliated Research Centers (UARCs)
- Federally Funded Research and Development Centers (FFRDC)
The objective of the CMMC is to create a cybersecurity standard that contractors must implement to protect the defense industrial base (DIB) supply chain. The required level, and therefore the number of practices a contractor must implement, increases with the sensitivity of the information it handles and the nature of its work for the DoD.
The Process of Gap Assessment
The details of a CMMC gap assessment vary from engagement to engagement, but the expectations remain the same once you understand the critical steps of the process:
- A comprehensive review of existing documentation and plans
- Exercises and interviews to test the dependability of security controls
- Reporting of the current implementation status, including any deficiencies the assessors find
- A summary report that consolidates all findings and recommendations
Requirements of CMMC
The CMMC has five levels, each with its own practices and process requirements. The levels are cumulative: to certify at a target level, an organization must also meet every requirement of the levels below it. It is essential to understand all of these levels to pass the assessment.
Level 1: Basic Cyber Hygiene
The basic cybersecurity practices of an organization are reviewed at this level. To certify at Level 1, the company must implement 17 practices, which correspond to the basic safeguarding requirements of FAR 52.204-21 and map to 17 of the NIST SP 800-171 Rev 1 requirements.
Basic cyber hygiene is the focus of Level 1 certification. An organization needs to show that it can safeguard Federal Contract Information (FCI). Level 1 practices only need to be performed; documentation of processes is not assessed until Level 2.
Level 2: Intermediate Cyber Hygiene
Documentation becomes essential at this level: practices must be documented and policies must exist for each CMMC domain. Level 2 adds 55 practices for a cumulative total of 72, of which 48 come from NIST SP 800-171 Rev 1, bringing the cumulative coverage to 65 of its 110 requirements.
This is the transition step toward protecting Controlled Unclassified Information (CUI). Documenting intermediate cyber hygiene practices is integral to passing this level.
Level 3: Good Cyber Hygiene
Managed processes are reviewed at this level: the organization must establish, maintain, and resource a plan covering each domain. Level 3 adds 58 practices for a cumulative total of 130, which covers the remaining 45 NIST SP 800-171 Rev 1 requirements (all 110 in total) plus 20 additional practices drawn from other sources.
This is the level that establishes full CUI protection with competent cyber hygiene policies and procedures, and it is the level that organizations handling CUI are expected to target.
Level 4: Proactive Cyber Hygiene
Sophisticated and advanced cybersecurity defenses are under scrutiny at this level. Level 4 adds 26 practices (156 cumulative), a subset of which is drawn from the draft NIST SP 800-171B, the enhanced requirements later published as NIST SP 800-172.
Strengthening CUI security against advanced persistent threats (APTs) is the benchmark for this level. The organization must review and measure its practices for effectiveness and show that it can adapt to the changing tactics, techniques, and procedures of APTs before an attack succeeds, not merely respond after the fact.
Level 5: Progressive/Advanced Cyber Hygiene
The optimization of highly advanced cybersecurity practices is the focus of this level, with processes standardized across the enterprise and under continuous improvement. Level 5 adds 15 practices (171 cumulative), including the remaining practices drawn from the draft NIST SP 800-171B.
Utmost sophistication is the centerpiece of this level, focusing on security controls that reduce or eliminate the risk from APTs. The organization must show that its cybersecurity defense is advanced and progressive.
The Purpose of the Gap Assessment
The CMMC gap analysis determines whether an organization, particularly a Department of Defense contractor, meets the government's cybersecurity requirements at its target level. The assessment identifies the deficiencies between the current state of the security program and the practices and processes the target level requires, so the company can address them before the certification assessment.
Here are common areas where deficiencies are found:
- Access controls
- Multi-factor authentication
- Data storage
- Backup controls
- Incident response plan
- Network segmentation
- Personnel awareness
The CMMC gap assessment findings will guide the organization's remediation roadmap for reaching and maintaining compliance. This should not be left to chance, especially for contractors who want to honor their obligations and deliverables to the U.S. Government.
The importance of a CMMC gap analysis is hard to overstate. CMMC artifacts such as a System Security Plan (SSP), which CMMC requires from Level 2 upward, and documented risk assessments should not be missing from a cybersecurity program that aims to be mature and successful.
The Duration of the Process
There is no fixed duration for a CMMC gap analysis. It depends on the size and complexity of the organization and on the following factors:
- Security posture
- CMMC level target
- Human resources for analysis
- On-hand documentation
- Subject matter experts availability
- Awareness of the organization about cybersecurity
Here is an example estimate of how long a CMMC gap assessment takes for a company with around 250 employees in a single office. With 25% of the personnel working with Controlled Unclassified Information (CUI), the company must comply with CMMC Level 3. In that scenario, the assessment will take about two to four weeks.
The Benefits of CMMC Gap Assessment
The assessment will inform an organization about the status of its security controls. Which controls need modification, extension, or implementation from scratch? The answers depend on the CMMC level the company is targeting.
A successful CMMC Gap Assessment can provide the following advantages:
- An update on progress toward compliance with NIST SP 800-171
- Assurance that compliance is achievable within the target timeline
- Personnel familiarity with the assessment process before the formal certification assessment
- Evidence of how well FCI and CUI are actually protected, rather than an assumption
- Insights on CMMC budget planning for cost efficiency
- Better chance for contract renewal with the Department of Defense
Organizations will benefit by incorporating best practices into their cybersecurity policies and procedures. The assessment helps inventory the security controls already in place so the organization can build on them with additional processes and controls.
Smaller contractors can begin to raise their cyber hygiene by following the CMMC guidelines. Resilience is the primary objective across the Department of Defense supply chain, because a compromise at one supplier can expose the whole chain. The DoD's phased rollout plan called for CMMC requirements to appear in contracts progressively through 2025, so contractors must review their compliance gaps, remediation activities, and information security programs well before then.
How to Prepare for Assessment
Failing to prepare can have significant consequences for your organization. If you wish to keep your contracts with the Department of Defense, the team should plan to pass the certification assessment:
- Thoroughly understand the technical specifications and requirements for the CMMC level that the organization is targeting.
- Network with expert service and security vendors for third-party support for CMMC certification.
- Check whether the critical services the organization uses, such as cloud infrastructure and file sharing, meet NIST SP 800-171 requirements. For cloud services that store or process CUI, DFARS 252.204-7012 requires the provider to meet the FedRAMP Moderate baseline or equivalent.
- Draft your System Security Plan and the policies and procedures it references; documentation is essential evidence at Level 2 and above.
- Plan the CMMC effort early, including budget, documentation, and workforce resources for the assessment. The DoD has stated that certification costs are an allowable expense on DoD contracts when properly justified.
- Stay updated on the latest updates and news about the CMMC plan rollout.
Federal Contract Information
Federal Contract Information (FCI) is information that is not intended for public release. FAR 52.204-21 defines it as information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information the Government provides to the public (such as on public websites) and simple transactional information such as that needed to process payments.
A contractor that handles FCI on its own systems must follow the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems."
The FAR defines “information” as “any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.”
FCI is the broadest information category covered by CMMC. By meeting FAR 52.204-21, an organization aligns with the 17 practices of CMMC Level 1.
Controlled Unclassified Information
Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, which a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls. It is sensitive but not classified.
The National Archives manages the CUI Registry, which lists the approved CUI categories and subcategories. The registry groups roughly 125 categories under organizational index groupings such as Defense and Critical Infrastructure.
Here are some of the CUI categories:
- Patent Applications
- Contract Use
- Controlled Technical Information
- Critical Infrastructure Security Information
- Homeland Security Agreement information
Each category is defined by the law, regulation, or policy that authorizes it. Take, for example, Controlled Technical Information. DFARS 252.204-7012 defines it as technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Examples of technical information that fall under this definition include:
- Engineering drawings and associated lists
- Research and engineering data
- Technical reports, manuals, and orders
- Data sets, studies, and analyses
- Computer software, both executable and source code
CUI covers a wide array of information, making it essential to be specific about the types of data the organization holds, where they are stored, and how they are safeguarded. Companies that handle CUI must comply with CMMC Level 3. Gap analysis is essential to determine how reliably and resiliently a company handles CUI.
CMMC Gap Assessment with the Experts
RSI Security has a team of CMMC-AB Registered Practitioners that can provide insights and guidance for your company about the process. If your organization has business dealings with the Department of Defense, it is vital to always keep up with the compliance requirements.
The DoD requirements will vary depending on whether your company handles Controlled Unclassified Information (CUI) or only Federal Contract Information (FCI). The required CMMC level is specified by the DoD in the contract; a CMMC Third Party Assessment Organization (C3PAO) then assesses whether your organization meets that level.
A gap assessment is the readiness check that precedes the formal certification assessment performed by a C3PAO and its certified assessors, who will evaluate the maturity of your cybersecurity practices and processes. Do not be caught flat-footed with deficient policies and practices. With RSI Security as a trusted partner, we can help strengthen your company's compliance according to industry standards.
The guidance of RSI Security can help your company sustain its success as a Department of Defense contractor. Do not leave this vital aspect to chance; partner with RSI Security to ensure the continued momentum of your DoD contracts. Get in touch with one of our consultants to set up an appointment.