Companies seeking out lucrative contracts with the Department of Defense (DoD) need to show their commitment to security by attaining Cybersecurity Model Maturity Certification (CMMC). A full implementation of the framework culminates in an official CMMC audit, which can then lead to preferred contractor status with the DoD. Read on to learn how to prepare for a CMMC audit.
How to Prepare for a CMMC Audit in Five Straightforward Steps
Implementing the CMMC Version 1.02 (March 2020) is challenging because of its sheer depth and breadth of protections. Five steps for facilitating a successful CMMC audit process include:
- Determining which CMMC Maturity Level is required for your DoD contract
- Assessing all your existing cybersecurity architecture, systems, and controls
- Implementing all the necessary Practices across all the CMMC security Domains
- Conducting a preliminary CMMC assessment, independently or assisted
- Contacting and working with a certified assessor to formalize certification
Sections below will dive deeply into each step, any relevant challenges, and best practices; RSI Security is well equipped to help your organization rethink all steps of the CMMC audit process.
Step #1: Determine Which CMMC Maturity Level You Must Reach
The most fundamental step toward achieving full CMMC certification is understanding which of the framework’s Maturity Levels you need to attain. There are five in total, with significantly more complex requirements at each successive stage. Overall, they cover two primary kinds of information:
- Federal Contract Information (FCI) – Information that the federal government either directly provides or generates, or otherwise presides over, related to contracts between state and non-state agencies. This information is not intended for public use or disclosure.
- Controlled Unclassified Information (CUI) – Information of or pertaining to sensitive governmental assets or operations, such as technical manuals and plans for defense assets. This information is protected but not formally designated as “classified” intel.
Protection of these data types corresponds roughly to CMMC Levels 1 and 3, respectively. Achieving the highest stages requires contractors to expand upon baseline protections for both types of information and then build additional controls for protecting against Advanced Persistent Threats (APTs) to all data.
Breakdown of Practice and Process Maturity Thresholds at Each Level
One element that makes the CMMC framework unique is its gradual progression toward achieving higher Maturity Levels. Many other frameworks require the implementation of all controls in one fell swoop. For CMMC certification, there are five Maturity Levels. This facilitates implementation—and audits.
Each Level is a threshold for Practice implementation and Process institutionalization, or a measure of integration across all systems and personnel. The breakdown by level includes:
- CMMC Maturity Level 1 – Companies begin with 17 Practices, which constitute “basic cyber hygiene.” Processes must be “performed” but are not yet formally assessed.
- Collectively, these thresholds aim toward the focus of safeguarding FCI.
- CMMC Maturity Level 2 – Next, companies add on 55 new Practices for “intermediate cyber hygiene.” Processes must now be “documented” formally, which is assessed for certification.
- Collectively, these thresholds aim toward the focus of preparing for Level 3.
- CMMC Maturity Level 3 – Companies then add on 58 more Practices, arriving at “good cyber hygiene.” All Processes must now be “managed” and streamlined across systems.
- Collectively, these thresholds aim toward the focus of fully protecting CUI.
- CMMC Maturity Level 4 – Moving beyond hygiene, companies add 26 more “proactive” Practices. Process Maturity now entails all security controls to be “reviewed” thoroughly.
- Collectively, these thresholds aim toward the focus of mitigating all APTs.
- CMMC Maturity Level 5 – Finally, companies add on 15 more “advanced/progressive” practices. Process Maturity at the final stage requires the “optimizing” of all security controls.
- Collectively, these thresholds aim toward the focus of mitigating all APTs.
While Maturity Levels 4 and 5 share the same focus, the shift from passive review to active, ongoing optimization for Process Maturity is dynamic. Unlike all the lower stages, Level 5 requires a forward-facing, open-ended process—subtly suggested through the progressive “optimizing.”
Step #2: Assess Your Existing, Mappable Cybersecurity Controls
The second step toward achieving full CMMC certification involves assessing your company’s existing cybersecurity infrastructure to determine which controls it may already have in place.
Companies seeking DoD contracts are either already in, or entering, the Defense Industrial Base (DIB) sector. The DIB is one of 16 Critical Infrastructure Sectors that are essential to national security, as defined by the Cybersecurity and Infrastructure Security Agency (CISA). All companies that process Covered Defense Information (CDI) covered by various other regulations are considered part of the DIB.
For example, companies that work with the DoD in any capacity are generally bound to the Defense Federal Acquisition Regulation Supplement (DFARS). In particular, DFARS clause 252.204-7012 specifies protocols for protecting CDI and reporting on breaches thereof, which inform the CMMC framework. They also inform the framework that was a precursor to CMMC.
NIST SP 800-171
- Requirement Families – Categories of controls pertaining to areas of concern for CDI; there are 14 in total, including all CMMC Domains except AM, RE, and SA (see below).
- Basic Requirements – Primary Requirements under each Family; there are 29 in total, and all Families have at least one (some Families comprise only Basic Requirements).
- Derived Requirements – Secondary, more advanced Requirements under each Family; there are 29 in total, and all but two Families have at least one Derived Requirement.
Chances are, if your company has worked in any capacity with the DoD before, you have been (and may still be) NIST-compliant. Unlike CMMC, companies self-assess and self-report on their implementation of NIST SP 800-171 controls. All of these are mappable to CMMC, with some changes, as the CMMC contains NIST SP 800-171 in its entirety, along with other framework controls.
Step #3: Implement Practices Up to Your Required Maturity Level
The next step, arguably the most critical, is implementing all required controls for your requisite CMMC Maturity Level. At a glance, this is most challenging at Levels 2 and 3, which require the most significant adoption of new practices (55 and 58, respectively).
However, the actual controls introduced are more complex and challenging at each Level, meaning that the 15 integrated at Level 5 may be more challenging than the 58 at Level 3. And, as noted above, another major element of each Level is ensuring all Processes meet their required thresholds. Thus, in practice, no Level is easy to achieve.
What makes this step attainable is understanding the scope of all controls, distributed across the 17 Domains and their 43 Capabilities, which give shape to the 171 Practices. With the full extent of a Domain in view (e.g. the 27 Practices for “SC”), it becomes easier to plan for the specific controls required for a specific Level (two SC Practices for Level 1, 15 for Level 3, etc.).
Breakdown of All CMMC Required Practices by Cybersecurity Domain
The core of the CMMC framework is similar to that of NIST SP 800-171. It contains an additional three Domains and 61 Practices, accounting for controls across other regulatory frameworks.
As per the current CMMC (version 1.02), the breakdown of Practices by Domain is as follows:
- Access Control (AC) – Four Capabilities and 26 Practices govern visibility and control over user access to protected forms of information and appropriate use and disclosure.
- Asset Management (AM) – Two Capabilities and two Practices govern inventory and general management for all physical and virtual assets, especially related to FCI or CUI.
- Audit and Accountability (AU) – Four Capabilities and 14 Practices govern all internal audits or assessments, along with secure logging and processing of data they produce.
- Awareness and Training (AT) – Two Capabilities and five Practices govern training and educational programs for staff, both at regular intervals and after special circumstances.
- Configuration Management (CM) – Two Capabilities and 11 Practices govern settings and configurations on all assets, including removal and replacement of default settings.
- Identification Authentication (IA) – One Capability and 11 Practices govern control over user accounts through identification measures such as multi-factor authentication.
- Incident Response (IR) – Five Capabilities and 13 Practices govern holistic protocols for cybersecurity incidents such as attacks or data leaks, together with Recovery (RE).
- Maintenance (MA) – One Capability and six Practices govern regular updates to all physical and virtual assets and systems, along with special attention after incidents.
- Media Protection (MP) – Four Capabilities and eight Practices govern methods to protect devices on which media is stored or processed, including their safe disposal.
- Personnel Security (PS) – Two Capabilities and two Practices govern protocols for human resources, including secure onboarding, retention, and termination processes.
- Physical Protection (PE) – One Capability and six Practices govern the proximal restrictions and physical safeguards for devices and areas containing protected data.
- Recovery (RE) – Two Capabilities and four Practices govern short- and long-term protocols for recovering from cybersecurity events and maintaining continuity throughout incident response.
- Risk Management (RM) – Three Capabilities and 12 Practices govern proactive threat and vulnerability monitoring and overall risk management to reduce the impact of events.
- Security Assessment (CA) – Three Capabilities and eight Practices govern internal tests and assessments focused on threats and vulnerabilities (distinct from AU above).
- Situational Awareness (SA) – One Capability and three Practices govern training and awareness specific to the company’s cyber threat environment (distinct from AT above).
- Systems and Communications (SC) – Two Capabilities and 27 Practices govern safe traffic and communications over internal (secured) and external (unsecured) networks.
- System and Information Integrity (SI) – Four Capabilities and 13 Practices govern overall management of security systems and regular monitoring for proper functionality.
Implementing all 171 Practices to achieve Level 5 compliance is extremely challenging. See our guide to navigating CMMC certification levels for the specific number of Practices by Domain for each CMMC Level.
Step #4: Conduct an Internal or External CMMC Preliminary Audit
The next step towards successful implementation and completion of a CMMC Audit is to assess your systems internally first. Conducting a low-stakes CMMC preliminary audit or another test can help uncover any issues that would impede your official certification audit. Companies can test systems independently or with the help of a security advisory provider. Also, assessments can adhere strictly to CMMC requirements or be broader, general vulnerability scans.
For example, companies may conduct internal or external CMMC-focused penetration tests designed to drill staff’s IR protocols, which by extension also touch on AT and RE protections.
Note that this step does not correspond to any requirement explicitly established in the CMMC. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) does not require any pre-assessment of practices prior to submission for official CMMC certification. Think of this step as a best practice that facilitates the transition into the final, high-stakes step.
Step #5: Select a Certified Third Party Assessor Organization
Finally, the last step for completing an official CMMC audit starts with choosing the service provider who will conduct the examination and report on their findings, getting you certified.
As the CMMC is still in its active rollout stage in 2021, the CMMC-AB has begun the initial, ongoing round of C3PAO approvals. RSI Security is currently undergoing C3PAO certification. As an experienced NIST SP 800-171 compliance advisor and soon-to-be C3PAO, we can help with your CMMC audit and implementation process. Our CMMC advisory services cater to your exact needs and means.
Rethink Your CMMC Audit Process, Certification, and Security
Achieving full CMMC integration and certification is not an easy process. When strategizing for how to prepare for a CMMC audit—and pass it—companies need to account for the level they need and their existing controls first. Then, they need to build out or purchase and remaining controls they haven’t already covered. Finally, they need to assess their implementation.
We recommend starting with an internal audit, but companies can also jump directly into an official C3PAO assessment to expedite their certification.
To get started, contact RSI Security today!