Preparation Checklist for a CMMC Audit

In 2019 the Department of Defense (DoD)—in conjunction with John Hopkins University Applied Physics Laboratory (APL) and the Carnegie Mellon University Software Engineering Institute (SEI)—began a review of the various cybersecurity standards.

Their mission: to forge the various practices into a single unified cybersecurity standard in order to secure the DoD supply chain.

Its name: the Cybersecurity Maturity Model Certification (CMMC)

Although the novel cybersecurity framework is still in the process of being built out, it’s estimated that a selected group of DoD contractors will undergo audits as soon as the year’s end.

So if you’re a government contractor, the time to begin preparing for a CMMC audit is now. Here’s a convenient CMMC audit checklist to help you prepare accordingly.

 

What is a CMMC Audit?

From the outset it’s important to note that the CMMC is still in the process of being built out, so some aspects may be subject to change by the time audits begin.

Here’s what we know so far:

The CMMC is being created to streamline security practices, making it easier for specific companies who work along the DoD supply chain to maintain cybersecurity compliance. It applies to contractors who work with:

• Federal Contract Information (FCI) – Information provided by, or created for the Government, and is not made available to the public.
• Controlled Unclassified Information (CUI) – Information that “requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policy.”

The framework condenses and combes the best practices some of the most popular control frameworks used today, including:

• NIST 800-171
• NIST 800-53
• RMF
• ISO 9000
• SANS
• CMMI
• DISA STIGs
• FIPS 140-2
• ISO 27001
• AIA NAS9933
• FICO
• FedRAMP
• Gartner

Currently, the CMMC Accreditation Body has been formed and is in the midst of building out the various processes for auditor training, certification, and organization audits. To date, no CMMC auditors have been appointed..

As of now, you can’t get certified. However, as new Requests for Proposals (RFPs) roll out next year, some level of CMMC certification will be required.

What we do currently know is that the level 1 CMMC requirements have been finalized. That means you can get to work on those immediately.

 

Assess your CMMC compliance

 

The Five Levels of CMMC

The DoD structures contracts by their risk profiles. Each RFP will have a specific level requirement ranging from 1-5. To submit a bid you’ll need to have proof of certification.

So what are the levels?

• CMMC Level 1 Performed – 17 Controls must be applied based on 48 CFR 52.204-21. Every single DoD contractor is required to complete these tasks. It’s worth noting that there’s no process maturity requirements.
• CMMC Level 2 Documented – 72 Controls (includes Level 1 controls) must be applied. This includes documentation to processes, such as SOPs, policies, and plans.
• CMMC Level 3 Managed – 130 Controls (includes Level 2 controls) must be applied, along with the requirements of NIST SP 800-171. This stage requires you to follow a MMC process maturity model and its existing policies and procedures.
• CMMC Level 4 Reviewed  – 156 Controls (includes Level 3 controls) must be applied at this stage. Level 4 companies are required to demonstrate that they’ve taken a proactive approach to cybersecurity, which includes Advanced Persistent Threat (APT) adherence.
• CMMC Level 5 Optimized – 171 Controls (includes Level 4 controls) must be applied to reach process level maturity and optimized cybersecurity. The DoD is confident that you’ve the controls in place to combat APTs and protect the entire breadth of your company.

Lower levels 1 and 2 will apply to contractors who don’t handle CUI. This includes the majority of resellers. They will apply to contractors who don’t keep government information on their corporate networks, except for HR data and purchase orders.

Middle levels 3 and 4 are for DoD contractors who deal with CUI, particularly data that could possibly be reverse-engineered by foreign enemies. It will adhere closely to the NIST SP 800-171 control recommendations.

Highest level 4 and 5 involves CUI that’s highly sensitive and could include information on weapons tests or manufacturing schematics. Naturally, following these recommendations will be costly.

 

Download our CMMC Whitepaper: Best Cybersecurity Practices for DoD Contractors

 

CMMC Audit Checklist

Regardless of your level, the CMMC released 7 steps you can follow to begin preparations for an audit of your own. They are:

Task #1 – Define CUI Specific To the Contract and Identify Where it is Stored, Processed and Transmitted

Your initial task is to identify the CUI environment. These are the places in your facility where CUI is:

• Stored
• Processed
• Transmitted

By understanding the CUI environment you can then define the various systems, services, and processes of NIST 800-171. To determine your level or risk in your specific situation, the federal contracting official for the prime contractor is required to clearly define the CUI for their subcontractor.

 

Task #2 – Identify Applicable NIST 800-171 Controls 

Once you’ve defined the CUI environment, you can begin identifying which systems, services, and processes fall within the scope of NIST 800-171. This will be based on whether or not they store, process, or transmit CUI.

Simple networks can expect that the controls will be applied universally across the entire organization, whereas segmented CUI environments will only have controls applicable to sub-networks.

 

Task #3 – Create Policies, Standards, and Procedures to 

Every contractor is in a unique situation.

Policy prescriptions will change due to level of risk. Preparation begins by determining the various compliances your organization is governed by, including:

• Domestic and international cybersecurity and privacy laws
• Industry specific regulations
• Legally binding contracts

Documentation plays an enormous role in maintaining compliance. It requires that you clearly write out a hierarchical structure that includes the various:

• Policies
• Standards
• Controls
• Procedures

Documents should be clear, follow a logical order, and have identifiable delineation of all compliance requirements. This can later be used to inform decision making and gauge risk related to purchasing, staffing, and management.

 

Task #4 – Operationalize the Policies and Standards to Implement CMMC Controls

This is the stage where you put words and preparation into action.

By applying NIST 800-171 controls to your policies and standards, you can determine what you’ll need to do to reach compliance then maintain it.

It’s critical that the individuals or teams responsible for specific CUI controls are highlighted and defined. This ensures that controls are not being overlooked or improperly applied as a result of miscommunication about roles and responsibilities.

 

Task #5 – Document the CUI Environment 

At this point your goal is to note the CUI environment’s controls and known deficiencies.

You have to build out two primary documents:

• System Security Plan (SSP) – The SSP answers all of the relevant details—the who, what, when, why, and where. It will include information on the various people, technology solutions, and processes contained within the CUI environment.
• Plan of Action & Milestones (POA&M) – The POA&M will highlight all of the control deficiencies for the NIST 800-171. CMMC refers to it as a “risk register.”

If you want to pass a CMMC audit, these documents must be completed in full detail. One of the very first things a CMMC auditor will ask for is access to both files. Failure to do so will very likely end in an automatic noncompliance decision, and could cause significant legal ramifications as well.

 

Task #6 – Leverage the Controls to Assess Both Risk and Maturity Across Technology and Business Processes

There is no ubiquitous risk assessment methodology.

Certain ones work better for different technology and business processes. What matters is finding the one that is best suited for how your business operates.

The CMMC says there are several methodologies to choose from, including:

• NIST 800-37
• ISO 31010
• OCTAVE
• FAIR

The purpose of each of these is to determine how successful you were in applying controls and how much risk mitigation occurred as a result of your actions. You can mix and match controls. The decision is yours, so long as you are seeking to reduce the risk your organization faces.

Task #7 – Utilize Metrics From Control Execution to Identify Areas of Improvement

Once controls are put in place, your organization must continue to monitor their performance. This allows you to form a long-term composite that can be used for analysis and optimization.

Over time your organization will have detailed information that helps them highlight which areas of the business are fit for improvement. To help you with this take the time to establish Key Performance Indicators (KPIs) as well as Key Risk Indicators (KRIs) related to your organization.

 

CMMC Level 1 Requirements 

Although the framework for the other levels of compliance is still being hammered out, level 1 is simply based on the same standards DoD contractors have been held to since 2016. They include:

• Control 1 – Only authorized users should have access to certain information and systems. Use passwords and PINs to restrict login access. Take proper precautions to protect devices and passwords, and disable accounts when an employee leaves the company.
• Control 2 – Information systems should only have access to specific transactions and functions that the user is allowed to access and execute. Assign most accounts “user” status and limit “admin” rights to a select few.
• Control 3 – Never share your neighbor’s network. Your company’s network and computers should stay totally separate from external business or home networks. Only company devices should ever have access to federal contracts.
• Control 4 – Don’t allow your data to be shared with outsiders. Make sure that cloud storage and documents aren’t shared outside of the contract and that sensitive information isn’t included on the website.
• Control 5 – Each employee should have a separate account. Individual accounts ensure that only approved employees have access to restricted devices or systems.
• Control 6 – Be sure that every company computer and device has a username and password (that’s not the default password). Ideally, the system should use two-factor authentication. 
• Control 7 – Destroy all data on a device—mobile, laptop, computer, thumb drive—before it is disposed of. Documents should be shredded, data modules hammered, and data overwritten.
• Control 8 – Identify public and private work spaces and ensure that all devices, servers, and data storage are restricted to the private area. This ensures that only authorized individuals have access to high level information.
• Control 9 – Visitor activity should be monitored at all times. While this is simpler for small companies, larger ones should rely on check ins, visitor badges, and security escorts.
• Control 10 – Sign-ins and sign-outs should be mandatory for all visitors and employees. Document audit logs of physical access, and add cameras to ingresses and egresses to your facility (if you can afford it.)
• Control 11 – Restrict security access to a few individuals. Only select people should be able to unlock doors or turn off the security system.
• Control 12 – Company networks should be private and devices kept within the boundaries of the firewall. That firewall should restrict all external internet traffic so as to prevent attacks.
• Control 13 – Ideally, internal networks should not be connected to the internet. Much better to rely on a webhosting company and implement subnetworks for publicly accessible system components.
• Control 14 – Be sure to automatically download and then install system updates and patches on all devices.
• Control 15 – Use antivirus programs on your computers and devices to prevent malicious code from accessing critical information.
• Control 16 – Utilize antivirus and firewall threat protections via subscription services that are automatically updated when new releases are available.
• Control 17 – Enable antivirus scans so that they perform a full scan every single week.

 

Get Prepared with RSI Security  

CMMC was created to establish a clear guidelines and audit framework for contractors working with the DOD. In the months ahead more information will be available, detailing the specifics of CMMC audits and frameworks. All you can do for now is start preparing. This starts with the implementation of level 1 controls (if you haven’t done that already.)

As you probably noticed, CMMC only details what practices company’s must implement, not how they should do it.

This is where RSI Security can assist.

We thoroughly understand all of the controls that will inform CMMC compliance and can help you prepare for a CMMC audit, no matter what level of certification you seek.

Interested?

Then reach out today to secure your business and land those DOD contracts.

 

---

Speak with a CMMC compliance expert today – Schedule a free consultation