Technological theft, espionage, and threats to national security are becoming increasingly common concerns for the Department of Defense (DoD). In response to the rising tide of cyberattacks, the DoD has introduced a more stringent compliance framework to protect the Defense Industrial Base (DIB) supply chain. This framework is known as CMMC Certification, the new standard for contractors working with the DoD. CMMC Certification ensures that contractors meet essential cybersecurity requirements, helping safeguard sensitive information and national security.
In this article, we’ll cover the Do’s and Don’ts of CMMC Certification, starting with a brief introduction to the model.
What is CMMC Certification?
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to assess the overall cybersecurity maturity of an organization. For contractors working with the Department of Defense (DoD), CMMC Certification is replacing the previous self-certification under the NIST 800-171 framework. Under the new system, certification requires an audit by a Certified Third-Party Assessment Organization (C3PAO).
CMMC Certification measures an organization’s maturity on a 5-level scale:
- Level 1 – Basic Cyber Hygiene: Focuses on basic safeguarding of Federal Contract Information (FCI).
- Level 2 – Intermediate Cyber Hygiene: Bridges practices between levels 1 and 3.
- Level 3 – Good Cyber Hygiene: Required for organizations processing Controlled Unclassified Information (CUI).
- Level 4 – Proactive: Implements advanced cybersecurity practices to protect CUI.
- Level 5 – Advanced/Progressive: Optimizes cybersecurity processes to detect and respond to threats effectively.
The required level depends on the type of DoD information your organization handles. Compliance is measured by how well your organization implements the practices and integrates the processes outlined in the CMMC model.
CMMC builds upon the NIST 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) frameworks. Prior knowledge or self-certification to NIST 800-171 is advantageous, as most CMMC practices are derived from it.
Now that we understand the framework, let’s explore the Do’s and Don’ts of CMMC Certification.
Certified Third-Party Assessment Organization (C3PAO)
Do:
- Engage a certified third-party assessment organization (C3PAO) for your CMMC Certification audit.
- Working with the DoD now requires a third-party audit to verify your organization’s implementation of the CMMC model.
- Choose a C3PAO that specializes in cybersecurity services to ensure accurate assessment and a smooth certification process.
Don’t:
- Attempt to self-certify using NIST 800-171 alone.
- While NIST 800-171 compliance is still important, CMMC Certification requires a C3PAO audit, making self-certification insufficient.
- Until the CMMC is fully enforced, continue NIST 800-171 self-certification as a preparatory step, but do not rely on it for official compliance.
Maturity Level for CMMC Certification
Do:
- Determine the appropriate CMMC Certification level for your organization.
- Start by identifying the type of data you handle in the DoD supply chain. Are you processing federal contracts only, or does your organization handle Controlled Unclassified Information (CUI)?
- Conduct a data inventory of all potentially sensitive information and review any industry-specific regulations that might impact your required maturity level.
- Integrate CMMC practices into your organizational culture.
- The “process” element of the model shows auditors how well your organization has institutionalized cybersecurity practices.
- Ensure practices are second nature to staff, not just loosely followed rules.
- Involvement at all levels of the organization is key to successful certification.
- Do your homework.
- Study the model, understand the practices, and prepare your processes in advance.
- Early preparation allows your C3PAO to audit and certify your organization efficiently.
Don’t:
- Neglect understanding the model.
- Failing to research CMMC practices and processes can slow down certification and increase the risk of non-compliance.
- Remember, your C3PAO is there to guide and support you, not to penalize you for lack of preparation.
Staff and Personnel in CMMC Certification
Do:
- Engage your staff in the CMMC Certification process.
- An organization’s cybersecurity success depends on security-conscious personnel.
- Ensure staff adopt the CMMC practices as part of their daily routines, which helps institutionalize the processes across the organization.
- Invest in staff training.
- Cybersecurity awareness is critical; even top-tier software and hardware can fail if employees inadvertently compromise security.
- Training ensures that every team member understands their role in maintaining CMMC compliance and protecting sensitive DoD data.
Don’t:
- Ignore the needs and involvement of your staff.
- Introducing new processes without engaging personnel can hinder adoption and reduce effectiveness.
- Include staff in the cyber maturity assessment framework so CMMC practices become ingrained and second nature.
Remember: People are the foundation of your organization. Investing in staff awareness and participation is just as important as investing in technology.
General Cybersecurity Principles for CMMC Certification
Before diving into specific practices, it’s important to understand general cybersecurity principles that form the foundation for any CMMC Certification.
These principles are not only relevant to CMMC but are also recognized as best practices across the wider cybersecurity community. Adhering to them helps organizations:
- Strengthen overall security posture
- Reduce the risk of cyber incidents
- Prepare effectively for a CMMC audit
Keeping these principles in mind will make the process of achieving CMMC Certification smoother and more sustainable.
Passwords and Access Security for CMMC Certification
Passwords are the foundation of any secure network, and the CMMC model is no exception. However, not all passwords are created equal; weak or default passwords can put your organization at risk and jeopardize CMMC Certification.
Do:
- Use strong, unique passwords for all systems and devices.
- Implement two-factor authentication (2FA) to enhance security.
- Set temporary or one-time passwords for sensitive access when appropriate.
- Ensure all terminals and devices are locked and password-protected when not in use.
Don’t:
- Use easily guessable passwords or PINs, like “1234” or “password.”
- Rely on default passwords that come with hardware or software.
Following these practices not only strengthens your security posture but also demonstrates to auditors that your organization takes cybersecurity seriously, a critical factor in achieving CMMC Certification.
Account Management for CMMC Certification
Proper account management is a critical part of CMMC Certification. Ensuring that accounts are correctly configured helps protect sensitive DoD data and strengthens your organization’s cybersecurity posture.
Do:
- Assign individual accounts to each employee; avoid shared accounts.
- This ensures accountability and makes it easier to trace any security incidents.
- Review administrative privileges for all accounts.
- Only authorized personnel should have admin rights to prevent unauthorized changes or breaches.
Don’t:
- Share accounts among multiple users.
- Shared accounts make it difficult to track responsibility in the event of a data breach.
- Give all users administrative privileges.
- Excess privileges increase security risks and can jeopardize your CMMC Certification audit.
By implementing proper account management practices, your organization can demonstrate compliance with CMMC requirements and reduce potential vulnerabilities.
Cloud Sharing Accounts for CMMC Certification
Cloud platforms are increasingly essential for modern businesses, but mismanaged cloud accounts pose significant security risks, especially for DoD contractors seeking CMMC Certification.
Do:
- Ensure document sharing settings are restricted to internal personnel only.
- Protect all cloud accounts with strong, unique passwords and enable two-factor authentication (2FA).
Don’t:
- Allow employees to share sensitive documents outside the organization’s network.
- Set cloud documents or folders to public access, which can jeopardize your CMMC Certification.
By properly managing cloud accounts, your organization can reduce the risk of data leaks and demonstrate adherence to CMMC security requirements.
Software Management for CMMC Certification
Software, including apps and operating systems, is central to any modern organization. However, many applications are not secure by default, which can create vulnerabilities and jeopardize CMMC Certification. Proper software management is critical to protecting sensitive DoD data.
Do:
- Apply security configurations to all apps and operating systems. Default configurations are often insecure.
- Install updates promptly for all software, apps, and operating systems in use.
- Enable and maintain antivirus, anti-spyware, and anti-malware protection on all devices.
- Use a firewall configured to limit unnecessary internet communications.
- Utilize audit logs and Security Information and Event Management (SIEM) software to monitor and understand your network security environment.
Don’t:
- Use unsupported software or operating systems (e.g., Windows XP), as vendors no longer provide security updates.
- Attempt to self-host software if your organization lacks the resources or expertise. Third-party hosting by specialists is safer and more reliable.
- Delay software updates or patches. Emergency updates are often released to fix vulnerabilities; failing to apply them promptly can leave your network exposed.
Proper software management ensures your organization demonstrates compliance with the CMMC cyber maturity assessment framework and reduces the risk of security breaches.
Hardware and Physical Protection for CMMC Certification
Protecting hardware assets, physical locations, and documents is a critical component of CMMC Certification. Physical security is often overlooked, but it’s an essential part of your organization’s overall cybersecurity architecture. The CMMC includes physical protection as one of its 17 domains, making this area crucial for compliance.
Do:
- Use designated public and private spaces within your organization.
- Section off private areas where only authorized personnel can access devices and computers.
- Implement keycard systems when possible.
- These systems often include logging to track who enters and exits secure areas.
- Limit computer use to one person per device and enforce it through company policy.
- Sanitize documents before disposal by shredding, even if they do not contain sensitive information.
- This prevents attackers from exploiting discarded materials (“dumpster diving”).
- Restrict access to keys and access devices to a select group of authorized personnel only.
Don’t:
- Allow unsupervised visitor access. Verify and monitor all guests.
- Dispose of documents without proper sanitization.
- Forget to update locks or access codes when employees leave the organization.
- Leave windows unlocked overnight or compromise physical security in any way.
- Permit hardware to be taken home without strict company policies ensuring secure use.
- Allow personal devices on the company network; provide a separate network for recreational use if needed.
Implementing these practices demonstrates that your organization takes physical and hardware security seriously, which is a key requirement for achieving CMMC Certification.
Key Takeaways for CMMC Certification
The Cybersecurity Maturity Model Certification (CMMC) is now a requirement for any organization working with the Department of Defense (DoD). Achieving certification requires a third-party audit by a Certified Third-Party Assessment Organization (C3PAO). While this may seem daunting, attaining CMMC Certification doesn’t have to be complicated — it simply requires that cybersecurity practices become fully integrated into your organization’s culture.
In this article, we’ve outlined the Do’s and Don’ts across critical areas of the CMMC cyber maturity assessment framework and general cybersecurity principles. Following these guidelines will help jump-start your compliance efforts and prepare your organization for a successful certification audit.
For comprehensive support, RSI Security offers expert services to help your organization achieve CMMC Certification efficiently and effectively. Whether you need full-stack cybersecurity architecture implementation or compliance consulting, our team is here to guide you. Book a free consultation today to get started.