Working as a contractor with the US Department of Defense (DoD) can provide lucrative short- and long-term opportunities for partnering companies. But it also requires strict adherence to multiple cybersecurity frameworks. The most recent of these, which has an ongoing roll-out, is the new Cybersecurity Model Maturity Certification (CMMC) framework. This framework is presided over by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S).
Compliance can be challenging, especially for newcomers to the Defense Industrial Base (DIB) sector. To get started on your journey toward compliance, read on for a CMMC self-assessment checklist.
Your CMMC Self-Assessment Checklist
Consistent lucrative work with the DoD will only be available to companies that achieve “preferred contractor” status. And CMMC compliance is one of many hoops you’ll need to jump through for that because it proves that you’re protecting sensitive cases of information to the Defense Federal Acquisition Regulation Supplement (DFARS) specifications. In this guide, we’ll break down everything you need to know about CMMC assessment in two primary sections:
- First, we’ll explain the CMMC self-assessment guides available from the OUSD(A&S), including differences between self- and full-assessments and scoring methodologies.
- Then, we’ll explain the entire CMMC framework, including all its Levels, Domains, and Practices, to establish a clear checklist for your self-assessment and certification.
By the end of this blog, you’ll be well on your way to assessment, certification, and DoD preferred contractor status. But first, let’s address a significant consideration.
Is there Self-Certification for CMMC Compliance?
At present, there is no mechanism in place for companies to self-certify their compliance with CMMC. Self-assessment is a best practice that has no bearing on eventual DoD contractor status. This departure from prior compliance frameworks that inform the CMMC, such as NIST SP 800-171, codifies assessment methodologies for basic self-assessment. Even within that context, however, self-assessments only grant “low” confidence in assessed scores.
For CMMC, self-assessment is not required, nor can it grant any form of CMMC certification.
Nevertheless, the OUSD(A&S) encourages companies who need CMMC certification to self- assess before their full, third-party assessment. It’s a valuable tool to help companies gauge how much work is necessary to achieve full compliance. But this self-assessment will never lead to full certification in and of itself. For that, you’ll need to work with a qualified assessor (see below).
CMMC Assessment Methodologies and Guides
The CMMC doesn’t comprise unique controls that the OUSD(A&S) fabricated. Instead, it compiles controls and approaches from other frameworks formerly or still required for DoD contractors. As a result, much of its assessment methodology adapts or fully re-uses the methods from these other frameworks. For example, CMMC encapsulates all of NIST SP 800-171, and the assessment of these controls comes from NIST’s SP 800-171A.
- The CMMC Level 1 Assessment Guide Volume 1.10, published in November of 2020
- The CMMC Level 3 Assessment Guide Volume 1.10, also published November 2020
Levels 4 and 5 do not have assessment guides publicly available yet as companies are not yet expected to have these controls in place. No guide is presently available for Level 2 since it functions as a preparatory transition to the third level. Companies may use the Level 3 guide even at Level 1, as it includes Processes that are not measured at Level 1 (see below).
CMMC Assessment Criteria and Scoring Systems
In assessing a company’s implementation of the CMMC framework, an assessor (the company or a third-party) will set objectives for controls or practices to test and criteria based on the source (NIST protocols for NIST-based controls). Then, the assessor tests relevant software and hardware settings, examines procedures in real-time, and interviews individuals.
For all practices tested, there are three possible findings:
- Met – The contractor is found to be meeting all requirements for the practice as laid out in the CMMC framework, and the assessor provides appropriate evidence to support this.
- Not Met – The contractor does not meet all requirements for the practice as laid out in the CMMC framework, and the assessor describes the lack or flaws to support this.
- Not Applicable – The contractor is exempt from implementing the practice, and the assessor must provide an explanation and documentation to support why this is the case.
In the case of a self-assessment, your company should produce accurate findings, even if they are all or mostly “Not Met” — hold yourself accountable the way an external assessor will. An honest assessment will allow your company to improve enough to meet official certification standards.
Who is Responsible for Full CMMC Assessments?
If self-assessment is merely a best practice and not a required scaffold on the way to full compliance, this begs the question: who conducts the actual assessment that will grant certification? The CMMC Accreditation Body (CMMC-AB) is responsible for giving third-parties clearance to assess companies and award CMMC certification.
There is more than one level of qualified assessor accredited by the CMMC-AB, but the most critical category to understand is Certified Third-Party Assessor Organizations (C3PAOs). These are cybersecurity service providers who, by passing rigorous CMMC-AB licensing exams and meeting other requirements, can certify that other companies are ready for DoD contracts.
The CMMC also partners with the C3PAOs to list and match them with companies seeking compliance. The best C3PAOs are those that will work with your company on all stages of CMMC compliance, from architecture planning through implementation, such as RSI Security.
CMMC Framework: Levels, Domains, Practices
Assessment is the final element of CMMC compliance. This guarantees to the DoD and other stakeholders that your company deserves contracts because it can keep protected data safe. Before a successful assessment grants certification, your company will need to implement all of the required controls across the CMMC Framework. As noted above, many of these come from other frameworks and regulatory documents, such as DFARS and NIST SP 800-171. These are informed by more baseline tests like NIST’s Cybersecurity Framework (CSF).
Many of the assessment methodologies and protocols are adapted from those of prior frameworks, and the same goes for much of the CMMC framework overall. For example, several “Domain” names are identical to analogous NIST “Requirement Families.”
What is unique about the CMMC, however, is the way it facilitates its implementation through a gradual progression of maturity, at five thresholds called “Maturity Levels.” Let’s take a closer look at each one before poring through all the controls across its various Domains.
CMMC Maturity Levels, Focuses, and Process Goals
Companies who are seeking DoD contracts will eventually need to implement all of the CMMC framework in its entirety, with the exception of exempt Practices. Luckily, this wide-scale adoption can happen in five successive steps, labelled Maturity Levels. Each level has a distinct focus and new Practices along with a distinct “Process Maturity” goal.
The breakdown of Maturity Levels and their respective focuses and goals are as follows:
- Maturity Level 1 – This level focuses on safeguarding Federal Contract Information (FCI), with 17 Practices for “basic cyber hygiene” and a Process Maturity goal of performance.
- Maturity Level 2 – This level focuses on transitioning to full FCI protection at Level 3, with 55 new Practices for “intermediate cyber hygiene” and Process Maturity requiring documentation.
- Maturity Level 3 – This level focuses on full implementation of NIST SP 800-171 and more, with 58 new Practices for “good cyber hygiene” and Process Maturity requiring management.
- Maturity Level 4 – This level focuses on protecting against Advanced Persistent Threats (APTs), with 26 new Practices that are “proactive” and Process Maturity requiring regular review.
- Maturity Level 5 – This level focuses on the most complex FCI and APT protections, with 15 new “Advanced” or “Progressive” Practices and a Process Maturity goal of ongoing “optimizing.”
Process Maturity measures the extent of institutionalization for all Practices across all personnel and departments at the company, a comprehensive measure that complicates the “Met” criteria.
CMMC Security Domains, Capabilities, and Practices
The entire framework of the CMMC is best understood through its 17 security Domains, which are roughly analogous to NIST SP 800-171’s Requirement Families. The Domains house 43 Capabilities, which are fleshed out across 171 Practices (similar to NIST’s Requirements).
In all, the interlocking matrix of Domains, Capabilities, and Practices breaks down as follows:
- Access Control (AC) – Four Capabilities and 26 Practices focus on limiting access to sensitive information through strict identification requirements, detailed below (IA).
- Asset Management (AM) – Two Capabilities and two Practices focus on identifying and monitoring physical and virtual assets essential to protecting sensitive data.
- Audit and Accountability (AU) – Four Capabilities and 14 Practices focus on audits conducted internally and externally to guarantee accountability across staff at all levels.
- Awareness and Training (AT) – Two Capabilities and five Practices focus on the schedule and contents of regular and special event training programs to ensure staff awareness.
- Configuration Management (CM) – Two Capabilities and 11 Practices focus on removing all vendor-supplied security settings to be replaced by more robust options.
- Identification and Authentication (IA) – One Capability and 11 Practices focus on building an identity and access management program to optimize access control.
- Incident Response (IR) – Five Capabilities and 13 Practices focus on the systematic response to hacks, attacks, and all cybersecurity incidents in real-time (see RE below).
- Maintenance (MA) – One Capability and six Practices focus on the schedule and protocols for both regular and special event maintenance of hardware and software.
- Media Protection (MP) – Four Capabilities and eight Practices focus on protecting media devices and removing traces of sensitive data prior to disposal, transport, etc.
- Personnel Security (PS) – Two Capabilities and two Practices focus on recruitment, hiring, onboarding, retention, promotion, demotion, and termination measures for staff.
- Physical Protection (PE) – One Capability and six Practices focus on physical and proximal protections for individual devices and workspaces connected to sensitive data.
- Recovery (RE) – Two Capabilities and four Practices focus on both short- and long- term efforts to mitigate the damage done by attacks and recover compromised information.
- Risk Management (RM) – Three Capabilities and 12 Practices focus on the efficacy of preventative threat and vulnerability management and overall risk mitigation strategies.
- Security Assessment (CA) – Three Capabilities and eight Practices focus on regular assessments to produce, analyze, and mobilize threat and cybersecurity intelligence.
- Situational Awareness (SA) – One Capability and three Practices focus on specific awareness thresholds and relevant training tailored to the company’s unique positionality.
- Systems and Communications Protection (SC) – Two Capabilities and 27 Practices focus on safeguarding points of communication in all internal and external networks.
- System and Information Integrity (SI) – Four Capabilities and 13 Practices focus on the overall efficacy and proper functioning of security architecture, free from known flaws.
Adopting all 171 Practices up to the Process Maturity goals detailed above is challenging for all but the biggest and most well-funded IT departments. Just as with assessment, bringing in a third-party to help your company with implementation is the best way to get it done correctly.
Professional CMMC Compliance Advisory Services
Returning to where we began, it’s critical to understand CMMC self-assessment as one small step in a larger third-party assessment process rather than a direct route to compliance. If your company is hoping to secure DoD contracts and preferred status, self-assessment is not required, but it can be extremely helpful in understanding what controls you need to implement before an actual, CMMC-AB approved C3PAO (like RSI Security) runs a full assessment.
This CMMC self-assessment checklist is one of many CMMC resources and services that RSI Security provides to current and prospective DoD contractors. Our suite of CMMC compliance advisory services also includes comprehensive managed IT and security, with offerings tailored to the specific needs and means of your company. Our experts can help you build out security architecture up to DFARS standards, manage patchwork needed, and perform assessment. No matter where you are on your journey toward compliance, we can help — contact us today!