
By: Tyler Thepsiri on September 06, 2024


What Is CMMC Compliance? 5 Key Steps To Help With CMMC Certification.


If you are a defense contractor, subcontractor or your organization does business with the Department of Defense (DoD), you may be aware of the proposed deadline for Q1 2025 for CMMC certification.

Your organization will need to make sure that you meet specific Cybersecurity Maturity Model Certification (CMMC) requirements if you want to remain eligible and continue working with the DoD.

Although the deadline is proposed to be sometime in January 2025, you should not assume that you will get a grace period to become compliant once it is in effect. It’s better to have your compliance journey well underway or close to completion to make sure you stay in business with the DoD.

Compliance is complex, and with constant revisions to the CMMC requirements, it’s important to know where you stand and where to focus your efforts to make sure you are certified and compliant.

I’ve worked in IT for more than 10 years. As manager of engineering services at Kelser, I am familiar with the controls listed in NIST 800-171, which form the basis for CMMC, and how to implement these controls to make sure you can pass your CMMC readiness assessment.

In this article, I will explain what CMMC compliance is, and walk you through the steps you can take now to help your organization be in the best position possible to be CMMC certified and maintain and secure future contracts with the DoD.

What Is CMMC?

The Department of Defense began work on its Cybersecurity Maturity Model Certification (CMMC) Program in 2019. CMMC was created to provide enhanced protection for information shared within the U.S. Defense Industrial Base (DIB). 

The first goal of CMMC is to validate the safeguards and practices that ensure basic cyber hygiene and the protection of federal contract information (FCI) and controlled unclassified information (CUI), within the supplier and partner networks of the DIB.


Related Article: NIST 800-171 vs CMMC: What’s The Difference? How Do They Work Together


What Are CUI and FCI? 

Both CUI and FCI include information created or collected by or for the U.S. Government, as well as information received from the Government.

You can think of FCI as information the government gives to companies to help them complete their work on certain confidential and top-secret government projects.

CUI, on the other hand, can be thought of as information that doesn’t necessarily fall into the top-secret bucket but still needs protecting so that only authorized users can access it.

The second goal of CMMC is to provide a mechanism for the DoD to verify that defense contractors and subcontractors have implemented the security requirements at each CMMC Level and are maintaining that level of security across the contract period.

Additionally, CMMC does not specify its own security controls from scratch; rather, it leverages the controls outlined in NIST SP 800-171 and builds on them by introducing additional security controls and maturity levels.

This means that if your business is NIST 800-171 compliant, you are setting a solid foundation for CMMC certification.


Related Article: What Is Controlled Unclassified Information (CUI) In NIST 800-171?


What Are The CMMC Certification Levels?

CMMC has three certification levels that you should know about. These levels are based on the type of sensitive information you work with, and each level has specific controls and requirements you need to meet for certification.

Let’s take a look at each of these without the technical jargon. It’s important to understand that each certification level builds upon the requirements of the previous one, with more stringent cybersecurity controls required at higher levels.

Level 1 (Foundational)

Total requirements identified: 17

This level applies to organizations that work only with FCI and requires them to self-assess annually. They need to be compliant with the basic cybersecurity requirements outlined in FAR 52.204-21.

Level 2 (Advanced)

Total requirements identified: 110

This level is for organizations that work with CUI and requires them to be compliant with the 110 security controls outlined in NIST 800-171. Organizations at Level 2 will be required to undergo a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) once every three years.

Level 3 (Expert)

Total requirements: not defined but specific to project

This level is for organizations that work on CUI and high-priority DoD projects that are subject to advanced persistent threats (APTs). They will need to be compliant with NIST 800-172 and will be required to undergo third-party assessments once every three years.

CMMC Compliance Triangle

Now that you know what the three levels are, there is a high possibility your organization will fall into Level 2, the Advanced category, as 95% of organizations do. But what does this mean, what are the key takeaways, and where should your compliance efforts be focused?

Simply put, your focus should be on doing everything you can to protect CUI and making sure you are compliant with the 110 security controls outlined in NIST SP 800-171 revision 2.

Furthermore, make sure all 320 assessment objectives are met, and ensure that you are ready to be certified by a Certified Third-Party Assessment Organization (C3PAO).

What Steps Can I Take To Be Ready For CMMC Certification?

You now have a good idea what CMMC is, why certification is important and what each level of the CMMC ladder covers. Where do you go from here? How can you make sure your journey to CMMC readiness certification is as smooth as possible without any disruptions to your business?

I’ll cover 5 key steps you can take to make sure your business meets the required cybersecurity standards, protects sensitive information, and positions itself as a leader to secure future government contracts.

Step 1: Understand What CMMC Level You Require.

Earlier we covered that the CMMC levels are based on what type of sensitive information you handle. It’s critical to determine which level your organization falls under. Assess whether you use FCI, CUI or both.

This will give you a fairly good idea of where your organization should be and what controls you need to implement and satisfy.

You can verify this in your defense contract which may also specify the level you need to achieve, and if it doesn’t, contact your contracting office or the organization above you in the supply chain.

Aligning your company with the right CMMC level and security controls ultimately will help you meet customer and regulatory requirements and expectations to make sure you keep your current contracts and have a competitive advantage to bid for new ones.

Step 2: Understand Your IT Environment

Once you have determined your organization’s CMMC level, the next step is to understand your IT environment and infrastructure. Make sure you document and include all systems and devices that store or share sensitive data like FCI or CUI.

Additionally, identify who has access to these systems and how you can limit access to authorized users only. This will give you a good sense of how many licenses and other security features or tools you will need to make sure your environment is compliant.

Step 3: Conduct A Gap Analysis

Now that you have knowledge of what systems handle CUI and who has access to them, conduct a gap analysis to help you compare your current security safeguards with the security controls listed in the NIST 800-171 framework.

Your gap analysis will help identify any areas where you fall short or where you have vulnerabilities. This will give you a clear picture of what policies, procedures and technology you will need to address these gaps in order to achieve CMMC compliance.

Step 4: Develop A System Security Plan (SSP) And Implement Controls

You’ve identified your gaps and are ready to begin implementing the necessary security controls you need to meet.

The next step is to create a comprehensive System Security Plan (SSP) to explain and document exactly how your organization is going to implement current and new security controls outlined in NIST SP 800-171 to safeguard sensitive data.

It must be detailed enough to show the types of CUI your organization handles, how each type of CUI is processed, stored and shared, and a description of how your organization has implemented each NIST 800-171 control.

It should also highlight who will be responsible for implementing, monitoring and updating each security control, and be aligned with your Plan of Action and Milestones (POA&M) to address any gaps or vulnerabilities that exist.

Additionally, it’s essential to regularly review and update your SSP. It will be a document that keeps evolving as you implement and update new security controls and will serve as foundational evidence that your organization has done everything it needs to protect CUI and be CMMC certified.


Related Article: What Is A NIST 800-171 System Security Plan (SSP) & How To Create One


Step 5: Prepare And Complete A CMMC Assessment

The last step is to complete a CMMC assessment by a Certified Third-Party Assessment Organization (C3PAO).

First, start with a self-assessment and compare your controls against NIST SP 800-171 to make sure you have identified all areas of noncompliance with the NIST framework, so that you can address them before your official third-party assessment.

Once you are satisfied that your self-assessment meets all requirements outlined in NIST 800-171, you can schedule your third-party assessment with a C3PAO.

Your assessment will include a thorough review of your SSP, as well as interviews with your team to ensure you are fully compliant. This is why I cannot stress enough how important it is to make sure your SSP is as comprehensive and detailed as possible.

It’s important to note that while we have found that most organizations can successfully use these 5 steps to ensure they are ready for their CMMC assessment, your organization may need to tweak the finer details depending on its specific needs and how quickly you need to become CMMC ready or certified.

What’s The Bottom Line?

You now have a thorough understanding of what CMMC compliance is, what each level of CMMC requires at a top level, and 5 key steps to help your company with CMMC certification readiness before your Certified Third-Party Assessment.

Ensuring your organization is ready for CMMC certification by the proposed Q1 2025 deadline will be critical for your business if you want to continue working with the DoD as well as gain a competitive advantage for winning new contracts.

These 5 key steps will help keep your CMMC compliance journey smooth and on track, keep disruptions to a minimum, and keep your budget on track as well.

If you have a large internal IT staff, you may have all the resources you need to ensure that your organization can successfully prepare and implement the necessary policies, procedures, and documentation for CMMC compliance.

If you don’t have a full in-house IT team or a team that has little compliance experience, you may want to explore working with an external IT provider who has compliance expertise and staff to guide and advise you.

Managed IT services help organizations adopt many of the security requirements outlined in NIST 800-171 and ultimately prepare for CMMC certification.

We know managed IT support isn’t right for every organization. We publish articles like this one so that business leaders have the information they need to keep their data and infrastructure safe and understand how to move forward, whether they choose to work with us or not.

If you are feeling overwhelmed and just want to talk to a human, we get it too! The button below will connect you to a simple form. Provide your name and email and one of our IT compliance experts will reach out to schedule a 15-minute call to learn about your current technology situation, pain points, and compliance goals. (No sales pitch; just a conversation.)


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
