What is CMMC? The Complete CMMC Compliance Guide
Believe it or not, the day that many of us thought would never arrive is finally here: the Department of Defense is actually going to start enforcing the CMMC or DFARS/NIST 800-171 compliance requirements and if the conversations we’ve been having with our managed IT services clients are of any indication, there’s certainly a lot of surprise- and dread- to go around.
As a direct result of these updates and in an attempt to properly secure the Defense Industrial Base (DIB), we’ve developed a brief CMMC guide to help your organization navigate these numerous requirements.
What is CMMC?
At its core, the CMMC is designed to be an assessment model and certification program intended to clarify the degree in which contractors safeguard both their own and customers’ CUI.
As always, and as with anything related to IT or compliance, it’s a recent progression that will require you to keep a few key things in mind.
Maybe the most important factor to understand about all of this is that, unlike previous years, the various contracting authorities that you’re working with will NOT accept an SSP (System Security Plan) and/or POA&M (Plan of Action and Milestones) as evidence of intent to eventually adhere with DFARS compliance or as an unofficial, long term compliance deferment strategy.
Instead, under the CMMC, contractors will begin being audited and evaluated based upon their implementation of their respective level’s mandate controls. This can include but is not limited to formulating detailed IT policies, generating comprehensive network documentation and for the higher CMMC levels, the performance of annual penetration tests, to validate their adherence to compliance and verify their CUI’s security posture.
Most organizations will likely be required to adhere to CMMC levels 1 or 3, but regardless of the CMMC level you are required to attain, your certification level and adherence to it, will determine the types of contracts you will be qualified to acquire.
Who Needs CMMC Compliance?
It’s essential to reiterate that this CMMC level requirement will flow down to ALL subcontractors, prime and subcontractors alike, that are a part of the DoD supply chain. According to Katie Arrington, CISO for Acquisition under the Office of the Under-Secretary of Defense of Acquisition and Sustainment, only about 5% of contractors that will require CMMC are currently compliant, meaning that there is certainly a lot of work to be done to that end.
As the Secretary of Defense has also stated, future RFPs will require a CMMC designation if you handle Controlled Unclassified Information (CUI)- period. All of this means that the CMMC is something you need to start thinking about as it is will become the standard framework for working with the DoD and any other government or federal agencies in the near future- including the GSA.
The Department of Defense began finalizing the CMMC certifier accreditation program in January 2020, with the accreditation process itself expected starting in June. Based on this timeline, it’s likely that we will see the first accreditations go out in the second half of 2020 with contractor evaluations -meaning the ones you have to care about- beginning now or shortly thereafter.
CMMC Audit and Compliance
A dedicated team of auditors will be conducting these CMMC audits, but it is unclear how they will select the contractors that will be reviewed. If the costs of implementing these controls has you concerned, one important change moving forward will be the opportunity to recover, from the prime contractor, the expense of these solutions as an ‘allowable cost’.
This presents an interesting opportunity to not only introduce increased rates, but also new bidding strategies that leverage your CMMC posture as a true competitive advantage over your historical competitors that delayed the implementation of these similar compliance measures.
Because these numerous compliance controls present a considerable cost to any organization, we encourage that you weigh the benefits of attaining CMMC alongside their associated costs to determine if any missed contract opportunities are worth the trouble of implementing these compliance requirements.
If the costs outweigh the potential benefit or if you don’t have the financials to hire additional IT security/compliance professionals, you may want to consider cutting your losses or outsourcing your compliance needs to a reputable managed services provider or managed security services provider.
The CMMC versus NIST
What Is NIST?
The NIST 800-171 was established on January 1, 2018 and was created by the DoD to improve the low rate of NIST 800-171 compliance across the DIB.
When NIST 800-171 was initially launched, the DoD did not accept third-party audits to verify both primes and sub contractors’ adherence to these requirements which is why the CMMC was created. The CMMC was brought into effect to implement a systematic approach to audit contractor compliance with NIST SP 800-171 by requiring five varying levels of maturity expectations which range in the number of requirements and controls that must be met in order to achieve certification.
Key Differences between CMMC and NIST
CMMC Level 1 versus CMMC Level 3
Based on our research, it is our understanding that the most required CMMC levels will be either CMMC 1 or 3. The requirements within each vary considerably so we’ve outlined the principal differences between the two.
>> Click here to view TSI’S CMMC Technical Managed Programs
CMMC Level 1
Level 1 or “basic cybersecurity hygiene” is the minimal level of security controls that a government contractor must establish to get the Cybersecurity Maturity Model Certification. Only the basic security controls, such as such as using antivirus software or ensuring employees change passwords, need to be in place to qualify for this level.
Level 1 is the basis upon which the other levels are built. Once the basic security controls are in place, you will be able to safeguard FCI and keep it away from public viewing. Similarly to CMMC 3, this level has 17 practice areas, which are derived from FAR (Federal Acquisition Regulation 48 CFR 52.204- 21).
CMMC Level 3
This level builds on the basic Level 1 and Level 2 CMMC requirements. Contractors that have achieved Level 3 are equipped with the basic security controls needed to protect sensitive and confidential data and denotes that the contractor has facilitated 130 cybersecurity practices.
These practices are derived from FAR and also include all the practices listed in NIST SP 800-171, as well as 20 other practices. They help implement “good cyber hygiene” practices to safeguard CUI.
Implementing CMMC Controls Cost Effectively
The Assessment Phase
The first step toward CMMC compliance starts with the assessment phase where you establish a baseline for recommendations that will address any gaps that may impact your CMMC compliance posture. Based on the actionable insights stemming from this assessment, you can start formulating a strategic roadmap addressing these gaps and ultimately move onto the implementation of those controls in preparation of any audit or vendor driven compliance verification request.
This assessment should clearly determine your compliance posture alongside all the required steps and resources to address them. It’s important to also note that because the documentation attesting the completion of these controls is a CMMC requirement, you should do so to also help guide your efforts to make sure you’re paying the appropriate amount of attention to the most heavily weighted compliance requirements of the CMMC.
Plan of Action and Milestones (POA&M)
The good news is that getting ready for CMMC certification isn’t necessarily difficult IF there is a precise, regimented plan in place addressing your strategic gaps alongside a solid understanding of how to minimize the exposure of CUI throughout your organization.
At the very least, you can accomplish this by making sure that the parts of your network that are accessing CUI are segregated from the broader network.
Minimizing your ‘exposure’ to CUI is one of the most critical ways that can significantly minimize your costs and achieve compliance in a way that is both complete and cost-effective.
The Role of a Managed Services Provider
Rather than hiring your own CIO/CISO to address your CMMC requirements ,you could also dramatically minimize the costs of attaining CMMC compliance by choosing to partner with a Managed Security Services Provider that is well oriented with these compliance requirements – something that we’ve spoken to in a recently published article, ‘vCISO for CMMC ’. Because approximately 95%+ of all CMMC certification requirements are cybersecurity related, working with an MSP or MSSP will provide the resources and expertise required for a successful compliance strategy.
In addition to the ongoing management of your compliance strategy, your MSSP can also work with your auditors or clients to verify you adherence and ensure you’re positioned for long term success, rather than investing in additional internal resources to accommodate to these IT requirements. Keep in mind that your CMMC success not only includes the successful implementation of IT solutions, but a clear understanding of what auditors are looking for. Don’t make the mistake of delegating these compliance tasks to your IT team and seriously consider either sourcing or hiring a CIO/CISO level resource to help accomplish your respective compliance objectives. There is a high degree of expertise required to successfully implement these controls and relying on a small IT team or network administrator is both unfair to them and your organization as a whole- even if they’re insistent that they can accomplish this!
To say that CMMC certification is a huge undertaking is a bit of an understatement, especially considering that you’ll be required to constantly document and verify the security posture of the greater network as well as the end users accessing CUI.
That said, if partnering with an MSSP is your likely route, keep in mind that you need to give your provider considerable time to get you to the point where you need to be. Generally speaking, it takes several months- at a minimum- to get everything into place and requires the ongoing documentation, testing and configurations of these solutions- in addition to your existing security processes- to address today’s evolving cyber threats.
If nothing else, remember that CMMC certification is NOT something you want to wait until the last minute to do. At the very least, you should perform an assessment as soon as you’re able, to help forecast your expenses as well as provide the chance to identify the who/what/when/where’s of the process to clarify exactly what you need to do to become compliant so that it isn’t a complete surprise to your company and any sales opportunities are unanticipatedly lost.
Preparing for CMMC Certification, Together
At TSI Support International, we understand how important CMMC certification is – and we’re also aware that this is one road you’re not necessarily eager to travel down alone. But the good news is that we’ve been addressing these and similar compliance requirements for over 20 years, and confident we can help you as well. To learn more about how we can help your organization, feel free to contact either myself or a colleague at TSI to schedule your introductory phone call. That way, we can make sure you’re best positioned to address these requirements and can focus on growing your business.
Preparing for CMMC Certification, Together
At TSI Support International, we understand how important CMMC certification is - and we're also aware that this is one road you're not necessarily eager to travel down alone. But the good news is that we’ve been addressing these and similar compliance requirements for over 20 years, and confident we can help you as well. To learn more about how we can help your organization, feel free to contact either myself or a colleague at TSI to schedule your introductory phone call. That way, we can make sure you’re best positioned to address these requirements and can focus on growing your business.