Four Steps for Getting Started with CMMC Compliance

Beginning now and during the next few years, more than 300,000 companies and subcontractors that conduct business with the U.S. Department of Defense (DOD) will have to certify—and potentially—overhaul their cybersecurity controls and policies to comply with the Cybersecurity Maturity Model Certification (CMMC) or face a tremendous impact to their bottom line.

Back in January 2020, the U.S. federal government began to introduce CMMC to deliver a unified cybersecurity standard across the entire defense industrial base. Before then, DOD contractors largely managed the implementation, monitoring, and certification of their cybersecurity methods, potentially leaving sensitive DOD information vulnerable to new cyber threats.

These new requirements act as the DOD’s response to strengthen its focus on cybersecurity and resilience against outside forces and emerging security risks. Effective 30 November 2020, DOD contractors and subcontractors needed to be prepared to review and score their security protocols against the DOD’s standards, documenting adherence and/or plans to remediate if necessary.

This first step towards the DOD’s desired end state leverages third-party organizations to complete audits of companies throughout the defense industrial base against the CMMC practices. This process was defined as the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Final Rule, and it requires organizations to submit scored self-assessments against the current NIST 800-171 requirements—prerequisite conditions to CMMC.

Whether your organization works directly with the federal government or is a subcontractor, the new requirements of the Interim Final Rule apply. Failure to comply with these requirements could prevent future contracts, task orders, or delivery orders awards. But, worse than that, failure to comply could bring litigation under the False Claims Act. Certainly, it’s a position that no company wants to find itself in. 

Internal surveys of DOD contractors from SSE, a longtime DOD contractor, indicate significant confusion and uncertainty surrounds these new requirements. As of fall 2020, more than half of contractors surveyed said they had not started a process towards compliance. Unfortunately, time is up. Companies need to take the time to understand what is required and prepare. 

Identify Readiness

Like every business strategy, adjusting for CMMC requirements should begin with a planning stage. Starting with a readiness assessment to identify any problem areas will save time and money in the long run.

A few questions to consider to ensure overall preparedness for compliance include: Will you need consultant and vendor support to get your arms around the requirements? How much budget will you need to set aside to assess your current situation? How much budget and time will be necessary to remediate any unmet requirements?  

Determine CMMC Maturity Level and Assess Gaps

CMMC compliance has five maturity levels, based on the nature of an organization’s work with the DOD. These compliance levels vary, with each building on the foundation of prior levels.

For example, level one—the minimum requirement for all contractors—focuses on basic cybersecurity hygiene covering 17practices. Level five covers 171 practices for contractors focused on highly sensitive DOD projects. The consensus is that most companies will be required to meet level three. CMMC level three consists of 130 practices, which are inclusive of the 110 controls already defined by NIST 800-171 and require both IT and physical security practices and policy be fully documented.

Understanding which level your organization is subject to is a critical first step in the assessment process. If initial compliance efforts result in a failed audit, remediation to fix any gaps could extend the process further. Evaluate your current security systems and processes for gaps in the requirements of the maturity level your organization must adhere to, considering and documenting your current IT policies and procedures—as well as your hardware and software.

This will prove to be beneficial as you move on to developing a plan for remediation.

Remediate Gaps

Once an assessment has been completed and a strategy has been developed, you can begin implementing necessary changes. This could include, but is not limited to, server and workstation configurations, hardware and software installations, documenting policies and procedures, and training for upgraded physical processes.

While working through the remediation stage, you may also consider Cybersecurity-as-a-Service solutions that help automate security processes for ongoing CMMC compliance. Experienced Cybersecurity-as-a-Service providers can provide policy templates for mapping these solutions to a vetted tech stack of IT tools.

For small to medium-sized businesses, this is often the simplest path for remaining compliant, minimizing capital expenditures, and maintaining flexibility for adapting to new requirements. Be sure to look for providers who not only have a rich IT or security knowledge base but also have a track record with the DOD and are verified by the CMMC Accreditation Body.   

Continuous Monitoring

Compliance is not a one-time business effort. It requires around-the-clock management of tools, policies, and procedures. To ensure ongoing compliance, a plan should be put into place for continuous monitoring and remediation of issues, along with ongoing auditing and collection of evidence to support your compliant posture. Federal contractors should be prepared to annually conduct internal self-assessments.

While this four-phased approach can help jump-start your process for achieving CMMC compliance, the complexity of remediation and ongoing compliance will vary widely across the industry.

Elizabeth Niedringhaus is president and CEO of SSE, an established DOD contractor and IT solutions provider helping businesses accelerate growth and human performance through technology-enabled solutions. SSE is an ISO 9001:2015 certified organization and a Registered Provider Organization (RPO) with the CMMC-AB focused on providing compliance services to companies across the defense and financial industries.