The Cybersecurity Maturity Model Certification (CMMC): CMMC Guide & Checklist 2021
The Cybersecurity Maturity Model Certification (CMMC) is a must for Defense Department contractors.
As many as 300,000 prime contractors and suppliers, as well as those of their subcontractors, will be affected by the security framework released by the US Department of Defense (DoD) in early 2020.
The National Institute of Standards and Technology's Special Publication 800-171 (NIST 800-171) and certain federal regulations form the basis of the CMMC compliance requirements.
The Defense Federal Acquisition Regulation Supplement (DFARS) has long required DoD acquisition contracts to comply with NIST 800-171. DoD officials estimate that only 1 percent of contractors are fully compliant, which means they implement all 110 controls in NIST 800-171.
CMMC demands conformance with NIST 800-171 and adds new requirements drawn from the NIST Cybersecurity Framework (NIST CSF), the Center for Internet Security (CIS) controls, and the CERT Resilience Management Model (CERT-RMM).
Moreover, Defense Department contractors and their subcontractors, who make up the Defense Industrial Base (DIB), must be certified to do business with DoD, whereas NIST 800-171 relies on self-assessment rather than certification by a third-party assessor.
CMMC: Why It's Important
In conjunction with university-affiliated research centers, federally funded research and development centers, DIB stakeholders, and DoD stakeholders, the Under Secretary for Acquisition and Sustainment created the framework. In January 2020, CMMC version 1.0 was released and was updated to CMMC version 1.2 on March 13th.
The DoD states its goal is to ensure that large and small contractors are held to one set of uniform security standards to protect DoD information.
Per the CMMC guide, third-party assessment organizations (C3PAOs) approved by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) are required to verify that DoD contractors follow cybersecurity best practices and to confirm the maturity level of their security programs.
Your business might not be eligible for lucrative DoD contracts without the CMMC certification. A CMMC certification will be required for all entities that do business with the agency by 2025.
What is your compliance status? Are you aware? Compliance software can help you locate compliance gaps, provide recommendations for how to fill them, track compliance activities from assignment to completion, and gather evidence of your compliance efforts to make your audits much easier and less expensive.
Not every business handles the same data or faces the same risk. To deal with this, CMMC offers five maturity levels, or tiers of compliance requirements, starting with the least mature/smallest organizations and ending with the most mature/largest organizations.
Depending on your DoD contract, you may need to reach a particular level. Cybersecurity Maturity Model Certification will gradually include the certification levels for organizations in upcoming requests for proposals (RFPs) and requests for information (RFIs).
The level of maturity required will be affected by the types and sensitivity of the Department of Defense information you receive or use. For instance, the Defense Information Systems Agency (DISA) anticipates its contractors achieving certification levels three or four.
Your enterprise will be well on its way to certification if it is compliant with NIST 800-53 or FedRAMP. Currently, you're almost there if you're in compliance with NIST 800-171.
There's more good news: GRC solutions will let you know where there's overlap so that you don't have to duplicate efforts.
The CMMC Guide: How To Use It
You cannot go wrong with knowledge. This CMMC guide gives a detailed overview of compliance, as well as details on:
- CMMC security vs. other security frameworks
- Definition of CUI (controlled unclassified information)
- How to determine which CMMC maturity level applies to you, and what the five levels mean
- What you need to do now to comply with the CMMC requirements
- CMMC audit preparation
- CMMC-compliant tools and technologies.
This guide includes links to resources that will allow you to explore the framework in greater detail. CMMC is a complex framework, so make sure you are familiar with it after reading all the materials.
CMMC Compliance Checklist
With a detailed breakdown of each of the 17 domains of CMMC compliance, this checklist can be used to prepare contractors for CMMC compliance.
Checkpoint 1: Identifying FCI and CUI
- The two most common types of government data contractors will deal with are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Government contractors are required to provide FCI to customers as part of their service and product delivery.
- CUI refers to sensitive but non-classified government data. A government agency provides lists of CUIs, which, for example, contain technical data or patent information.
- CMMC compliance requirements are higher for highly sensitive, classified, and critical data and services.
Checkpoint 2: Network Scoping
- Identify the FCI and CUI data within the organization.
- Assess the components in the system responsible for storing and processing these data.
- Document the areas that process CUI or FCI data by drawing a diagram of the network and systems.
- Scoping the relevant system sections defines the boundaries of CMMC compliance.
- An organization can limit the scope of compliance assessment by identifying the systems that process CUI.
- In this way, you can keep CUI separate and secure within your systems and minimize the resources required to meet CMMC compliance.
Checkpoint 3: CMMC Level
- There are different levels of CMMC based on the level of risk posed by the data that a DIB entity is storing, processing, managing, or creating.
- These risk levels are categorized by the CMMC. Requests for Proposals (RFPs) from the Department of Defense will outline the required CMMC level.
- Compliance with CMMC Level 1 is required for organizations that handle federal contract data.
- CUI (Controlled Unclassified Information) will require CMMC Level 3 compliance for organizations that process it or store it.
- The NIST 800-171 standard, designed to protect CUI in nonfederal systems, includes all the requirements for this level of protection.
- At the most comprehensive level, CMMC identifies 171 practices that are based on CIS controls and other standards such as NIST 800-171.
- CMMC Level 5 requirements must be met by organizations handling extremely sensitive or classified information or data.
- At this level, CUI in nonfederal systems must be protected by strict security requirements.
- CMMC Level 5 certification requires the understanding of high-level requirements and security controls presented in NIST 800-172.
Checkpoint 4: Compliance Gap Assessment
- CMMC assessments are best prepared with a clear understanding of your current compliance level.
- Identifying and closing compliance gaps is the path to CMMC certification.
- Measuring against the CMMC security practices is an effective way to identify gaps, for example in network and system vulnerability scanning.
- By conducting a gap analysis organizations can develop a Plan of Action with Milestones (POAM), which is an important step in planning projects.
- Defined milestones make it possible to track process improvement and reallocate resources.
- DIB organizations need to formulate and complete a compliance plan to meet compliance standards to be certified and execute DoD contracts.
- The plan must be completed before the official CMMC compliance assessment by a Certified Third Party Assessment Organization (C3PAO).
- Security practices are outlined at every Cybersecurity Maturity Model Certification level, outlining the policies and processes that must be followed to ensure compliance.
- Gap analyses can be based on these practices. An organization must meet the requirements in each level of CMMC compliance before it can reach a certain level.
- There are 17 security practices in CMMC Level 1.
- CMMC Level 2 adds 55 more, bringing the total to 72 security practices.
- CMMC Level 3 adds 58 new security practices, bringing the total to 130.
- CMMC Level 4 adds 26 new security practices, bringing the total to 156.
- CMMC Level 5 lists 171 security practices, up 15 from Level 4.
Checkpoint 5: Plan
- Findings and presentation should be consolidated in a project plan.
- It gives you a clear structure for reaching the specified CMMC level.
- Establishing milestones along the way will make the process easier to follow.
Among the project plan's components are:
- Assessing the scope and boundaries of the system
- Implementation and Measurement team
- Compliance with CMMC level needed
- CMMC compliance gap audit findings
- Resources and timeline estimated
- Clear deadlines for completion of the project
Checkpoint 6: System Security Plan
- CMMC compliance at the higher levels requires an SSP (System Security Plan).
- This document describes how CUI and other government data is processed and stored.
- For CMMC Level 2, an SSP is a must, because cybersecurity methodologies are documented at this point.
- Every organization contemplating CMMC compliance should develop or refine an SSP.
- Keeping it up to date should be considered a regular process.
Checkpoint 7: Right Resources
- Reviewing and improving cybersecurity resilience will require a lot of resources.
- Besides deploying new hardware and software, improvements also encompass cybersecurity training and policy formulation.
- The compliance project should have the appropriate level of resources.
- The project is likely to require the most resources at the start.
- DoD contractors must comply with CMMC for contracts involving FCI and CUI.
- Assessment of internal resources and expertise is critical for optimizing compliance, as external support and resources may be needed.
- Establish a team of staff with budgets to cover security scans, outsourced advice, or policy and procedure revisions.
- It takes time, effort, and resources to review and renew controls and system security.
Checkpoint 8: Checklist for the CMMC Domain
Each of CMMC's 17 domains, or areas, includes security practices such as the ones specified below.
CMMC Domain 1. Access Control: Keep records of who is authorized to use which systems up to date.
CMMC Domain 2. Asset Management: Record procedures for archiving data and destroying it.
CMMC Domain 3. Audit and Accountability: Ensure that access to CUI and assets is logged for every session.
CMMC Domain 4. Awareness and Training: Train everyone in the organization on cybersecurity.
CMMC Domain 5. Configuration Management: Improve cybersecurity resilience by establishing baseline device configurations.
CMMC Domain 6. Identification and Authentication: Establish a minimum level of password complexity for user identification.
CMMC Domain 7. Incident Response: Train employees to respond to potentially serious incidents.
CMMC Domain 8. Maintenance: Make sure that systems, hardware, and devices are regularly inspected and maintained.
CMMC Domain 9. Media Protection: Implement a policy for managing and destroying sensitive media, and keep a record of sensitive data on all media.
CMMC Domain 10. Personnel Security: Screen all personnel before granting CUI access and complete background checks for all newly hired employees.
CMMC Domain 11. Physical Protection: Protect sensitive areas of the organization, including servers and hardware.
CMMC Domain 12. Recovery: Set up an automated system backup schedule and test backups periodically.
CMMC Domain 13. Risk Management: Build a risk management plan, embed it into your business processes, and identify vulnerabilities in networks and systems.
CMMC Domain 14. Security Assessment: Identify new vulnerabilities by auditing security measures regularly and adopting new security measures as threats emerge.
CMMC Domain 15. Situational Awareness: Establish processes that alert the organization to new threats and keep it aware of external cybersecurity threats.
CMMC Domain 16. System and Communications Protection: Establish clear boundaries between networks, including cloud-based systems, and make sure endpoints are secure.
CMMC Domain 17. System and Information Integrity: Stay up to date, patch your network components, and upgrade software and hardware on a regular basis.
Checkpoint 9: Obtaining Certification
- CMMC is not self-assessed like NIST standards.
- A C3PAO confirms an organization's CMMC compliance with the assistance of an audit.
- CMMC level compliance is assessed by a third-party evaluation organization.
- The CMMC Accreditation Body issues a three-year certification once the assessment is complete.
- Contractors will be required to prove compliance with CMMC before contracts are awarded.
This CMMC guide and domain checklist cover what you must be aware of to proceed in each domain. Your business might not be eligible for lucrative DoD contracts without the CMMC certification. A CMMC certification will be required for all entities that do business with the agency by 2025.