CMMC Compliance – Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) independent verification model designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIB) systems and networks.
CMMC Model 2.0 is more than checking off security controls from NIST SP 800-171. Earning CMMC Level 2 Certification requires a good grasp of how to work through specific requirements, such as scoping your environment, developing a detailed System Security Plan, and instituting appropriately shared responsibility matrices (SRM), to name a few.
The DoD is encouraging DIB contractors to improve their cybersecurity posture before the Final Rule is published around May 2023. SecureStrux’s™ expert CMMC consultants are here to help you achieve and maintain CMMC compliance. We have Certified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP) available to help you on your journey to CMMC compliance and certification. We have a CCA, who has undergone a formal assessment for a CMMC Level 3 certification (Model 1.0), and has insight into how CMMC practices are evaluated. Our team of CMMC professionals assists you with understanding the comprehensive CMMC assessment process and prepares you for a successful CMMC assessment.
CMMC Assessment – Preparing for Your Audit
We recognize that CMMC has created a number of questions for you and your team, such as:
- Are we ready for a CMMC assessment?
- What do we need to do to get ready for an assessment?
- What is the assessment process?
- How do we scope our environment to meet CMMC standards?
- Are our partners, such as managed service providers and cloud service providers, a part of our assessment?
- What should our policies and procedures look like?
- How do we complete and upload our mandated Supplier Performance Risk System (SPRS) score in accordance with DFARS 252.204-7019?
We’ll connect the dots, using what we’ve learned over the past decade to help you move quickly and efficiently through to compliance and beyond. As experienced CMMC compliance consultants, we not only walk you through the CMMC assessment process, but we can also provide a gap analysis, develop your key documentation, assist with remediation, and provide continuous monitoring to maintain your compliance.

Recommended Steps You Can Take on Your Path to CMMC Compliance:
1. Configure your existing environment or build a new environment to NIST 800-171 and CMMC compliance standards.
- Define clear roles and responsibilities.
- Coordinate appropriate Shared Responsibility Matrices with service providers.
- Understand how to scope your environment (isolate CUI) in accordance with CMMC requirements.
- Ensure technical solutions meet CUI / ITAR requirements, such as incorporating Office 365 GCC High or other cloud providers to ease this process.
2. Develop a Systems Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
- Implement the security controls / CMMC practices in accordance with the SSP.
- Manage the POA&M based on the planned controls as annotated in the SSP.
3. Determine the budget required for preparing for and maintaining CMMC compliance.
- Evaluate options, such as cloud services and/or managed services, to ease the resource (cost, manpower, etc.) burden of achieving and maintaining CMMC compliance.
4. Conduct a self-assessment.
5. Hire an independent consultant to conduct a CMMC / NIST SP 800-171 gap analysis (after all, it is tough to see the forest for the trees).
6. Remediate the known gaps before scheduling for the formal CMMC assessment for certification.


CMMC CONSULTING
Flexible Services for Your CMMC Needs
No matter what level of support your organization needs, we will ensure you are ready for CMMC. Our team of professionals can assist you with a comprehensive suite of services, ranging from a routine assessment to fully implementing all the new CMMC measures.
CMMC 2.0 Explained
- The CMMC 2.0 model is streamlined from 5 to 3 levels
- Eliminates CMMC 1.0 Levels 2 & 4
- Three levels of progressive sophistication
- Level 1 (Foundational) – Federal Contract Information (FCI)
- Level 2 (Advanced) – Controlled Unclassified Information (CUI)
- Level 3 (Expert) – CUI
- Level 3 for highest priority programs with CUI
- Eliminates all CMMC unique practices & maturity processes
- Mirrors NIST SP 800-171 & NIST SP 800-172
- Level 2 is directly aligned with NIST SP 800-171
- Level 3 is aligned with a subset of NIST SP 800-172
- Allows limited use of Plan of Action & Milestones (POA&M)
The intent of CMMC 2.0 is to reduce impact to the DIB with:
- Assurance of accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements;
- Integration of a collaborative culture of cybersecurity and cyber resilience; and
- Enhanced public trust in the CMMC ecosystem, while increasing overall ease of execution
DFARS Clauses are still effective
- DFARS Clause 252.204-7012 (2017) (self-attestation of basic safeguarding requirements)
- DFARS Clause 252.204-7019 (NIST SP 800-171 – Self Assessment) (SPRS)
- DFARS Clause 252.204-7020 (NIST SP 800-171 – DoD Assessed by DCMA)
- DFARS Clause 252.204-7021 (CMMC Certification) (Modified due to CMMC 2.0)

CMMC SERVICES
CMMC Gap Analysis
This is your first step in preparing for CMMC compliance. We will perform a traditional CUI gap analysis against all 110 controls in NIST SP 800-171, along with an analysis of your preparedness to meet CMMC compliance requirements. We will also assist with determining your SPRS score.
Depending on your organizational layout and infrastructure, we will complete the compliance assessment onsite or through remote access. Upon completion of the CMMC gap analysis, we will provide a detailed list of all the action items needed to achieve your desired level of compliance. Also, we will have an executive-level briefing addressing significant concerns.


CMMC SERVICES
CMMC System Security Plan (Policies & Procedures) Engagement
For organizations that have more robust IT knowledge, we will work alongside the organization’s stakeholders to manage the compliance documentation, policies, and procedures while they implement the CMMC practices (security controls).
The SSP Engagement includes writing and maintaining the CMMC SSP based on the organization’s architecture to isolate CUI. We will write policies for the protection of FCI and CUI across the organization. The SSP Engagement will include quarterly and annual updates.
CMMC SERVICES
Assured Defense – Managed Security Support Plan
For organizations in need of a more hands-on approach, we can manage and implement any part of your CMMC compliance transition. Our Assured Defense Plan is a menu-style offering where you decide which services work best for your organization’s needs. The Assured Defense Plan provides solutions and drafts a POA&M to track progress. Our team will create and maintain your SSP policies and procedures with monthly and quarterly updates to meet the NIST SP 800-171 and CMMC compliance requirements. We will assist with determining your SPRS score. In addition, our continuous monitoring will include audit reviews, vulnerability management, anti-malware / firewall monitoring and management, and web filtering monitoring. As needed, we will implement and configure hardware and software to meet CMMC compliance.

Build Your Path to CMMC Compliance Success
Not sure what CMMC will mean to your organization? Schedule a gap assessment to stay ahead of new requirements and learn more about how our team can help.
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification system designed to ensure the protection of Controlled Unclassified Information (CUI) that resides on the Defense Industrial Base (DIBNet) systems and networks. As early as the end of 2020, some new DoD contracts will begin to specify CMMC maturity level requirements.
Controlled Unclassified Information (CUI) is sensitive, but unclassified, information that the government requires its handlers to keep safe. The handlers of CUI include private defense contractors. CUI was born out of the fact that agencies and services have different ways of managing sensitive unclassified information.
Learn more about CUI in this CMMC Certification Tips Webinar or contact SecureStrux.
There are strict rules concerning dissemination of CUI. CUI requirements are currently outlined only by NIST SP 800-171. It is regulated by the Information Security Oversight Office (ISOO), which, as part of the National Archives, was established in September 2016 with an executive order from President Barack Obama. Commonly, it is contractually obligated through DFARS Clause 252.204-7012. As of October 2020, Executive Order 13556 and 32 CFR, part 2002 designate the National Archives and Records Administration (NARA) as CUI Executive Agent for the CUI Registry. Their guidance is binding.
CUI is information that requires safeguarding or dissemination controls that are consistent with applicable laws, regulations, and government policies. There are two main types of CUI: Basic and Specified. Examples of Basic CUI include Controlled Technical Information (CTI) and International Traffic in Arms Regulations (ITAR).
There are currently 24 categories of CUI, 92 sub-categories, and 110 types, all of which are detailed in the CUI Registry. If the government wants to protect data that does not fall into one of those categories or types, it can add another category, sub-category, and type to the CUI Registry.
Some of the data that falls into CUI territory includes:
- Government financial information
- Research data
- Critical infrastructure plans & policies
- Procurement & government supply information
- Export control and restriction information
- …and much more; you can find a complete list on the CUI Registry.
CUI can be digital, physical documents, representations, images, and items (parts). For example, CUI can be either electronic information stored on a PC or it can be a printed document. It can be a part, like a circuit board, or it could be an image of that board. You need to have the proper marking and protections in place.
CUI does not include information that is lawfully publicly available without restrictions or classified information.