1. Start with a current state assessment
Many organizations lack the resources to do a comprehensive assessment; others may be tempted to reuse prior DFARS self-assessments or existing NIST 800-171 compliance materials, or to skip the current state assessment altogether. But CMMC adds structure and an accreditation body, and a thorough current state assessment produces most (roughly 90%) of the documentation and detail required in the System Security Plans (SSPs) and Plans of Actions and Milestones (POAMs).
An accurate and complete current state assessment is the right foundation for full compliance. Inventory the technology and applications that process, create, or store CUI. Identify your organization's target CMMC level. Interview the right people in your organization to document how each NIST 800-171 and CMMC security requirement is met today. Companies that have already invested in NIST 800-171 controls may be able to map that work directly to CMMC practices. If a company has already been assessed by the DIB Cybersecurity Assessment Center (DIBCAC) or holds an ISO 27001 certification, there may be reciprocity in the form of credit for controls that have already been independently assessed; confirm the current reciprocity rules with your assessor rather than assuming credit.
2. Address control gaps
Review your controls documentation and the processes used to safeguard CUI. Identify and address control gaps that were not previously known, using the evidence gathered during the assessment and measuring each control against the CMMC requirements for your target level.
Control gaps can range from lacking the right skill sets, to overlooking a policy or procedure, to lacking a capable identity and access management solution. Organizations aspiring to CMMC levels 4 and 5 will typically face more advanced gaps, since those levels add proactive and adaptive practices beyond the baseline.
Many organizations also face challenges implementing several controls from certification levels 1 through 3, such as:
- multi-factor authentication, a technology investment that can require significant retooling, depending on the environment
- clearly defined network architecture and data flow diagrams, which are fundamental to scoping and documenting the CUI environment
- full audit logs at both the application and system level that are retained, monitored, and generate alerts
- a configuration management database (CMDB) covering all physical and logical assets, with each asset's data classification recorded
3. Plan for remediation and compliance
Develop a plan to address deficient controls, reach the CMMC level your organization is targeting, and obtain certification. Remediation can take anywhere from a few weeks, for smaller gaps, to a few years for larger technology implementation efforts. Achieving certification at Level 1 or Level 2 may take a few months, while reaching higher levels may take a year or longer, given the increase in requirements. The level of effort depends on the organization, the contract, the environment, the nature of the gaps, and the CMMC level you are moving to and from.
Having a gap does not necessarily mean you are not at the required level of compliance. If you have a remediation plan in place and the contracting officer's representative at the prime contractor above you in the supply chain, and/or the contracting officer's representative at the DoD, is comfortable with the plan, you may still be able to get certified. Check the current CMMC rules on POAMs before relying on this: the program has at times required every practice to be implemented at the time of assessment, and at times allowed open POAMs only for a limited set of practices with a deadline for closing them.
4. Identify key stakeholders across the organization
Attackers move laterally across functions, departments, and systems, and risk breeds in the gaps, silos, and hand-offs between them. Compliance will therefore require stakeholders across the organization. Decide who should be involved from technical, business, compliance, and executive leadership during the planning, remediation, and certification process, and who should own ongoing CMMC compliance and the related decision making for the organization.
5. Build continuous compliance capability
Conduct regular status meetings and checkpoints with remediation owners to track progress and identify risks before they affect the organization's overall CMMC compliance. Organizations that have executed the previous steps will reach this point naturally: it is a progression from the POAMs and part of standard project management practice. The added benefit is that clear status updates can be included in communications with contracting officers. This is also the stage to set up continuous improvement in cybersecurity. Integrate the compliance process into your company's existing Internal Audit, IT Compliance, or equivalent internal functions. Implement automation and technical monitoring where possible, both to ease the burden and to ensure that the organization stays aware of security risks between assessments.