Contractors that work with the U.S. Department of Defense (DoD) will soon be required to meet CMMC requirements before they can bid on contracts. The Cybersecurity Maturity Model Certification (CMMC) was initiated by the DoD as a strategy to implement cybersecurity across the defense industrial base (DIB).
Currently, there are more than 300,000 companies in this supply chain, each with varying degrees of access to sensitive defense information. Version 1.0 of the CMMC was released on January 31, 2020, followed by the announcement of CMMC version 2.0 on November 4, 2021. This version of the Cybersecurity Maturity Model Certification aims to simplify contractor compliance.
CMMC Compliance Checklist
Since the DoD first announced that the CMMC will impact contractors interested in bidding on defense contracts, many businesses have been anxious to take the necessary steps to achieve CMMC compliance. Here is a look at the basic steps that DoD contractors will be expected to follow to become CMMC certified.
1. Determine The Appropriate CMMC Level
CMMC version 2.0 contains just three maturity levels compared to the five presented in version 1.0. The new version eliminates levels 2 and 4, which were originally created as transition levels. The three maturity levels of CMMC 2.0 are:
- Level 1 – This level is considered “foundational” and applies to contractors that focus on the protection of federal contract information (FCI). It has similarities to Level 1 of CMMC version 1.0 as it will be based on 17 controls found in FAR 52.204-21. These controls are designed to protect covered contractor information systems and limit access to authorized users.
- Level 2 – This level is known as an “advanced” level and applies to contractors that work with controlled unclassified information (CUI). The requirements of this level will mirror NIST SP 800-171 and remove all maturity processes and practices that were unique to CMMC. Level 2 will now align with the 110 security controls and 14 control families developed by NIST to protect CUI.
- Level 3 – This level is considered an “expert” level and focuses on decreasing the risk of advanced persistent threats (APTs). Contractors that work with CUI on the DoD’s highest priority programs may need to comply with CMMC Level 3 requirements.
2. Identify Internal Stakeholders
Stakeholders within an organization will likely play a major role in driving the CMMC initiative. Most small- to mid-sized businesses will have at least three to five stakeholders, including members from the information technology and information security departments. An executive sponsor can help provide oversight and maintain funding and activities.
Some businesses may have difficulty pulling stakeholders from their internal resources. In this situation, the company may benefit from identifying a registered provider organization (RPO) early on in the process. An RPO can provide contractors with guidance on how to best prepare the organization for meeting CMMC compliance.
3. Isolate Controlled Unclassified Information
CMMC heavily focuses on the protection of CUI, meaning contractors must take the necessary steps to limit its exposure. Contractors must perform a thorough analysis of the business and its systems to determine where CUI is stored and who has access to this information.
Ideally, businesses should reduce the amount of CUI they hold in their systems. If a business receives CUI from another contractor, it should limit the amount of information received and only accept enough data to complete the work. The less data a business holds, the easier it is to protect.
4. Create a Plan of Action and Milestones
A plan of action and milestones (POA&M) is essentially a document that identifies which tasks need to be accomplished, the resources required to accomplish the various elements of the plan, and scheduled completion dates. Before a contractor can undergo a CMMC third-party assessment organization (C3PAO) assessment, a POA&M must be developed. Many companies choose to hire an outside firm to complete this task.
5. Hire a C3PAO to Conduct a CMMC Assessment
If a contractor is only seeking CMMC Level 1 compliance, they have the option to self-certify annually. Some Level 2 businesses can self-certify while others will require a CMMC assessment from an outside party. Level 2 contractors can self-certify if they do not handle information that is deemed critical to national security.
However, Level 2 contractors that manage information that is critical to national security will require a third-party assessment every three years. Contractors that seek CMMC Level 3 compliance will require a government-led assessment every three years. A company that works in federal supply chains can achieve CMMC compliance when they successfully pass an assessment performed by a C3PAO.
Schedule A Consultation With SeaGlass Technology For More CMMC Compliance Checklist Information
Information surrounding CMMC is continuing to change, and the requirements are not yet set in stone. However, many DoD contractors are taking the proper measures now to ensure compliance. To learn more about CMMC compliance or to schedule a consultation with a knowledgeable IT professional, contact SeaGlass Technology today.