The Cybersecurity Maturity Model Certification (CMMC) is a new framework that applies to US Department of Defense (DoD) contractors and subcontractors. First published in 2020, CMMC will gradually be implemented over the next five years. Compliance with CMMC will be an integral part of the bid process for DoD contracts. Contractors and subcontractors from across the Defense Industrial Base (DIB) will need to comply with the required CMMC level stated in DoD contracts.
CMMC compliance levels will appear in more and more DoD Requests for Proposals (RFPs) over the next few years. CMMC will also likely be adopted by other US federal departments in the future as a best-practice cybersecurity standard for contractors. Organizations should start planning for compliance today. This checklist helps contractors prepare for CMMC compliance and includes a point-by-point rundown of the 17 CMMC domains.
Understand and identify FCI or CUI
The first step is to understand the different types of government data that your organization may handle. The type of data being processed determines the level of CMMC compliance that's required, which in turn determines the set of security controls that your organization and systems will need to meet.
Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will generally be the main types of government data that contractors will deal with.
FCI is data provided by the government as part of a contractor’s service or product delivery but is not intended for general or public release. FCI will require compliance with the first of five CMMC levels.
CUI is government data that is sensitive, but not classified. Government agencies provide lists of defined CUI, but examples may include technical data or patent information. CUI will require level 3 CMMC compliance.
Highly sensitive data, classified information, or critical services fall under the highest levels of CMMC compliance.
Perform network scoping
Scoping the parts of the system, and the points of entry, that handle government data helps define the boundaries of CMMC compliance. By identifying the system environments that process CUI, organizations can limit the scope of the compliance assessment to the relevant parts of the network instead of the entire system.
This approach can reduce the resources required to reach compliance with CMMC by keeping CUI separate and secure within your systems. Controlled access and system partitions can further reduce the parts of the network in scope for assessment.
Identify the required CMMC level
CMMC has different levels of compliance, relative to the degree of risk and sensitivity of the government data being processed, stored, created or managed by a DIB organization. CMMC acts as a way of categorizing these risk levels. The required CMMC level will be outlined in DoD Requests for Proposals (RFPs).
Organizations that store or process Federal Contract Information will need to meet CMMC Level 1 compliance. Organizations that store or process Controlled Unclassified Information (CUI) will need to meet CMMC Level 3. This level includes all the requirements outlined by the NIST 800-171 standard, which was created to safeguard CUI on non-federal systems.
Organizations that process or store extremely sensitive or classified information or data will need to meet CMMC Level 5 requirements. This is the highest level of CMMC and means compliance with all 171 practices outlined in every level of CMMC, taken from CIS controls and other standards, including the NIST 800-171 requirements.
In 2021, the National Institute of Standards and Technology (NIST) published NIST 800-172, a supplement to NIST 800-171. It outlined enhanced security requirements for protecting the confidentiality of CUI in non-federal systems. NIST 800-172 is useful to understand the high-level requirements and security controls needed by CMMC Level 5 certification.
Perform compliance gap analysis
It’s important to gauge your current compliance level ahead of the CMMC assessment so that you can prepare in good time. Identifying gaps in compliance will help prioritize the steps needed to achieve CMMC certification. Vulnerability scans of networks and systems are an effective way of highlighting gaps in compliance against CMMC security practices.
A gap analysis will help organizations create a Plan of Action with Milestones (POAM), a key part of project planning. Clear milestones help to streamline the process and realign resources. The plan will need to be formulated and completed before the official CMMC compliance assessment by a Certified Third Party Assessment Organization (C3PAO), because DIB organizations need to be fully compliant with the security practices for the required CMMC level to receive certification and execute the DoD contract.
Each CMMC level brings new security practices, outlining cybersecurity policies and processes needed for compliance. Organizations can use these controls as the basis of their gap analysis. To reach a certain level of CMMC compliance, organizations must meet the requirements in the previous levels too.
- CMMC Level 1 contains 17 security practices
- CMMC Level 2 adds 55 security practices, bringing the total to 72
- CMMC Level 3 adds 58 security practices, bringing the total to 130
- CMMC Level 4 adds 26 security practices, bringing the total to 156
- CMMC Level 5 adds 15 security practices, bringing the total to 171
Build a project plan
A project plan should bring together the documentation and findings of the previous steps. It will provide a clear outline of how to achieve compliance with the required CMMC level. A project plan with milestones will make the journey to compliance more straightforward.
The project plan should include:
- Scope of the assessment and system boundaries
- The team in charge of measuring and implementing changes
- The level of CMMC compliance required
- Findings of the compliance gap audit
- Estimated timeline and resource cost
- Clear milestones that need to be met for project completion
Create a System Security Plan (SSP)
A System Security Plan (SSP) is a requirement for the higher levels of CMMC compliance. It’s a document that outlines the cybersecurity controls for systems that process or store CUI or other government data. An SSP is needed for CMMC Level 2 and above, because that is the level at which documentation of cybersecurity processes becomes a requirement.
The creation or refinement of an SSP should be an early step for any organization exploring CMMC compliance. It should be seen as a live document that is regularly reviewed and kept up-to-date.
Assign the right resources
Any project to review and update cybersecurity resilience will take resources to complete properly. Requirements are wide-ranging and will affect different areas of the organization. Improvements will go beyond the configuration of devices and hardware, covering elements such as the provision of cybersecurity training and the setting of organization-wide policy.
CMMC is mandatory for DoD contracts where FCI and CUI are involved, so compliance is vital for many DoD contractors.
This means the right level of resources should be made available for the compliance project. It should be seen as an ongoing task, but it will be most resource-intensive at the start of the process. Reviewing and renewing controls and system security takes time, effort, and resources.
Assign a team with a budget to cover elements like vulnerability scans, outsourced security advice, or changes in policy and procedure. The capabilities of internal resources and expertise should be assessed, as external resources and support may be required to efficiently reach compliance.
CMMC Domain checklist
CMMC consists of 17 different domains or areas, each containing a range of security practices needed for compliance. Here’s a simple checklist for each one, to help organizations understand the basics of each domain.
Access Control
- Create rules for user access to internal networks and systems.
- Keep up-to-date lists of authorized users and account privileges.
Asset Management
- Create an inventory of all hardware, software, and technology on the system.
- Document processes for backup and destruction of system data.
Audit and Accountability
- Establish logs that track user actions and related information, including timestamps.
- Record and log any user access to CUI and assets.
Awareness and Training
- Embed cybersecurity training at all levels of the organization.
- Align training with how each employee interacts with CUI systems in their role.
Configuration Management
- Embed baseline device configurations for improved cybersecurity resilience.
- Identify and map devices and systems which process CUI.
Identification and Authentication
- Embed systems for the unique identification of users, devices, and processes.
- Strengthen user identification processes, including setting a minimum complexity of passwords.
Incident Response
- Create an incident response plan to detect and contain threats to CUI.
- Ensure employees are trained and ready to respond to serious incidents.
Maintenance
- Create a schedule for ongoing maintenance of systems, hardware, and devices.
- Track and log updates and repairs to software, hardware, and firmware.
Media Protection
- Create a policy for safe management and destruction of media containing sensitive data.
- Track all media that may contain sensitive information.
Personnel Security
- Screen all personnel with access to CUI.
- Add appropriate background checks to the hiring process.
Physical Protection
- Maintain a list of employees with access to the building and server environment.
- Restrict access to sensitive areas of the organization that may include servers or hardware.
Recovery
- Create a schedule for the automated creation of system backups.
- Routinely test backups and logs.
Risk Management
- Design and embed a comprehensive risk management plan.
- Proactively scan networks and systems for vulnerabilities and risks.
Security Assessment
- Audit security measures regularly to identify new vulnerabilities.
- Amend security measures to combat emerging threats.
Situational Awareness
- Embed processes for highlighting new threats and risks to the system.
- Keep up to date with emerging external cybersecurity threats.
System and Communications Protection
- Clearly define network boundaries, including cloud-based systems.
- Monitor endpoint security.
System and Information Integrity
- Keep network components and software up-to-date and patched.
- Schedule regular updates for user software and devices.
Arrange for certification
Unlike NIST standards, there is no self-assessment option for CMMC. Organizations gain confirmation of compliance with CMMC through an audit by a C3PAO, an accredited third-party assessor.
Third-party assessment organizations evaluate compliance with the given CMMC level. Certification is then issued by the CMMC Accreditation Body and is valid for three years. Contractors will need to provide proof of CMMC compliance before contract award.
Assess CMMC compliance with Titania Nipper
Titania Nipper is a firewall and network auditing tool that can streamline compliance with CMMC. Nipper can accurately assess your cybersecurity compliance against 42 CMMC security practices across 9 of the 17 domains.
Create impact reports to prioritize non-compliance issues and address emerging risks efficiently. Reports provide detailed remediation advice and exact technical fixes for every risk found.