CMMC 2.0 Update

I recognize that a host of others are writing about CMMC and its ever-changing guidelines while in development. What I would like to do is present a simple view - where we are in the process and development stages and how they can potentially impact your business.

First, a few disclaimers. One: the development of CMMC is fluid, meaning that things change on the fly. Two: CMMC was created so that the DOD and DOD contractors adhere to specific guidelines when working with CUI (Controlled Unclassified Information). If you are not in the industry and your business does not work with the DOD, directly or indirectly, you will not have to adhere to the new certification. As everyone reading this is probably aware, the military industrial complex relies on a variety of outside help to support its supply chain: public and private sectors, small and large businesses. So even if you are not working with the DOD now but aspire to do so or want to be prepared, you may want to explore CMMC and how to meet its requirements.

What is CMMC? CMMC stands for Cybersecurity Maturity Model Certification. Its current iteration has 3 levels of certification depending on what you are protecting. CMMC is based upon the NIST framework: NIST 800-171 Rev 2, plus 800-172 if you are required to meet Level 3 CMMC. NIST provides a guideline framework to confirm that your business is following a process that promotes good cyber hygiene and clear, concise responses to potential and imminent threats. NIST 800-171 Rev 2 is an extensive guideline for protecting controlled unclassified information in nonfederal systems and organizations. NIST is an agency of the United States Department of Commerce.

Currently, the CMMC certification model is not in effect, so no one is required to formally attest and be audited by a certified CMMC practitioner, known by its Star Wars-like name, C3PAO, or by a certified assessor. At the moment, self-assessment and attestation is the only requirement. Rule 48 CFR has been handed over for regulatory review. As of this moment, when the rule will be turned around and put into effect is unknown; some say by the end of this year, others sometime in 2025. Currently, there is no legal mandate. However, cybersecurity hygiene is dictated by the particular contract your business is seeking. When will CMMC be mandated to acquire a DOD contract? That depends entirely on when CMMC comes into effect. As stated earlier, rule 48 CFR is supposedly being reviewed and could be passed sometime this year or next.

The best advice I can give now is to start evaluating where your company stands in reference to technology, IT, cyber, and documentation. The best way to prepare is to use the NIST 800-171 Rev 2 framework to self-assess what you currently have in place and which deficiencies may require your attention.

A few items that can really help to guide your process are:

  • SSP (System Security Plan): This document is required, and I recommend filling it out to the best of your ability before doing anything else.
  • POAM (Plan of Action and Milestones): This will help you complete tasks and know what resources are required to complete a milestone. It also helps guide completion and target dates.

Something else to note: documentation tends to be the more complicated facet of the CMMC process. Policies, procedures, and understanding how you’re adhering to the NIST guidelines and later the CMMC requirements are key elements. Knowing how your company is doing something, and how that something protects CUI, must be documented; a disaster recovery plan or a data backup plan and procedure are examples. These policies and others are crucial to the way your business will react to a negative security event. A System Security Plan (SSP) is imperative: it gives your internal IT, management, board members, and the like an overview of your IT, cyber, and security posture. It can provide guidance on where to find information and on what 3rd party vendors are doing for your company to satisfy a specific requirement. Do not be alarmed: when an SSP is done correctly it can be a very large document, sometimes exceeding hundreds of pages.

As CMMC has progressed, we have been alongside it through the ups and downs. There have been plenty of times that we have questioned whether it would ever come to fruition. Although we are still in a holding pattern, it sure seems like it will be mandated within the next year. Moving forward, I do recommend self-assessing, downloading the SSP template, and filling it out. This will give your team an idea of what you are up against and start formulating a plan of attack. It will also help you understand which level of CMMC your company needs to acquire. Hiring an outside team or 3rd party vendor to do a gap assessment is another recommendation, to better understand what needs to be done. The one thing that has been a constant throughout this process is the NIST guidelines, so making sure you are following NIST 800-171 Rev 2 is a key element to success. Once it is mandated, CMMC will be a contract clause that you will need to agree to and sign in order to receive a DOD contract.

Listed below are links to more information and a direct link to the SSP template. For additional assistance, you can reach out to me directly. I will be happy to answer more in-depth questions and elaborate further.

Jose Pocasangre
Email: [email protected]
Phone: 800-538-9130

Helpful Resources
SSP Link: https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/cui-ssp-template-final.docx
POA&M: https://csrc.nist.gov/glossary/term/poaandm
CMMC Model: https://dodcio.defense.gov/CMMC/Model/ (Latest Model, 2.0 has 3 levels. 1.0 was the original methodology)
CyberAB: https://cyberab.org/
NIST 800-171 Rev 2: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
NIST 800-172: https://csrc.nist.gov/pubs/sp/800/172/final (For Level 3 CMMC)
