The Department of Defense (DoD) has officially published version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) approach. DoD contractors are now trying to figure out what comes next. Since all DoD contractors will need to obtain a CMMC certification at some point, all of them must spend time to create a strategy and develop/implement a plan to get there. To help you jumpstart the process, we've put together the five steps you’ll need to follow. These can be used as milestones as part of an implementation project plan.
Step #1. Determine where you are (pre-assessment).
You can't plan to get somewhere without first knowing where you are. Since DFARS requires compliance with NIST SP 800-171, you should already have some documentation in place regarding your practices concerning 800-171 controls. You can and should leverage this documentation, so you're not starting from scratch. The goal is to validate your 800-171 implementation, but also figure out what CMMC level you currently map to.
Before CMMC, compliance with 800-171 was mostly a "yes or no" question. With the various CMMC levels, the number and types of controls get more involved. There is also a set of process requirements in CMMC you must demonstrate at each of the levels. While evaluation criteria for the CMMC Certified Third Party Assessors (C3PAOs) are still in development, it is clear that a "yes or no" approach is insufficient.
It is not enough to say you have a control implemented; you must be able to prove it to a third party (the C3PAO). Assessors will be looking for evidence that you have implemented controls effectively and consistently. A pre-assessment must therefore take into account both the evidence you already have and your ability to generate evidence on an ongoing basis.
Step #2. Determine where you need to be.
Once you know where you are, the next step is to figure out where you need to be. Although DoD has not yet released any indication of which types of contracts will require a given CMMC level, you can still begin answering this question now with the information that is available.
CMMC concerns two types of unclassified information within the supply chain. The first is Federal Contract Information (FCI), which is information provided by or generated for the Government under contract not intended for public release. The second type is Controlled Unclassified Information (CUI), which is more sensitive information requiring specific safeguarding or dissemination controls depending on the sub-type of CUI used.
Do you have CUI? How do you know? Answers to these questions will help drive your decision making. If you don't have CUI, odds are your type of contract will be limited to level 1 or level 2. If you have CUI, CMMC tells us you'll need at least level 3. Determining your target level will require discussions with your contracting officers, those currently managing your 800-171 compliance, and business leaders to figure out what kinds of contracts you want to go after in the future.
Step #3. Develop and implement a plan of action.
This is where the hard work starts. By this time, you've approximated what level you currently map to and have determined a preliminary target level where you'd like to be. Your work is now to look hard at the gaps between the two and develop a plan of action. You will identify the necessary people, process, and technology resources and break down your plan into a series of prioritized tasks. The goal of these controls is to manage your cyber risk more effectively. It is easier to think of CMMC compliance as a byproduct of a solid security program: focus on the program and compliance will follow naturally.
The plan of action is the most challenging part of this process because it can take a significant amount of time to effect the needed change in your organization and move up the CMMC ladder. Knowing the most efficient and effective way to implement this change is where expertise in security and process will be most valuable. You don't want to overspend, but you also don't want to fall short of where you need to be.
Your action plan should include tests that verify each task was completed successfully. Once those tests pass and your confidence is high, you are ready to proceed with certification.
Step #4. Get certified.
Once you’re ready to see your hard work pay off and get your certification, you'll select and hire a C3PAO for a formal assessment against the targeted CMMC level. If you've done your homework, you'll know ahead of time what kind of documentation you will need to provide. However, since this will be the first time you've gone through a formal CMMC assessment, you should take good notes and capture any lessons learned throughout the process. Since CMMC is a permanent requirement, this assessment will only be the first of many you'll need to go through as a business.
Step #5. Stay certified.
Congratulations! You've gotten certified at your target CMMC level. Unfortunately, it doesn't end there. Your job now is to keep all of those newly implemented processes and technologies running and continuously verify that they're still implemented effectively. If your target level was one or more levels above where you started, it would be easy for things to drift back to where they were before. It takes effort and dedication to prevent this from happening.
Remember that everyone must complete the above five steps to some degree, so you're not alone. Like any goal worth pursuing, hard work and consistent dedication will get you where you need to be. The fruit of your labors will enable you to win the contracts you want and significantly reduce your risk of a cyber breach. Good luck and check back for more updates on the Cybersecurity Maturity Model Certification (CMMC).
Darren Van Booven is a lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives.