Your Guide to
DOD Compliance

NIST 800-171 and CMMC

What Is NIST 800-171?

A special publication from the National Institute of Standards and Technology (NIST) that outlines “recommended security requirements for protecting the confidentiality of CUI.”

It consists of 14 different “families” of security requirements that are divided into “basic” and “derived” levels of control. The general goal of NIST 800-171 is to ensure confidentiality of information rather than data integrity and availability.

The 14 families of NIST 800-171 are:

  1. Access Control. Security measures to control which people, processes, and devices can access information or systems.
  2. Awareness and Training. Training users in the organization to recognize threats and follow incident response plans (IRPs).
  3. Audit and Accountability. Systems and processes to monitor data access events and trace activity to specific users.
  4. Configuration Management. Processes for documenting and managing how hardware and software assets are configured.
  5. Identification and Authentication. Processes and tools for reliably identifying users, processes, and devices to enable access control and auditing/accountability.
  6. Incident Response. The organization’s tools and systems for detecting, analyzing, containing, eliminating, and recovering from security incidents.
  7. Maintenance. Processes to maintain systems to promote security for sensitive information.
  8. Media Protection. The tools and processes used to secure the physical storage media that contains CUI from illicit access.
  9. Personnel Security. Processes such as background checks and post-termination revocation of systems access are used to keep CUI safe from people who would misuse it.
  10. Physical Protection. Rules and security systems that limit the ability of unauthorized persons to access the organization’s physical systems and equipment.
  11. Risk Assessment. Processes for assessing risks and vulnerabilities that may affect CUI confidentiality.
  12. Security Assessment. Analysis of existing security controls to evaluate if they adequately address the organization’s needs.
  13. System and Communications Protection. Standards to protect “data in-flight” and to employ “defense in depth” that make it harder for attackers to jump from system to system on the network.
  14. System and Information Integrity. Requirements to identify, report, and fix system flaws that may impact system integrity against cyber threats. Also covers the need to monitor system security alerts to identify emerging threats.

What Is CMMC?

It’s an acronym for Cybersecurity Maturity Model Certification. This certification was created by the U.S. Department of Defense (DoD) in response to cybersecurity threats targeting the American Defense Industrial Base (DIB). The certification aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from being stolen or accessed by unauthorized persons.

That’s a lot of acronyms for a first paragraph, isn’t it?

Basically, it’s a new certification standard that businesses need to meet if they want to be able to take on contract work for a government entity (or work with other companies that act as government contractors).

Why You Need to Meet NIST 800-171 and CMMC Standards

You might be wondering: “Why is CMMC critical for my business? How does being NIST compliant help?” There are several reasons for a business to try to get a CMMC certification or fulfill NIST standards:

  • To Try to Win Government Contracts. Being CMMC compliant is going to be a basic requirement for bidding on government contracts where CUI will be involved. If a business isn’t certified, then it will likely not be able to earn contracts in the future. Companies looking to secure DoD contracts, in particular, will need to satisfy CMMC requirements or risk losing potentially lucrative contracts. 
  • To Improve Internal Cybersecurity. Many of CMMC’s requirements can help organizations of all sizes and industries improve their cybersecurity. This can be useful for guarding against the countless threats businesses face from malware, DDoS attacks, corporate espionage, and more.
  • To Keep Serving Other Businesses. Even if your company doesn’t do business with the government directly, it could still do business with other organizations that do. In this case, your business clients may insist on you meeting CMMC DoD standards. To remain a vendor for these clients, achieving certification is a must.
 
What Kinds of Threats Does My Business Face as a DoD Contractor?

If your company works with the DoD, DoD contractors, or any other government agency or contractor, it will likely be a target for malicious actors looking to steal sensitive information or disrupt your operations. Some of the different types of threat actors you may encounter include:

  • Corporate Espionage Agents. While illegal, there are some companies out there that may try to steal your organization’s critical data—especially data for your intellectual property (IP)—so they can recreate your services for cheaper or gain other competitive advantages.
  • Political Activists (Hacktivists). Some political groups and hacker communities may target businesses working with government agencies. They may do this because they object to some political policy or because targeting such organizations helps them promote their own political agenda. Either way, hacktivism groups can prove to be very disruptive to government agencies, contractors, and their vendors.
  • Foreign Espionage. Foreign governments are more likely to target businesses that handle information related to U.S. government organizations or elected individuals—regardless of their industry. For example, Marriott/Starwood, a hotel chain, was once targeted by “a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans” (Source: The New York Times).

Following security compliance standards like NIST 800-171 and CMMC can help businesses to defend against these malicious actors.

 

3D-Cover-MSSP-CMMC-Readiness-Roadmap

 

Verify Your Business is Getting
the Right Cybersecurity Protection

Download our cybersecurity checklist for a list of what to look for in a cybersecurity service provider and a questionnaire you can use to determine the cybersecurity services your business needs.

Download Now!

What Are the Benefits of Complying with DoD Security Standards like NIST 800-171 and CMMC?

Implementing new cybersecurity measures always has some cost attached to it. Even “free” security tools and training resources cost you time and effort to set them up. Effective security solutions may have a high price tag for licensing, installation, maintenance, etc.

With this in mind, what are the benefits of complying with security standards like NIST 800-171 and CMMC? A few basic business benefits include:

Preventing Potential Data Breaches

A data breach is an event where an unauthorized person gets access to sensitive data on a company’s systems or network. When these breaches are large enough, they can become industry headlines that expose the breached company to extensive public ridicule and possible sanctions from government agencies.

According to data from a study by IBM and the Ponemon Institute, the average cost of a data breach is around $3.86 million worldwide. In the USA, that average jumps to about $8.64 million per incident. So, if a company spends $1 million on cybersecurity and stops just one data breach, then they’re ahead by $2.86 to $7.64 million already.

Of course, this is just accounting for the direct costs of remediating a data breach. The indirect costs of a security breach, such as a loss of market share as customers look for alternative services that haven’t been breached by hackers, can massively inflate the impact of a breach.

Being able to prevent data security breaches is a major benefit of following cybersecurity guidelines. However, IT security may call for more than just basic IT compliance.

Getting Opportunities to Work with Government Contractors

Not every business that works with the government can do everything they need to internally.
Some contractors may need to work with other vendors to secure crucial supplies or to provide
extra services outside their normal expertise.

This creates opportunities for businesses to become subcontractors, creating valuable revenue streams and helping build connections with new clients. So, being compliant with NIST 800-171
or CMMC requirements can be useful.

Companies that work with government agencies and need to subcontract work or find vendors for critical supplies and services often prefer to work with companies that already meet compliance standards. This makes meeting compliance standards a key competitive advantage for earning business from government contractors and vendors.

Building a Reputation for Secure Business Practices

Even when not working for government agencies, some companies simply prefer to partner with vendors that have high-security standards.

Third-party vendors can be a crucial security gap. “Supply chain attacks” that target vendors to get at the businesses they serve are a well-known fact among cyber security-savvy organizations. So, they may have fairly stringent security requirements for their vendors to avoid such vulnerabilities.

Being able to demonstrate compliance with government-grade security requirements can be a key differentiator when dealing with security-conscious companies.

However, this benefit can extend to B2C companies as well as B2B companies. As information about cybersecurity breaches and cyber threats becomes more common, consumers may become more concerned with security. Such consumers may research a company’s cybersecurity practices and check for records of past breaches before making purchase decisions.

In this case, having a long track record of cyber safety could help earn the business
of concerned consumers.

For example, one study by Berkeley of consumers before and after being made aware of security flaws in popular products and apps showed that “consumers aware of the privacy flaws trust a company less.” In the study, consumers made aware of data privacy issues at Apple perceived the company as “significantly less trustworthy” immediately after the breach—though this perception faded somewhat when people were surveyed a year later.

Trust is one of the hardest resources to acquire, taking a long period of time to build through consistent action and success. However, it’s one of the easiest to lose with a single mistake.

The NIST 800-171 and CMMC Glossary of Terms

There are a lot of terms related to NIST 800-171 and CMMC that are important to know. Here are some of the most important terms and brief descriptions for each:

Controlled Unclassified Information (CUI)

CUI is defined by the Office of the Undersecretary of Defense Acquisition and Sustainment as:

“Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order.”

In other words, it’s information that isn’t considered classified under any specific government mandate but still needs to be protected from illicit access. This is often because CUI includes sensitive information that may be useful to foreign intelligence agencies.

Federal Contract Information (FCI)

FCI is a catch-all term for any information that the U.S. government provides
or generates under a contract that isn’t intended to be released to the public.

Personally Identifiable Information (PII)

A general term for any information that an organization stores or processes that can be used to identify an individual. Many data privacy standards reference PII and the need to protect it from illicit access.

If stolen, PII can be used to commit fraud that can be financially devastating—both for the organization whose data is stolen and the individuals identified through their PII.

Media

In cybersecurity and compliance circles, the word “media” carries a different meaning
from the usual. When mentioned in CMMC and NIST documentation, “media” typically is a reference to storage media, meaning assets like USB drives, hard disk drives (HDDs), solid-state drives (SSDs), CDs, DVDs, floppy disks—basically anything that can hold data on it for future retrieval.

Defense Federal Acquisition Regulation Supplement (DFARS)

A supplement to the Federal Acquisition Regulation (FAR) that is administered by the Department of Defense. According to the Federal Register, DFARS “contains requirements of the law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.”

As one of the security standards that the DoD administers, it is important for companies working with the DoD to meet DFARS requirements.

Defense Industrial Base (DIB)

The defense industrial base is the collection of all the businesses that participate in the national (or global) defense industry. Consisting of hundreds of thousands of companies, the DIB enables research and development for military weapons and IT systems, components, and parts as well as managing the supply chain for various military-related applications.

This is sometimes referred to as the national technology and industrial base (NTIB) when talking about both domestic and global portions of the DIB.

Companies within the DIB are often a target for espionage by foreign agencies looking to learn more about America’s defense industry and capabilities.

Advanced Persistent Threat (APT)

A specific category of cybersecurity threat that attempts to hide its presence in infected systems as it collects sensitive data to send off to an attacker. APTs are often defined by their difficulty to detect and their ability to steal a lot of information over a long period of time.

In some cases, APTs may go undetected for weeks or even months as they
infiltrate systems. This makes them extremely dangerous tools.

Request for Proposal (RFP)

A document issued by government agencies to try to get potential vendors to issue bids. This document generally includes various criteria for the project to be completed or work to be done so companies can generate a realistic bid.

Request for Information (RFI)

A document that requests information about a given industry that the government uses to inform its purchase decisions. This document is often used to gather info that is later used to generate a “request for proposal” document.  

Cybersecurity

A general term for the policies, procedures, and tools that an organization uses to protect its data from being stolen or lost. Strong cybersecurity helps protect businesses from modern cyber threats like phishing attacks, malware, APTs, ransomware, DDoS attacks, and the like.

Some cybersecurity tools, such as disaster recovery solutions, can also help prevent data loss from accidental deletions or damage to critical infrastructure.

Security Control

Security control is a tool, procedure, or another safeguard that helps an organization
to detect, avoid, counter, or minimize the impact of a security risk or threat.

The DoD and other government agencies may require businesses to use specific security controls to counteract or protect against certain cyber threats. For example, NIST 800-171 specifies the use of access controls to limit the types of transactions users, processes, and devices can make—and to verify identities before allowing transactions to take place.

Examples of security controls can range from firewalls to antimalware tools, security incident and event management (SIEM) software, employee security awareness training, multi-factor authentication (MFA), and more.

System Security Plan (SSP)

A system security plan is, as noted by SANS, used to “provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.” 

In other words, it’s a document that organizations use to describe their current and planned security tools, procedures, and role-based responsibilities for system users. An SSP can be an integral part of security compliance efforts.

Plan of Action and Milestones (POA&M)

A document that details specific tasks that need to be accomplished. It includes any resources required to accomplish the plan, specific milestones for different tasks, and scheduled completion dates. 

As noted in the FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide, “The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk-mitigation activities in accordance with the [cloud service provider’s] priorities.”

Supplier Performance Risk System (SPRS)

database meant for DoD acquisition agents that serve as “the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.”

SPRS supports acquisition professionals from the DoD by providing numerous pieces of information, including delivery scores and quality classifications, procurement risk data and assessments, company exclusion statuses, and the National Security System Restricted List, among other pieces of data.

Procurement Integrated Enterprise Environment (PIEE)

An enterprise procure-to-pay (P2P) application for the DoD and supporting agencies. PIEE provides a variety of features that help automate the procurement process, reduce risk, and promote collaboration. Some of these features include:

  • Purchase Request Data Standard (PRDS)-compliant tools for writing procurement requirements.
  • Tools for assisting with the award process for contracts.
  • Post-award administration functions.
  • Payment management tools.
  • Property management solutions.
  • The National Industrial Security Program (NISP) Contract Classification System (NCCS).
  • Reporting and document retrieval tools.
Microsoft Government Community Cloud

A government cloud service from Microsoft that is meant to “meet the unique and evolving requirements of the United States Federal, State, Local, and Tribal governments, as well as contractors holding or processing data on behalf of the US Government.”

Also referred to as Office 365 Government, this tool is an overlay for the regular Office 365 service that “supports the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a High Impact level.” Users are screened via background checks to help maintain security compliance standards.

Managed Service Provider (MSP)

An organization that provides managed IT services on the behalf of other people or companies. MSPs can assume responsibility for a variety of IT functions for an organization—often for a fraction of the cost of having to hire an IT team to do the same things internally.

The specific services provided may vary from one MSP to the next, so it’s important to ask MSPs what services they offer before entering into an agreement. When government contractors work with MSPs, the MSP will need to be compliant with CMMC and NIST 800-171 guidelines.

Managed Security Service Provider (MSSP)

Similar to an MSP, a managed security service provider offers outsourced services. However, their specific focus is typically on the monitoring, maintenance, and management of security tools, procedures, and systems.

MSSPs help organizations identify and close gaps in their security architecture to minimize data breach/loss risks, meet regulatory compliance standards, and keep security tools streamlined to reduce bloat that might interfere with business operations.

Department of Defense (DoD)

A department of the executive branch of the United States (and the largest U.S. government agency). The DoD’s mandate is to “provide the military forces needed to deter war and ensure our nation’s security.”

To this end, the Department of Defense works with numerous organizations to secure technologies, tools, and systems that enhance the effectiveness of America’s armed forces and can help prevent attacks against American interests.

Because of the sensitive nature of the DoD’s work, the department has enacted several data security standards, guidelines, and certifications that their contractors need to be compliant with.

Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))

The Office of the Secretary of Defense (OSD) is a part of the DoD that “is responsible for policy development, planning, resource management, and program evaluation” for the DoD. The Office
of the Under Secretary of Defense for Acquisition and Sustainment is a sub-department of this office specifically responsible for enabling the “Delivery and Sustainment of Secure and Resilient Capabilities to the Warfighter and International Partners Quickly and Cost-Effectively.”

The OUSD(A&S) worked alongside key stakeholders in the DoD and the defense industry to develop the CMMC framework. CMMC specifically helps to address key resiliency and safety goals held by the OUSD(A&S).

CMMC Accreditation Body (CMMC-AB)

The organization authorized by the DoD to “be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community.” If you want to achieve accreditation under CMMC, the CMMC-AB is the only DoD-approved and endorsed entity.

CMMC Third-Party Assessor Organization (C3PAO)

A C3PAO is an organization or individual that is authorized by the CMMC-AB to deliver CMMC assessments. C3PAOs need to apply for certification, a process that includes signing a license agreement, passing a background check, and passing at least a level 3 certification under CMMC standards.

National Institute of Standards and Technology (NIST)

An agency within the U.S. Department of Commerce that promotes technology and innovation that helps keep U.S. businesses competitive. It is also one of the USA’s “oldest physical science laboratories,” being founded in 1901.

The NIST often releases special publications that provide guidelines for ensuring basic cybersecurity protections in an ever-evolving threat environment. Examples include NIST 800-171 and NIST 800-53.

48 CFR 52.204-21

A rule within the Code of Federal Regulations (CFR) that is concerned with the “basic safeguarding of covered contractor information systems.” 48 CFR 52.204-21 calls on government contractors to meet 15 distinct security requirements and controls:

  1. Limit information system access to authorized users, processes acting on behalf of users, or devices;
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
  3. Verify and control/limit connections to and use of external information systems;
  4. Control information posted or processed on publicly accessible information systems;
  5. Identify information system users, processes acting on behalf of users, or devices;
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices;
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
  12. Identify, report, and correct information and information system flaws in a timely manner;
  13. Provide protection from malicious code at appropriate locations within organizational information systems;
  14. Update malicious code protection mechanisms when new releases are available; and
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These security requirements are in addition to any other security rules that the contractor may be subject to. In other words, if your contract requires you to meet NIST 800-171 and CMMC, 48 CFR 52.204-21 doesn’t replace those requirements—you have to meet them all.

NIST 800-53

A document published by NIST defining a list of security controls for protecting sensitive information. As the Revision 5 version of the document states, NIST 800-53 “represents a multi-year effort to develop the next generation of security and privacy controls that will be needed” to accomplish objectives like making information systems more penetration-resistant and limiting the damage from cyberattacks.

NIST 800-53 defines 20 different families for security and privacy control:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Assessment, Authorization, and Monitoring (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • PII Processing and Transparency (PT)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

If you compare this to NIST 800-171 and CMMC, you may notice significant overlap since these publications use many of the same security families. However, NIST 800-53 specifies some families for topics not found in 800-171 or CMMC.

ISO 27001

A publication from the International Organization for Standardization (ISO), an organization that is often associated with quality and process management standards like the ISO 9000 series of publications. ISO/IEC 27001 provides requirements for an information security management system (ISMS) to help organizations protect sensitive information.

Although not specific to government security requirements, ISO 27001 standards can help businesses meet certain NIST and CMMC requirements.

ISO 27032

A security guidance document from ISO that is more specifically tailored to cybersecurity. The ISO 27032 document provides an overview of cybersecurity, how it relates to other types of security, and a framework for resolving key cybersecurity issues.

 

The CMMC Framework

The CMMC framework consists of 17 “domains” (which are similar to the “families” used by NIST 800-171) across five separate levels of maturity.

The 17 Domains of the Cybersecurity Maturity Model Certification

Each of the 17 CMMC domains has a specific set of “capabilities” that an organization needs to demonstrate to satisfy them. The 17 domains and requisite capabilities for each are:

Domain

Capability

Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users/process/devices

Asset Management (AM)

  • Identify and document assets

Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

Identification and Authentication (IA)

  • Grant access to authenticated entities

Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared event
  • Perform post-incident reviews
  • Test incident response

Maintenance (MA)

  • Manage and maintain IT assets and security tools

Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

Personnel Security (PS)

  • Perform screening of personnel to assess potential risks
  • Protect CUI during “personnel actions” like firing employees or moving them to new departments

Physical Protection (PE)

  • Limit physical access to storage media

Recovery (RE)

  • Manage backups of important data

Risk Management (RM)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

Situational Awareness (SA)

  • Implement threat monitoring solutions (such as SIEM)

Systems and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections

Of the 43 capabilities listed in the table, many can be further subdivided into specific practices that contribute to the organization’s overall cybersecurity matureness level.

From Basic Performance to Optimization: The Five Levels of CMMC

CMMC processes and practices can be divided into five levels going from simply having “performed” some basic cybersecurity hygiene at the bottom of the pyramid to “optimizing” advanced or progressive cybersecurity measures at the top.

Here’s a graphic from the OUSD(A&C) document on CMMC to illustrate:

ousd-graphic

 

Each “level” of CMMC has a different focus:

  • Level 1. This level focuses on safeguarding FCI
  • Level 2. This is a transitional level in progressing towards
    the
    cybersecurity maturity needed to protect CUI
  • Level 3. Protecting CUI
  • Levels 4 and 5. Protecting CUI and reducing risk from APTs
About Level 1 CMMC Maturity

An organization at level 1 of the CMMC model may be dealing with cyber threats and
risks in an ad-hoc, undocumented manner. Additionally, their safeguards consist of
only the most basic tools and practices from 48 CFR 52.204-21. So, process maturity
isn’t really assessed for level 1 organizations.

About Level 2 CMMC Maturity

At level 2, organizations have documented practices and policies for achieving
cybersecurity maturity. The practices used for level 2 contain a part of the
practices from NIST 800-171 and other standards to protect CUI.

About Level 3 CMMC Maturity

To achieve level 3 maturity, organizations need to establish and maintain a plan showing how they manage security practices for CMMC implementation. It requires following all of the security requirements of NIST 800-171 to mitigate threats.

About Level 4 CMMC Maturity

At level 4, organizations need to review and measure the effectiveness of their security controls and practices. This level focuses on dealing with APTs and protecting CUI from these threats—which
entails using sophisticated threat detection tools like SIEM. It also means adapting to
ever-changing threat techniques and tactics.

About Level 5 CMMC Maturity

An extension of the level 4 processes for reviewing, level 5 requires organizations
to standardize and optimize their implementation of improved security processes.
Organizations at level 5 maturity have deep and sophisticated security and the
documented processes to show it.

How Many Practices Do I Need to Meet at Each Level?

Each level of CMMC maturity has an increasing number of security practices
that organizations must meet to satisfy.

  • Level 1: 17 Practices
  • Level 2: 72 Practices
  • Level 3: 130 Practices
  • Level 4: 156 Practices
  • Level 5: 171 Practices

How to Achieve a CMMC Certification

If you're wondering how to become a CMMC independent contractor or CMMC-certified organization, the process is relatively simple, thought time-consuming.

SXIcon_Trophy

Step 1: Set Your CMMC Level Goal

First, determine what level of CMMC you want to certify for. The higher the level of certification you achieve, the more sensitive the type of work the DoD and other government agencies can entrust to you. This may mean being able to bid on work with relatively few competitors or bidding on higher-value contracts because of a limited selection of competitors.

However, aiming for higher-level certifications may also mean having to do more work to set up your cybersecurity measures.

SXIcon_Form

Step 2: Assess your Current Cybersecurity Processes and Identify Gaps

After setting your CMMC maturity goal, take some time to run a gap analysis of your current cybersecurity processes and tools to compare them to your goal. This gap analysis can help you determine what specific improvements you need to make to line up with the security practices needed for cybersecurity maturity certification and help you identify the most efficient way to close any gaps.

It’s important to conduct this analysis before contacting a CMMC accreditation body or a C3PAO. Otherwise, you may not be able to make the required changes in time for the C3PAO’s assessment.

SXIcon_Clipboard

Step 3: Make Changes (and Document Them)

After recording any gaps between your current cybersecurity procedures and your desired CMMC level, implement changes to address those gaps. If not already in place, create a process for documenting those changes, their implementation, and projected/actual impacts.

This documentation can prove to be incredibly useful for proving compliance with CMMC standards (and other data security standards).

SXIcon_Calendar

Step 4: Schedule an Assessment

Go to the CMMC-AB’s marketplace to find an available C3PAO.
From there, the C3PAO will schedule an assessment with one
of their certified assessors.

While waiting for the assessment, it can help to re-review security
controls in the organization and set up a plan for further improvements.

SXIcon_Certificate

Step 5: Complete and Finalize the Assessment

Once the assessment has been completed, the CMMC-AB will review it with their quality auditors to identify any potential deficiencies in the assessment. After receiving the assessment, you will have 90 days to resolve any issues that
the C3PAO or the CMMC-AB have found.

Following the resolution of any issues, you can receive your certification from the CMMC Accreditation Body.

Tips for Meeting NIST 800-171 and CMMC Compliance Standards

Meeting CMMC standards for the higher levels of implementation can be a challenge—especially since they mean meeting compliance requirements for a variety of security standards like NIST 800-171, 48 CFR 52.204-21, ISO 27001, and others.

Some basic tips for meeting CMMC and NIST compliance requirements include:

Check for Security Tools to Meet Multiple Compliance Standards

There is a lot of overlap between the different parts of NIST 800-171 and CMMC. For example, access control (AC) and identification and authentication (IA) both require organizations to have security tools for identifying users so access can be restricted to authorized personnel.

Finding tools that help verify identities, such as multi-factor authentication tools,
can help satisfy both standards.

Asset management tools can be helpful for more than just the AM section of CMMC as well. With a comprehensive list of assets, organizations can identify security gaps and risks more easily. It’s also necessary to have a complete inventory of IT assets to make monitoring solutions more effective, since gaps in the inventory list may mean that some assets won’t be protected correctly.

 

Conduct Periodic Self-Assessments (Even after Getting Certified)

A CMMC certification isn’t a “one and done” event. It’s a continuous cycle of managing cybersecurity controls, finding gaps, identifying threats, and implementing fixes that minimize risk.

After all, cyber threats are constantly evolving. No security system, regardless of how good it is, will be 100% future-proof. There’s always a new threat just around the corner to surprise the unwary.

So, conducting periodic self-assessments is a must for staying at the top level of CMMC maturity.

Consider Partnering with an MSSP

Becoming CMMC-compliant can be a complicated and difficult process. This is especially true if you’re trying for a higher-level certification. Achieving level 5 requires following 171 different practices.
If any single element is missing from your cybersecurity strategy, you might miss the level of certification you’re aiming for.

So, working with a managed security service provider can be immensely useful. Why? Because MSSPs often have extensive cybersecurity expertise available to them that can help you identify and close critical security gaps. By closing these gaps, you can bring your organization one step closer to CMMC certification.

Additionally, MSSPs may be able to recommend tools and solutions that allow you to satisfy multiple CMMC and NIST guidelines at once—streamlining security processes and tools to reduce bloat while improving safety and security for sensitive information.

Document Everything for CMMC Compliance!

One of the most important things to do for any government-related process is to document everything that you can. C3PAOs will want to review your written processes and records as a part of their maturity assessment.

Documenting processes also make it easier to onboard new employees and make sure that they’re
up to speed with your company’s security requirements. If your processes and procedures are documented, then you can introduce new hires to them and keep every person to a
consistent and fair standard.

Besides, if you use a security control for a particular CMMC guideline, but don’t have any documentation to show for it, the DoD and other agencies aren’t likely to take it on faith.
They won’t know how the control is being used or if it is being applied consistently.

 

Preparing for the Future of CMMC

As of the time of this writing, CMMC is still in version 1.0. However, considering the ever-evolving nature of cybersecurity threats, it is all too likely that this standard will be revised at some point in the future. The specific nature of these revisions is impossible to predict, but they are likely to require organizations that do the “bare minimum” to make frequent changes to satisfy new standards.

So, one of the best things any organization can do is to go above and beyond the minimum requirements for CMMC compliance and use protections that exceed the DoD’s suggestions. This not only helps ensure compliance with standards beyond CMMC, it can also help businesses protect themselves from new cyber threats.

 

 

 

Need help with your
NIST 800-171 or CMMC Certification?

Reach out to the team at Systems X to get started!

Contact Us