When we think of organizations seeking certification (OSCs) sitting down to look at the requirements proposed in the Cybersecurity Maturity Model Certification (CMMC), there are two types of reactions.
First, it’s not knowing where to start. They’ll look at a list of requirements that contain letters and numbers that seem like a foreign language.
Second, there are the more advanced businesses that house controls in an Excel file. That’s great but it also means they spend eight hours a day looking up different standards to figure out what controls they meet or don’t.
Either reaction feels like a lose-lose. Yet, a lot of the time all that’s required is a little help.
Enter this checklist. Its intention is to help both categories of reactions as a road map to follow.
Understand The Length of The Journey
Federal Acquisition Regulation (FAR) 52.204-21 details the 17 requirements for a Maturity Level 1 certification. Maturity Level 2 builds on the FAR requirements and adds the 110 practices from NIST SP 800-171 Revision 2.
These existing requirements describe exactly what you need to do as a contractor for CMMC 2.0.
But, how long will it take your organization to take this journey?
That depends on where you’re starting from and what maturity level you’re seeking. But, generally speaking, plan on 12 to 18 months to go through the entire process from start to finish.
Some of the first Certified 3rd Party Organizations (C3PAO) that hold their own CMMC Level 2 started their certification journey back in early 2020. They only recently received their maturity level designation, in mid-2021.
In other words, before you start anything else, you need to prepare yourself for how long the CMMC compliance process will take.
Identify Internal Stakeholders
Most small to medium-sized organizations will have at least 3 to 5 primary stakeholders who will be driving this initiative…
Executive Sponsor: provides proper oversight, execution and maintenance of activities and funding.
The Information Technology and Information Security Department: has the largest responsibilities but it’s helpful to pull in resources from legal, administrative, human resources and physical security teams.
If your team is light on internal resources, it may be beneficial early in the process to identify a registered provider organization (RPO).
RPOs have the required knowledge to assist in the early stages of preparing your organization.
Determine Desired Maturity Level
Contractors providing commercial off-the-shelf (COTS) products and services won’t need CMMC certification. This holds true as long as the product or service isn’t modified from the commercial version in any way.
Contractors who receive Federal Contract Information (FCI) must achieve Maturity Level 1.
Prime and subcontractors receiving CUI need to receive a Maturity Level 2 certification.
The initial plan for implementing CMMC called for a phased, multi-year roll-out. Each year the number of contracts with CMMC requirements would increase. The DoD projected these increases would continue through 2025, or until all solicitations contained CMMC requirements. Prime contractors must hold their CMMC certification before a contract is awarded, and subcontractors and suppliers must hold theirs before a prime can flow CUI down to them.
DoD projected that during the first year of implementation, there will only be 15 prime contracts with CMMC requirements. That's only approximately 1,500 contracts within the defense supply chain.
The DoD estimates the number of contracts with CMMC requirements will grow to…
75 in year 2
250 in year 3
479 in year 4
All Solicitations by year 5
Identify Where FCI & CUI Exists
The scope of where CUI and FCI exist encompasses the people, processes and technologies that store, process or transmit sensitive data.
Network segmentation reduces the scope in two ways…
Isolation by blocking logical access
Controlled access by traffic type or the direction of an initiated connection
Successful network segmentation creates a secure enclave, separating the secure data environment from everything outside the perimeter. It also defines how you control anything going in and out of that boundary.
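As an added illustration of the two segmentation mechanisms above (not part of the original article or any named product), here is a minimal nftables boundary ruleset for a CUI enclave. It assumes a Linux gateway with the enclave on interface eth1 (10.20.0.0/24) and the corporate network on eth0; those names and addresses are constructed for the example.

```nft
#!/usr/sbin/nft -f
# Added example boundary policy for a CUI enclave; interface names and the
# 10.20.0.0/24 range are assumptions, not values from the article.
flush ruleset

table inet enclave {
    chain forward {
        # Isolation: nothing crosses the boundary unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Controlled access by direction: only replies to connections that the
        # enclave itself initiated are allowed back in.
        ct state established,related accept

        # Controlled access by traffic type: enclave hosts may reach outside
        # services only on the named ports (HTTPS and DNS here).
        iifname "eth1" oifname "eth0" ip saddr 10.20.0.0/24 tcp dport 443 accept
        iifname "eth1" oifname "eth0" ip saddr 10.20.0.0/24 udp dport 53 accept

        # Nobody outside may open a new connection into the enclave; the log
        # line doubles as objective evidence of the control for an assessor.
        iifname "eth0" oifname "eth1" ct state new log prefix "enclave-drop: " drop
    }
}
```

The logged drops are the kind of artifact an assessor can review alongside the network diagram to confirm the perimeter has no holes.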
If you haven’t already identified the people, processes and technologies that influence the security of FCI and CUI, you should.
In other words, you should start by creating logical network and data-flow diagrams. These help…
Identify the people or groups
Inventory the processes
Document the systems that are within the security perimeter
The Unified Scoping Guide for sensitive and regulated data published a model that identified eight zones for compliance purposes.
It also includes a decision tree that provides a logical walk-through to determine if an asset is in scope or not.
Build an Environment
Your assessor will likely want to see a clearly defined secure enclave and controls to ensure that there aren’t any holes within the perimeter.
If you intend on using an external cloud service provider, they should meet the FedRAMP moderate baseline and meet the requirements under DFARS 7012 [paragraph D].
Consider using virtual desktop environments. These keep sensitive data in the cloud and define controls associated with access to the environment.
Identify Gaps
If your organization needs at least a Maturity Level 1 certification, FAR 52.204-21 lists 15 controls. For each of those controls, you’ll need to provide evidence that proves you’re performing the related practices. The 15 FAR controls align to 17 practices in NIST 800-171, with FAR requirement 10 splitting into three separate NIST practices.
For a Maturity Level 2 certification, the number of controls jumps to 110. However, NIST 800-171 also requires documentation for policies and processes for each of the 17 domains. Non-federal organizations must also perform the 37 NFO practices listed in Appendix E.
As you work through the list of practices provided within NIST SP 800-171 Revision 2, the scope will include the stakeholders who own these controls.
It will also include…
Those who contribute to or operate the controls
The processes to which the controls apply
The technology solutions that store, process or transmit the sensitive data
A contractor must prove habitual and persistent behaviors, not just the deployment of specific tools. Six months is a good benchmark for demonstrating that a control has been institutionalized.
The NIST SP 800-171A Assessment Guide provides some clarification for each practice. If you still have questions, you can look toward the references.
Assessors will look at two of the three forms of evidence (documentation, interviews, and testing) to determine sufficient adoption for each practice.
You should have your documentation collected and organized well in advance of scheduling your assessment. Doing so helps you in two main ways.
First, it helps the OSCs understand if they’re compliant with the controls required. Going through each practice and gathering the documentation is the easiest way to conduct an internal gap analysis.
Using a tool like K2 Compliance can help provide OSCs with a roadmap. With it, they can see the controls for each Maturity Level and how many practices are currently documented and performed.
Second, managing versions of these documents in a centralized repository helps. Specifically, it assists in demonstrating process maturity to the assessment team. Process maturity requires more than just documenting policies and practices.
They also have to become a part of the company’s culture. An easy way to demonstrate this would be to capture positive indicators, such as…
The creation date for the policies and procedures
Information on any updates
How the organization communicated each
Lastly, as your organization moves from the gap analysis step to the formal assessment, making objective evidence available to the C3PAO helps reduce costs.
A variety of factors, including duration, staffing, scope, etc. influence the cost of a C3PAO assessment.
The duration of the assessment will vary based on a variety of factors, including how well the OSC has performed its pre-assessment readiness review.
By providing documentation in advance to the C3PAO, you're saving time. The assessment team won’t need to spend valuable time onsite waiting for documents and this should lower the assessment costs.
Perform a Mock Assessment
Once you’ve completed the gap analysis, it is helpful to hire a service provider organization listed in the CMMC Marketplace solely to conduct a mock assessment.
A mock assessment tries to achieve multiple purposes…
Have a trained consultant look at the documentation prepared during the gap analysis.
Conduct interviews or test systems to validate that the OSC meets the requirements set forth by the Maturity Level certification assessment.
It’s important to note that if a registered C3PAO consultant provides any consulting services, it can’t conduct the certification assessment.
Consider The Supply Chain
Much of the focus on CMMC has been on OSCs, preparing for and passing their own certification. However, prime contractors must “flow down” CMMC requirements to all subcontractors.
As I mentioned earlier, many organizations have a long road ahead of them to reach compliance.
Yet, the biggest challenge with CMMC is a rule placed on prime contractors. They must manage the risk of subcontractors in their supply chain. That’s a huge undertaking that may require more time than is available before FY 2026.
Conclusion
To stay ahead of any CMMC surprises, many prime contractors are taking measures to ensure compliance now. They're making sure that their essential subcontractors devote resources to achieve compliance.
Perhaps this is the biggest use case for a solution like K2 compliance.
With it, not only can leadership see a dashboard of their own compliance progress, but they'll be able to see the progress of their supply chain partners' certification preparedness as well.
Thus, prime contractors will have better data to forecast supply chain certifications.
Organizations should identify the roles assigned to each statement within the policy. Mapping policy commitments to requirements and roles creates a shared responsibility matrix.