CMMC is coming in 2021. Take care of these five steps on your compliance checklist to get ready.
Governmental data around the world has been under increasing attack from threat actors. Look no further than the stunning SolarWinds supply chain attack in late 2020 to see just how determined, sophisticated, and subtle these hackers can be. It’s no surprise that governments, including the U.S., are responding to cybersecurity threats with increased regulations.
While organizations may be aware of long-standing frameworks and certifications such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA), there is a new regulation on the block that has organizations of all sizes asking questions: the Cybersecurity Maturity Model Certification (CMMC).
Since the U.S. Department of Defense (DoD) shared the initial draft in early 2020, organizations have been working to understand CMMC, the five levels of the framework, and how it applies to their businesses. For organizations not familiar with federal frameworks, CMMC can be a head-scratcher, even with the official CMMC FAQ.
While many questions have yet to be answered and the final framework is not expected until later in 2021, organizations can create a CMMC compliance checklist and prepare for the final rule. Not only can they, but they should—because CMMC will require full compliance at the time of submission. Organizations preparing for CMMC have little wiggle room for error. Read on to get prepared.
1. Assess Your CUI
One of the best things you can do to prepare for CMMC is understand your data and identify which data is subject to CMMC.
The CMMC model is intended to cover controlled unclassified information (CUI) in non-federal IT systems. Per the National Archives, CUI covers a multitude of different types of information, such as:
- Sensitive intelligence information
- Patents and other intellectual property
- Tax-related information
- Information related to legal actions and law enforcement
- And much more
The CMMC’s focus on CUI in non-federal systems is a crucial distinction, as many organizations have pre-existing certifications such as FedRAMP and FISMA, and, as such, their systems (or parts of their systems) may be classified as federal.
2. Leverage other Federal Frameworks
The CMMC program is exploring the possibility of reciprocity with other frameworks. However, this concept is still in the preliminary stages of discussion, and organizations can’t assume that compliance with existing frameworks or regulations will be accepted in lieu of CMMC.
That said, organizations seeking CMMC certification should consider how best to leverage existing frameworks. CMMC was developed from various other existing frameworks, and there is overlap between its criteria and that of others, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), several NIST special publications, the CERT Resilience Management Model (RMM), and more. Due to the complex nature of CUI and IT systems, leveraging and complying with existing cybersecurity frameworks can give a leg up to organizations.
Some of the certifications that could ease the transition to CMMC in part or in whole are:
- ISO 27001: A rigorous international framework focused on ensuring that organizations manage information with best practices and industry standards.
- FISMA: A U.S. law that regulates how U.S. federal agencies (and the organizations that work with them) securely manage and process data.
- Risk Management Framework (RMF): Published by NIST, the RMF is designed to help organizations implement the controls and processes necessary to manage their risk when handling federal data.
- FedRAMP: A domain-specific application of the RMF, FedRAMP is a U.S. program targeted at cybersecurity for cloud service providers that work with U.S. federal agencies.
- NIST Special Publication 800-171 (NIST SP 800-171): A special publication that specifically details the guidelines for managing CUI in non-federal IT systems (more on this below).
3. Read the CMMC Appendices and Assessment Guides
The DoD has been consistent from early on in its CMMC framework and appendices. Reviewing these documents should be one of the first stops on your CMMC compliance checklist, as they are one of the best sources for understanding:
- Which controls CMMC establishes
- The intent of each control
- How controls are defined
Additionally, the DoD has provided assessment guides to understand the five levels of CMMC. Each assessment guide explains the criteria for assessment, various controls and practices that will be assessed, and more.
4. Complete NIST Special Publication 800-171
Beyond CMMC, there is an existing publication that addresses the use of CUI in non-federal IT systems: NIST Special Publication 800-171 (NIST SP 800-171).
For organizations planning to seek CMMC Level 3 compliance, adhering to NIST SP 800-171 offers a head start. By complying with NIST SP 800-171, organizations will already have satisfied 110 of the controls covered by CMMC. As CMMC Level 3 includes only 20 more controls than SP 800-171, organizations would only need to add a handful of further controls to be Level 3 compliant.
This step on your CMMC compliance checklist may, in fact, be mandatory for your organization. Via the updated Defense Federal Acquisition Regulation Supplement (DFARS) 7012 clause, the DoD requires organizations to prove NIST SP 800-171 compliance for any new contracts, as a means of easing the transition to CMMC in the coming years.
Regardless of whether your organization is seeking a new contract or just working toward becoming CMMC-ready, NIST SP 800-171 is a good interim step toward this new rule.
5. Find the Right Partners
CMMC certification must be completed through a certified CMMC Third-Party Assessment Organization (C3PAO). As with most audits, finding the right firm is paramount. And a good firm will be more than a vendor; it will be a partner.
Many of the certifications and ATOs you pursue will interact with CMMC in various ways, and the right long-term partner can help you pursue a smart strategy to address your compliance needs and goals. For example, at A-LIGN, we worked with our client Aires to streamline their audits and get ready for CMMC.
A good auditing firm will be paying close attention to CMMC right now, attending the CMMC-AB town halls, and becoming a CMMC expert. Before the final rule comes down in 2021, find a partner who can help you prepare, guide you through the process, and keep you updated on CMMC news.
Start Your CMMC Compliance Checklist Today
Getting started with CMMC may seem daunting; this is a new framework, and there are many unanswered questions. However, organizations can make a CMMC compliance checklist and tick off several steps in the meantime to prepare. By understanding the use of CUI internally, implementing controls ahead of time, and more, organizations can face the final rule in 2021 with confidence.