Prior to the arrival of the CMMC, defense contractors were required to self- certify that they follow cybersecurity best practices. The CMMC abolishes the self-certification model and, instead, introduces the requirement for DoD contractors to pass a DoD CMMC audit performed by a C3PAO.
Because it can take a lot of time and work to prepare for a CMMC audit, the CMMC Accreditation Body (CMMC-AB) advises contractors to start preparing for it at least six months in advance, depending on their current cybersecurity readiness and resources.
STEP 1: START WITH A READINESS ASSESSMENT AND GAP ANALYSIS
The CMMC combines and improves upon multiple previous cybersecurity standards, such as NIST 800-171, so it’s very likely that many DoD contractors already have most of the work required to achieve one of the lower CMMC maturity levels.
The goal of a readiness assessment is to provide a detailed inventory of information technology systems, how data flows through them, how data is stored, who is responsible for the implementation and enforcement of incident response plans, and so on.
This information is then used to perform a comprehensive gap analysis in order to pinpoint what needs to be done to move from the current state to the desired future state. A gap analysis plays an essential role in helping DoD contractors prepare for a CMMC audit because it identifies risks, reveals the cost of remedial steps, and helps prioritize their order.
STEP 2: CREATING A REMEDIATION PLAN AND RESOLVING THE GAPS
Once all cybersecurity gaps have been identified, they must be resolved according to a remediation plan, which is an actionable plan that lists all activities necessary to resolve security issues in the order they should be performed.
The remediation plan should describe how the cybersecurity gaps were uncovered and quantify the risk they represent. A timeline should be provided to help ensure the remediation doesn’t take too long, and estimated remediation costs should be included to avoid budget overruns.
CMMC abolishes the one-size-fits-all approach to cybersecurity by mapping security controls to one of five maturity levels. In the CMMC model, you would not be required to cover 100 percent of the NIST 800-171 controls until you reached the third cybersecurity maturity level. This way, contractors that represent minimal risk can certify only to one of the two lower levels, whose requirements are easier to achieve.
STEP 3: ONGOING MONITORING AND REPORTING
The Department of Defense expects contractors to monitor their systems on an ongoing basis and report any incidents they detect. For large contractors with a wealth of resources and plenty of cybersecurity experience with specialized cybersecurity monitoring tools, this last step won’t be too much of a challenge. Smaller contractors, on the other hand, may find it to be the most difficult step of the three.
Such contractors are often unable to do everything in-house without losing focus on their core business and maintaining the quality of service that has helped them secure a government contract in the first place. Fortunately, they can outsource cybersecurity monitoring—and all other activities associated with CMMC audits, for that matter—to a Managed Security Service Provider (MSSP).
A partnership with an experienced MSSP allows DoD contractors to get the expertise they require without stretching themselves too thin, and it typically results in substantial time and cost savings compared with the in-house approach, making it the best way to prepare for a CMMC audit.
GET STARTED ON YOUR CCMC AUDIT
Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.
