CMMC Compliance: An Overview
September 12, 2022
The US Department of Defense has about 300 high-value datasets available to the general public. Hundreds more are only accessible to authorized users, and many of those users are contractors that handle government information they are only permitted to receive once they have shown they can protect it.
This is where CMMC compliance comes into play. Read on to learn the basics of CMMC, the levels of certification, what businesses need to consider these standards, and how you can get certified ASAP.
What Is CMMC Compliance?
Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and certification program run by the Department of Defense (DoD). It verifies that a contractor has implemented the safeguards required for the data it handles under DoD contracts: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC applies to unclassified data. Classified information is governed by a separate regime (facility and personnel clearances under the NISPOM), so a CMMC level is not a security clearance and does not grant access to classified material. What CMMC covers is the unclassified but sensitive information, such as controlled technical data and export-controlled information, that flows from DoD to prime contractors and down to their subcontractors.
At its core, CMMC is a standardized way to measure the cybersecurity posture of a company. An assessor looks at whether the company has actually implemented the required practices, whether it can keep them in place, and whether it follows recognized best practices to secure and protect data.
Some things that CMMC assessors look into include:
- Preventive measures used to manage cybersecurity (asset and data tracking, boundary protection such as firewalls, multifactor authentication)
- Response strategies for security incidents and breaches (incident handling, backups, disaster recovery)
- How far the practices are institutionalized (documented, resourced, and routinely followed rather than performed ad hoc)
- Whether media sanitization and data destruction standards are met
Most companies that require CMMC certification are DoD prime contractors. Subcontractors that never deal with government officials directly still need it if FCI or CUI flows down to them through the contract. A subcontractor that receives only FCI, and no CUI, needs Level 1 rather than Level 2 or Level 3.
The Levels of CMMC
There are multiple levels of CMMC certification that businesses can attain. In the past, there were 5 levels:
- Level 1: Basic cyber hygiene
- Level 2: Intermediate cyber hygiene
- Level 3: Good cyber hygiene
- Level 4: Proactive
- Level 5: Advanced/Progressive
These 5 levels constituted the CMMC 1.0 model. It was hyperspecific, and assessment was difficult because of the number of tiers and the fine distinctions between them.
As of 2022, this model is being retired. DoD announced CMMC 2.0 in November 2021, consolidating the program into 3 levels that align directly with existing federal requirements (FAR 52.204-21 and NIST SP 800-171/172). This shift makes assessing and testing CMMC compliance much simpler.
DoD's projected timeline at the time of writing puts the rulemaking and start of implementation in 2023, so companies should know what to expect from future assessments. Do not prepare for your next assessment against the CMMC 1.0 model. It is outdated and will not match what either a self-assessment or a third-party assessment measures.
Level 1: Foundational
To achieve foundational compliance, an organization must implement the 15 basic safeguarding requirements of FAR 52.204-21, which CMMC expresses as 17 practices drawn from NIST SP 800-171. Level 1 applies to contractors that handle only FCI and no CUI.
NIST SP 800-171 itself is not a contracting regulation. It is the NIST standard for protecting the confidentiality of CUI on nonfederal systems; DFARS 252.204-7012 is the contract clause that obliges DoD contractors to implement it.
To achieve Level 1, an enterprise performs a self-assessment once per year, and a senior company official affirms the result. Annual re-evaluation means that those who work with DoD data are measured against current requirements rather than an assessment that may be years stale.
Level 2: Advanced
Companies seeking Level 2 compliance need to meet all 110 practices of NIST SP 800-171. For some contracts, DoD allows the same annual self-assessment and affirmation used at Level 1.
For contracts involving CUI that DoD considers critical to national security, Level 2 instead requires a third-party assessment once every 3 years, with an annual affirmation in between.
These third parties are not government bodies. They are CMMC Third-Party Assessment Organizations (C3PAOs), accredited by the CMMC Accreditation Body, and their assessors are trained on the CMMC assessment guides, the NIST SP 800-171A assessment methods, and the scoping rules that decide which systems are in bounds.
Level 3: Expert
Expert compliance is the top level of CMMC. It builds on Level 2: all 110 practices of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172, which are aimed at advanced persistent threats.
Unlike the lower levels, Level 3 requires a government-led assessment, conducted by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This must be repeated every 3 years, with an annual affirmation, if you want to remain eligible for contracts that carry the Level 3 requirement.
Luckily, there are several online tools that you can use to score yourself against the practices before these assessment windows. Applying for a membership with NSTXL gives you access to self-scoring resources. It also gives you the chance to ask questions about your certification status and compliance strategy.
What Level of CMMC Must Your Organization Attain?
The level you need depends on the kind of DoD information your contract gives you, not on how much of it you handle.
Some enterprises only receive FCI, the non-public information generated for or provided under a contract (pricing, delivery schedules, routine correspondence). In these cases they need Level 1. Note that any DoD contract involving FCI or CUI requires some level of certification, even if the data is low-sensitivity.
If you handle CUI, you are going to need Level 2 or Level 3. Most organizations that work with DoD data aim for Level 2. It is the standard for CUI, but it is not always sufficient.
If you handle CUI on DoD's highest-priority programs, where advanced persistent threats are the concern, you are going to need Level 3. Classified information such as military intelligence is outside CMMC entirely and requires a facility clearance instead. The bottom line is that the requirements are determined by your contract and the data it puts in your hands.
How Do Companies Get CMMC Certified?
The CMMC certification process depends on the level you are seeking. For Level 1, you conduct a self-assessment. Some Level 2 contracts also permit self-assessment.
The self-assessment process requires that you:
- Identify the systems, people, and facilities in scope: everything that stores, processes, or transmits FCI or CUI
- Evaluate every required practice (17 at Level 1, 110 at Level 2) against its assessment objectives, using the NIST SP 800-171A methods of examining artifacts, interviewing staff, and testing the control
- Record the result for each practice and keep the supporting evidence on file
- Submit the result to DoD's Supplier Performance Risk System (SPRS) and have a senior official affirm it annually
- For practices not yet met, maintain a Plan of Action and Milestones (POA&M) with owners and dates, within the limits DoD sets for the level (Level 1 does not permit open POA&M items)
Level 2 contracts involving prioritized CUI, and all Level 3 contracts, require an independent assessment.
Third-Party Assessment Procedure
The assessor works from a set of assessment objectives for each practice, taken from NIST SP 800-171A. Each objective is a determination statement, a yes/no question (for example, whether authorized users are identified, or whether remote access sessions are encrypted) that spells out what must be true for the practice to count as met.
In the most basic terms, they are the checklist the assessor scores against, and your documentation of each control should be organized to answer them.
Each objective is checked against assessment objects: specifications (policies, plans, procedures), mechanisms (hardware and software configurations), activities (processes and operations), and individuals. You gather this evidence before the assessment and present it to the assessor.
The assessor will then:
- Examine your assessment objects to ensure that they are in place
- Interview people about the behaviors that they engage in when dealing with controlled unclassified information (CUI)
- Test how the cybersecurity system responds by triggering/demonstrating a control
Each control will then be recorded as met, not met, or not applicable.
Locate Controlled Unclassified Information
The first step of the CMMC assessment process is to figure out what data you are protecting. If you have to keep CUI safe, you will need to establish:
- Exactly where it is stored (servers, file shares, SaaS tenants, laptops, backups)
- Where it is processed and transmitted (applications, email, file transfer paths)
- Who and what can reach it (users, service accounts, managed service providers)
Guesswork is not sufficient when answering these questions. This sounds simple, but many enterprises are unsure of where data is stored in their network.
To locate CUI, first understand what you are looking for. CUI is information the government creates or possesses that a law, regulation, or government-wide policy requires to be safeguarded. The categories are listed in the NARA CUI Registry, and under a DoD contract the data should arrive marked (for example with a CUI//SP-CTI banner) or be identified in the contract. Common examples in the defense supply chain include:
- Controlled technical information: drawings, specifications, test data, and source code for defense articles
- Export-controlled information (ITAR/EAR)
- Certain privacy or personnel information, when the contract designates it as CUI
Contract prices, purchase order numbers, and similar business records are usually FCI rather than CUI. They still need Level 1 protection, but they do not expand your CUI scope.
Build an inventory of where each item lives rather than copying it into a new location, since every copy enlarges the boundary you have to defend and have assessed.
After finding all CUI within your network, it’s important that you set the scope for compliance. This means identifying the areas where you need to increase your cybersecurity the most. Focusing only on DoD-controlled data keeps you goal-oriented and helps you save money on your professional audit.
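Locating marked CUI on a file store is something you can start with a script rather than by asking around. The following is an added example written for this page, not NSTXL's tooling or anything the original article ships. It walks a directory, looks for the banner markings defined in the NARA CUI Marking Handbook (a "CUI" or "CONTROLLED" banner optionally followed by "//" category and dissemination markers), flags legacy "FOUO" and distribution-statement markings for human review, and produces an inventory. The regexes, the legacy-marking list, and the four-file sample share are assumptions constructed for the demonstration; real binary formats (PDF, DOCX) would need a text extractor in front of it.

```python
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Banner markings per the NARA CUI Marking Handbook (32 CFR 2002): the banner
# term is "CUI" or "CONTROLLED", optionally followed by "//" category markers
# such as "SP-CTI" (specified: controlled technical information) and a further
# "//" block of limited-dissemination controls such as "NOFORN". Assumed regex;
# it matches whole lines so that prose mentioning "CUI" is not counted.
BANNER_RE = re.compile(r"^\s*(?:CUI|CONTROLLED)(?://[A-Z0-9 ,/-]+)*\s*$", re.MULTILINE)

# Pre-CUI markings still found on old documents. They do not make a file CUI by
# themselves, but someone must decide whether the content now maps to a CUI
# category, so they are flagged separately. Assumed list, not exhaustive.
LEGACY_RE = re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY|DISTRIBUTION STATEMENT [B-F])\b")


@dataclass
class Finding:
    path: Path
    markings: list[str] = field(default_factory=list)
    legacy: list[str] = field(default_factory=list)

    @property
    def is_cui(self) -> bool:
        return bool(self.markings)


def scan_file(path: Path, max_bytes: int = 5_000_000) -> Finding:
    """Read a file as text and collect any CUI banner or legacy markings.

    Files over max_bytes are skipped so the walk stays cheap; undecodable
    bytes are ignored rather than aborting the scan on a binary blob.
    """
    finding = Finding(path)
    if path.stat().st_size > max_bytes:
        return finding
    text = path.read_text(encoding="utf-8", errors="ignore")
    finding.markings = sorted({m.strip() for m in BANNER_RE.findall(text)})
    finding.legacy = sorted(set(LEGACY_RE.findall(text)))
    return finding


def scan_tree(root: Path) -> list[Finding]:
    """Walk a directory tree and return findings only for files carrying markings."""
    results = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = scan_file(p)
            if f.markings or f.legacy:
                results.append(f)
    return results


def summarize(findings: list[Finding]) -> dict:
    """Roll the inventory up into the numbers a scoping discussion starts from."""
    return {
        "cui_files": sum(1 for f in findings if f.is_cui),
        "legacy_review": sum(1 for f in findings if f.legacy and not f.is_cui),
        "cui_categories": sorted({m for f in findings for m in f.markings}),
    }


def build_sample_tree() -> Path:
    """Constructed sample share standing in for a contractor file server."""
    root = Path(tempfile.mkdtemp(prefix="cui-scan-"))
    (root / "engineering").mkdir()
    (root / "finance").mkdir()
    (root / "engineering" / "drawing.txt").write_text(
        "CUI//SP-CTI//NOFORN\nBracket assembly, rev C ...\nCUI//SP-CTI//NOFORN\n")
    (root / "engineering" / "spec.txt").write_text(
        "CONTROLLED\nInterface control document ...\n")
    (root / "engineering" / "old_memo.txt").write_text(
        "FOR OFFICIAL USE ONLY\nTest procedure from 2014 ...\n")
    # Purchase order data is FCI, not CUI: it must not show up in the CUI inventory.
    (root / "finance" / "po-4471.txt").write_text(
        "Purchase order 4471, 200 units, net 30.\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan_tree(root)
    for f in findings:
        status = "CUI" if f.is_cui else "REVIEW"
        print(f"{status:6} {f.path.relative_to(root)}  {f.markings or f.legacy}")
    print(summarize(findings))
```

Run against the sample tree, it inventories the two marked engineering files as CUI, sends the FOUO memo to review, and leaves the purchase order out of the CUI scope. The point of the "REVIEW" bucket is that unmarked or legacy-marked data is where scoping mistakes usually come from; the scan narrows the questions a person still has to answer, it does not replace them.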
Analyze and Eliminate CMMC Gaps
At this point, you can identify CMMC gaps within your environment. You should:
- Perform a self-assessment of gathered data
- Talk with a CMMC consultant to get assistance with an expert assessment
- Document each control
- Find 2 pieces of evidence for each control
This lets you analyze weak points and eliminate gaps within your system.
Start by building a security baseline. You have already identified your required level (Level 1, 2, or 3) and the practices that level requires.
Use this to plan how you will identify and close gaps. A tool such as Microsoft 365 Compliance Manager, which includes CMMC assessment templates, can run an initial assessment that shows how much your enterprise has already done and what remains before you meet DoD requirements.
You can then lay out the different paths toward compliance in the areas where you fall short.
NSTXL can help you with this. Members who are trying to get cybersecurity model certificates can access 3 Pathways to Compliance via their membership program. If you register, you also can receive discounts from companies that we have partnered with that can help you meet CMMC standards.
Create a Remediation Plan
Creating a remediation plan is the final step you must take prior to your CMMC assessment. This plan is the list of tasks you need to complete before the assessor arrives.
Many enterprises expect that they will need to buy a lot of new hardware and software during this step, but that is often not the case. You may not need to purchase anything, which saves on equipment and associated fees.
Instead, you need to map each required practice to a security control. Controls can be technical (a firewall rule, multifactor authentication, encryption of CUI at rest), administrative (an access-control policy, security awareness training), or physical (visitor logs, locked server rooms). A firewall is one technical control, not a substitute for the rest.
You will also need to implement the practices and processes that go with each control. Document how the control was implemented and how it will be managed afterward, since the assessor scores whether a practice is performed routinely, not whether it was once set up. In the end, you can walk CMMC assessors through these records to show how each practice is met.
Remediation Plan Contents
If a control is already in place, all you need to do is document it. This means recording the control and providing evidence for it.
If a control is not in place, the remediation plan should specify how to add it, document it, and support it with evidence.
Your remediation plan also should include:
- Ways that you can limit the scope of compliance
- Network segmentation strategies
- Confines of compliance (limited to those who are fulfilling the DoD contract)
Once you have a well-written plan and have gathered evidence for each control, you are ready for your assessment.
Get Started With Cybersecurity Maturity Model Certification
CMMC compliance may sound like a challenge, but it is easier when you enlist security experts who understand the ins and outs of the certification program. If you work with Department of Defense data, it is worth reaching out to professionals who can help you prepare for your compliance assessment.
NSTXL is committed to assisting enterprises that need to meet compliance standards to continue working with sensitive government data. We’re excited to discuss DoD opportunities with you and your enterprise so that you can make the most of your daily operations. Contact us with any remaining questions that you have or to learn more about becoming a member.