What it takes to be “CMMC Ready”


DoD contractors that handle Controlled Unclassified Information (CUI) must be prepared to meet the DoD’s Cybersecurity Maturity Model Certification (CMMC) Level 2. Most CMMC Level 2 organizations will have to hire a CMMC 3rd Party Assessment Organization (C3PAO) to perform a certification assessment. These assessments are not cheap. Therefore, it behooves the organization seeking certification (OSC) to ensure it will pass the CMMC Level 2 assessment before it engages a C3PAO. If you’ve checked out our CMMC Compliance Roadmap, you know that the last step before the CMMC Assessment is for the OSC to perform a CMMC Readiness review. This post provides an overview of the criteria an OSC must meet to consider itself “CMMC Ready”. To generate these criteria, we collaborated in one of our monthly Town Halls with the esteemed Kelly Kendall of KNC Strategic Services, an authorized C3PAO.

BTW, you can download our CMMC Compliance Roadmap at the end of the post. 

"CMMC Ready" criteria

The list below shows the criteria an OSC must meet before it considers itself CMMC Ready. Where appropriate, links are provided to sources with more information regarding the activity. An asterisk (*) means that criterion is supported by a workflow, module, or template in our Totem™ Cybersecurity Compliance Management tool. Contact us if you’d like a demo or free trial of this tool, or check out our tutorial videos highlighting the various workflows.

First, you must know what information you must protect, how much of it there is, where it resides, and who handles it, and then describe the lifecycle of the CUI you possess, from first receipt or generation to final disposal or destruction.

Identify, document, and inventory all hardware, software, firmware, users, facilities, and documentation assets that support any of the phases of the CUI lifecycle as determined in the first criterion.

  • Using the results of the CUI lifecycle characterization exercise and asset inventory, trace how and where CUI flows through your organization, and depict this flow in a data flow diagram.
  • Create a network topology diagram identifying how the assets within your assessment scope are interconnected and interrelated.
  • Overlay the network topology diagram with the CUI data flow diagram, if possible.
  • Include the Federal Contract Information (FCI, associated with CMMC Level 1) network topology and data flows, if there is overlap.

  • Conducting a self-assessment requires that you’ve developed a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and the necessary SSP-supporting artifacts.
  • Using the DoD Assessment Methodology, your organization should be at a full score of 110, or at least have a score of 88 with no deficient CMMC Level 1, 3-point, or 5-point controls.
  • Post the resultant score to the DoD’s Supplier Performance Risk System (SPRS).

  • You can identify the sources of compelling evidence (CE) for each NIST 800-171 control in a requirements traceability matrix (such as a spreadsheet), directly in the System Security Plan (SSP), or both. This creates a map for you and the assessor and will speed up the assessment.
  • Assessors will choose from the following three types of evidence:
    • List of the documents or procedures to examine,
    • List of the responsible personnel to interview, and/or
    • List of the processes, procedures, or systems to demonstrate.
  • Organize the CE documents in folders or repositories named by the control ID for quick reference.
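To make the self-assessment scoring criterion above concrete, here is an added example (not code from the original post or from the Totem tool) that computes a DoD Assessment Methodology score the standard way, starting at 110 and subtracting the weight of each deficient control, and then applies the post's readiness test: a full 110, or at least 88 with no deficient Level 1, 3-point, or 5-point control. The control list is constructed sample data; the weights and Level 1 flags are illustrative and should be taken from the methodology itself.

```python
from dataclasses import dataclass

FULL_SCORE = 110   # one point per NIST 800-171 rev 2 requirement before deductions
READY_FLOOR = 88   # the post's minimum score when not at the full 110


@dataclass(frozen=True)
class Control:
    control_id: str    # NIST 800-171 requirement, e.g. "3.1.1"
    points: int        # deduction weight from the DoD Assessment Methodology: 1, 3 or 5
    level1: bool       # also a CMMC Level 1 (FCI) practice
    implemented: bool  # "Implemented" in the SSP; anything else counts as deficient


def sprs_score(controls):
    """Start at 110 and subtract the weight of every deficient control."""
    return FULL_SCORE - sum(c.points for c in controls if not c.implemented)


def deficient_blockers(controls):
    """Deficient controls the post says must be closed regardless of the score."""
    return [c.control_id for c in controls
            if not c.implemented and (c.level1 or c.points in (3, 5))]


def cmmc_ready(controls):
    """Return (ready, score, blockers) per the post's readiness criterion."""
    score = sprs_score(controls)
    if score == FULL_SCORE:
        return True, score, []
    blockers = deficient_blockers(controls)
    return (score >= READY_FLOOR and not blockers), score, blockers


# Constructed sample inventory (not a real SSP); weights are illustrative.
SAMPLE = [
    Control("3.1.1", 5, True, True),
    Control("3.1.2", 5, True, True),
    Control("3.3.1", 5, False, True),
    Control("3.4.1", 5, False, True),
    Control("3.5.3", 5, False, False),   # MFA deficient: a 5-point control blocks readiness
    Control("3.1.3", 1, False, False),   # 1-point control: deducts but does not block
    Control("3.12.1", 5, False, True),
]

if __name__ == "__main__":
    ready, score, blockers = cmmc_ready(SAMPLE)
    print(f"score={score} ready={ready} blockers={blockers}")
```

With the sample data the score is 104, which clears 88, yet the organization is not CMMC Ready until the deficient 5-point control 3.5.3 is closed.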

There are several hundred Assessment Objectives in NIST 800-171 (320 in rev 2, 509 in rev 3). Every Assessment Objective should be covered by at least one of the forms of compelling evidence identified above.
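The evidence criteria above (one of the three evidence types per Assessment Objective, artifacts filed in folders named by control ID) lend themselves to an automated pre-assessment check. The following is an added example, not code from the original post or the Totem tool; the traceability matrix and repository listing are constructed, and the objective-ID style "3.1.1[a]" is an assumption modelled on the assessment guides.

```python
import re
from collections import defaultdict

EVIDENCE_TYPES = {"examine", "interview", "test"}   # the three forms the post names
CONTROL_ID = re.compile(r"^3\.\d{1,2}\.\d{1,2}$")    # NIST 800-171 requirement id, e.g. 3.1.1

# Constructed matrix: objective id -> list of (evidence type, artifact or person).
MATRIX = {
    "3.1.1[a]": [("examine", "3.1.1-Access Control Policy.pdf")],
    "3.1.1[b]": [("examine", "3.1.1-Access Control Policy.pdf"), ("interview", "IT Manager")],
    "3.1.1[c]": [],                              # gap: no evidence recorded at all
    "3.5.3[a]": [("test", "Demonstrate MFA login to the VPN")],
    "3.5.3[b]": [("screenshot", "mfa.png")],     # not one of the three evidence types
}

# Constructed repository listing: folder named by control id -> files present.
REPO = {"3.1.1": {"3.1.1-Access Control Policy.pdf"}, "3.5.3": set()}


def control_of(objective):
    return objective.split("[", 1)[0]


def check_matrix(matrix, repo):
    """Return findings an OSC would fix before calling itself CMMC Ready."""
    findings = defaultdict(list)
    for objective, evidence in matrix.items():
        ctl = control_of(objective)
        if not CONTROL_ID.match(ctl):
            findings["bad_id"].append(objective)
            continue
        if not any(e[0] in EVIDENCE_TYPES for e in evidence):
            findings["uncovered"].append(objective)      # objective has no valid evidence
        for etype, ref in evidence:
            if etype not in EVIDENCE_TYPES:
                findings["bad_type"].append((objective, etype))
            elif etype == "examine":
                if ref not in repo.get(ctl, set()):
                    findings["missing_artifact"].append((objective, ref))
                elif not ref.startswith(ctl + "-"):
                    findings["naming"].append(ref)       # post's "3.1.1-..." convention
    return dict(findings)


def coverage(matrix):
    """Fraction of objectives backed by at least one valid form of evidence."""
    covered = sum(1 for ev in matrix.values() if any(e[0] in EVIDENCE_TYPES for e in ev))
    return covered / len(matrix) if matrix else 0.0
```

Run against the sample matrix it reports two uncovered objectives, one unsupported evidence type, and 60% coverage; against a real matrix it is a quick way to find the gaps an assessor would otherwise find for you.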

  • External Service Providers (ESP) include all Cloud Service Providers (CSP), Managed Service Providers (MSP, “day-to-day” IT), and Managed Security Service Providers (MSSP, the security operations folks that help you monitor your environment) that provide CUI processing, storage, transmission, or protection services.
  • Get a NIST 800-171-based Shared Responsibility Matrix (SRM) from every ESP that is within your assessment scope, and reference the SRM from — or include it in — the SSP.
  • The SRM must show any consumer-shared responsibilities, and those responsibilities must be addressed in the SSP.
  • Understand which controls/objectives your organization can and cannot inherit from the ESP.

  • The Incident Response Plan (IRP) must include both user- and organization-level response procedures for dealing with cyber incidents in the covered system or affecting CUI.
  • Run tabletop exercises, test your team, and document the lessons learned.
  • Totem’s CMMC Level 2 Readiness Workshop includes instructions on developing an IRP and a tabletop exercise.

CUI incident reporting is a requirement of DFARS 252.204-7012. If an incident happens, and you are on a tight timeframe, you do not want to then learn your DIBNET login isn’t working.

  • Artifacts are separate documents, such as an Acceptable Use Policy, that support and/or provide compelling evidence for your SSP implementation. Gather these in a structured repository, and have them controlled and approved by your organization’s Information Security Officer (or designate).
  • A great tip is to name each document with the control number to which it first applies, e.g. “3.1.1-Access Control Policy”. This helps organize and structure your evidence.
  • If you say you do it in your SSP, then make sure you do it, and make sure you don’t contradict yourself in your policies, procedures, forms, etc.
  • C3PAOs are assessing you against your SSP. Scrub it at least 1-2 more times than you think you should.
  • A great example of a contradiction is a different password policy called out in the SSP vs. the Account Management procedure.

Make sure that your organization has documentation showing that a senior official has approved and “signed off” on the SSP. This indicates leadership “buy-in” and that your organization has “institutionalized” its cybersecurity program.

This is an easy-to-miss step, especially on a revised version of the SSP.

Do not wait until the month of your actual assessment to try to get everything updated and ready. You will have plenty to do, and time goes fast. The more you have ready and done, the easier it will be for you, the fewer grey hairs you will acquire, and the better you will sleep before and during the assessment. 

Wrapping Up

So there you have the criteria your organization must meet before it is considered CMMC Ready. It’s quite a bit to do, and in some of these criteria there is much “reading between the lines”. For instance, scoring 88 or higher in SPRS involves implementing a NIST 800-171-based cybersecurity program, which is no small feat and takes most of us a year or more to accomplish. As the last of our CMMC Readiness criteria emphasizes: do not procrastinate!

If you need help understanding these criteria or otherwise starting your organization on its journey to becoming “CMMC Ready”, Totem Tech is here to help. Check out our CMMC Compliance Roadmap (below), and join us in one of our quarterly CMMC Level 2 Readiness Workshops, where we cover all these criteria in depth.

And when your organization is CMMC Ready, consider using KNC Strategic Services as your C3PAO.

Good Hunting!

–Adam

Download Totem Tech's CMMC Compliance Roadmap
