
Practical Steps To Prepare For A Successful CMMC Assessment

Guest Authors - Tom Cornelius & Les Terrell

ComplianceForge and DTC Global teamed up to write an article that provides practitioner-level guidance on Cybersecurity Maturity Model Certification (CMMC) that is focused on the practical steps it takes to get compliant with these requirements and successfully prepare for a CMMC assessment. We get these questions on a daily basis, so we decided it would be worthwhile to summarize the steps. The end result is a list of 14 practical steps to prepare for a successful CMMC assessment.

Important acronyms to be familiar with that are used in this article:

  • C3PAO - Certified Third-Party Assessment Organization
  • CMMC-AB - Cybersecurity Maturity Model Certification - Accreditation Body
  • CUI - Controlled Unclassified Information
  • DFARS - Defense Federal Acquisition Regulation Supplement
  • DFD - Data Flow Diagram
  • DIB - Defense Industrial Base
  • DoD - Department of Defense
  • FAR - Federal Acquisition Regulation
  • FCA - False Claims Act
  • FCI - Federal Contract Information
  • NFO - Non-Federal Organization
  • OSC - Organization Seeking Certification
  • POA&M - Plan of Action & Milestones
  • SSP - System Security Plan
  • TSP - Third-Party Service Provider

Step 1: Identify The Target CMMC Level

In order to start, you have to know what target CMMC certification level your organization needs to attain. In terms of CMMC, that realistically means you are either targeting Level 1 or Level 3, since there are too many unanswered questions by the DoD and CMMC-AB on Levels 2, 4 & 5. Size and maturity considerations have no corresponding influence on CMMC levels - it is all about the data classification. CMMC is not a traditional “maturity model” and focuses entirely on the classification of data:

  • If you store, transmit and/or process just FCI, then you are a Level 1 OSC
  • If you store, transmit and/or process FCI and/or CUI, then you are a Level 3 OSC

CMMC focuses on business practices that are tied to data classification. For example, a landscaping company that has a DoD contract to mow lawns on a military installation could theoretically be a Level 1 OSC since the contract contains FCI. That same landscaping company will be a Level 1 OSC in 3, 5 or 10 years, since its business model will keep it at a Level 1 (e.g., mowing lawns with only FCI-related contracts). There is no “continuous improvement” for most Level 1 OSCs, as that example demonstrates.

There is a widely-held misconception that a Level 1 OSC is going to be limited to small “mom and pop” companies, but that is an inaccurate assumption. An organization is designated a Level 1 when it only stores, transmits and/or processes FCI, not CUI. It is possible to have a Fortune 500 organization be a Level 1 OSC with a robust, well-staffed and mature security program. It is equally possible to have a small company with fewer than a handful of employees be a Level 3 OSC, even though it has no formal IT infrastructure or IT staff - just a completely virtual/remote workforce business model.

Step 2: Document FCI/CUI Data Flows

You have to know where you fit in the “data flow food chain” for regulated data (FCI/CUI) to progress any further. This is also a requirement within CMMC: AC.2.016 - Control the flow of CUI in accordance with approved authorizations.

A DFD doesn’t have to be fancy, but it needs to accurately reflect two considerations:

  • WHAT is being shared; and
  • WHO the information is being shared with.

With CMMC, everything starts with the DoD from a data flow perspective:

  • If you are a prime contractor, you deal directly with the DoD.
  • If you are a subcontractor, you deal directly with a prime contractor.

Taking it a step further:

  • If you are a prime contractor, you likely have subcontractors and TSPs that you share regulated data (FCI/CUI) with.
  • If you are a subcontractor, you likely have TSPs that you share regulated data (FCI/CUI) with.

What you need to do is create a DFD that documents the data flows of regulated data (FCI/CUI):

  • From a prime contractor’s perspective, the DFD should document the flow of regulated data (FCI/CUI) from the DoD to the prime contractor, to subcontractors and any TSPs that may have access to it.
  • From a subcontractor’s perspective, the DFD should document the flow of regulated data (FCI/CUI) from the DoD to the prime contractor, to itself, then any sub-subcontractors and TSPs that may have access to it.

If you are not sure what a DFD is, you can Google the term for examples. The following diagram is an example DFD from Network-Diagrams.com. Please note that the DFD also serves you well when validating that your network diagram is correct in a following step, so it is important to put some effort into it to get it right.

The most important part of a DFD is knowing your flow-down requirement through your supply chain with CUI for Level 3 and above. 32 CFR part 2002.16 states that the contractor must have a “reasonable expectation” to disseminate CUI to an entity that is compliant with DFARS or CMMC. You, as an “authorized holder” of CUI, must reasonably expect that all intended recipients are authorized to receive the CUI and have a basic understanding of how to handle it. This means that you must be confident that any contractor or TSP you share regulated data (FCI/CUI) with is compliant and trained on how to handle CUI responsibly. You are responsible for the data you transmit and responsible if they are not compliant.

Step 3: Update Asset Inventory

You have to know what assets you have to progress any further. Asset inventories are reasonable expectations in numerous laws, regulations and industry practices. CMMC is no different in expecting accurate IT asset inventories: CM.2.061 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.

CMMC is focused on protecting the integrity and confidentiality of the data on the systems, applications and services that store, transmit and/or process regulated data (FCI/CUI). Therefore, this step requires documenting an inventory of all systems, applications and services that includes, but is not limited to:

  • Servers
  • Workstations
  • Network devices (e.g., firewalls, switches, NIDS/NIPS, VPN concentrators, WAPs, etc.)
  • Databases
  • Mobile devices
  • Third-party service providers (e.g., email, file sharing, IT support, etc.)
  • Cloud infrastructure instances
  • Major applications (including what servers and databases they depend on)

This step is also where you need to evaluate, as an organization, where you can segment your environment to use the smallest possible profile to store, transmit, and/or process regulated data (FCI/CUI). The concept is simple, but the implementation is more difficult. What is the smallest effective footprint I can have for FCI/CUI and still operate efficiently? The less regulated data is dispersed in my organization, the easier it is to protect.

Step 4: Update Network Diagram

Now that you have an updated DFD and inventory, you can legitimately populate a network diagram. If you are not sure what a network diagram is, you can see examples at Network-Diagrams.com for what is a reasonable level of detail. The DoD provided specific guidance on documentation requirements that includes "A detailed topology narrative and graphic shall be included that clearly depicts the Contractor’s internal unclassified information system boundaries, system interconnections, and key components."

A network diagram doesn’t have to be fancy, but it needs to accurately reflect:

  • System boundaries (e.g., logical and physical segmentation)
  • Key hardware components (e.g., firewalls, servers, databases, directory services, proxies, etc.)
  • TSPs (e.g., Managed Service Providers (MSPs), bookkeepers, consultants)
  • Cloud Service Providers (CSPs) (e.g., AWS, Azure, Office365, etc.)
  • Subcontractors.

The following diagram is an example network diagram. As mentioned earlier, the DFD should be used to validate the accuracy of the network diagram. If the DFD does not line up, you need to determine the root issue for the disconnect to either update the DFD or network diagram.

Step 5: Define CMMC Assessment Boundary

You have to know what your CMMC assessment boundary is to progress any further. The concept of the assessment boundary is where the OSC defines what is and what is not in scope, based on how regulated data (FCI/CUI) is stored, transmitted and processed. That process cannot legitimately be done without first having:

  • FCI/CUI process flows (e.g., DFD) (step 2)
  • Accurate inventory of systems, applications and services (step 3)
  • Current network diagram (step 4)

The most efficient process to define an assessment boundary for NIST SP 800-171 / CMMC can be found at CMMC-Scoping.com with the downloadable NIST 800-171 & CMMC Scoping Guide for CUI & FCI: A Zone-Based Model For A Data-Centric Security Approach To Defining NIST 800-171 & CMMC Scoping document. That scoping guide not only contains a detailed methodology, but also several examples that help bring the approach to life.
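As an added illustration that is not from the article or from either firm's materials, the following Python models Steps 1 through 5 for a constructed subcontractor "SubCo": it derives the target level from the data types on the DFD, lists the downstream recipients the flow-down requirement applies to, picks the in-scope assets from the inventory, and cross-checks inventory against network diagram the way Step 4 describes. Every organization, asset and data flow below is a constructed assumption.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data for a hypothetical subcontractor "SubCo" (not from the article).
# Data flow (step 2): (sender, receiver, data_type) with data_type "FCI" or "CUI".
DATA_FLOWS: List[Tuple[str, str, str]] = [
    ("DoD", "PrimeCo", "CUI"),
    ("PrimeCo", "SubCo", "CUI"),
    ("PrimeCo", "SubCo", "FCI"),
    ("SubCo", "Mail-TSP", "CUI"),        # hosted email provider
    ("SubCo", "Bookkeeper-TSP", "FCI"),  # outsourced bookkeeping
]

# Asset inventory (step 3): asset -> regulated data it stores, transmits or processes.
INVENTORY: Dict[str, Set[str]] = {
    "fw-edge": {"CUI", "FCI"},
    "fileserver01": {"CUI"},
    "eng-ws-01": {"CUI"},
    "hr-ws-01": set(),        # touches no FCI/CUI
    "Mail-TSP": {"CUI"},
    "Bookkeeper-TSP": {"FCI"},
}

# Network diagram (step 4): undirected links between drawn components.
NETWORK_LINKS: Set[FrozenSet[str]] = {
    frozenset({"fw-edge", "fileserver01"}),
    frozenset({"fw-edge", "eng-ws-01"}),
    frozenset({"fw-edge", "hr-ws-01"}),
    frozenset({"fw-edge", "Mail-TSP"}),
    frozenset({"fw-edge", "printer-01"}),  # drawn, but never inventoried
}

def target_level(org: str, flows) -> int:
    """Step 1: the level follows the data alone (CUI -> 3, FCI only -> 1, neither -> 0)."""
    handled = {d for s, r, d in flows if org in (s, r)}
    if "CUI" in handled:
        return 3
    return 1 if "FCI" in handled else 0

def shared_with(org: str, flows) -> Dict[str, Set[str]]:
    """Step 2 flow-down: downstream recipients whose compliance org must be confident of."""
    out: Dict[str, Set[str]] = {}
    for s, r, d in flows:
        if s == org:
            out.setdefault(r, set()).add(d)
    return out

def in_scope_assets(inventory: Dict[str, Set[str]]) -> Set[str]:
    """Step 5: the candidate assessment boundary is every asset that touches FCI/CUI."""
    return {asset for asset, kinds in inventory.items() if kinds}

def diagram_gaps(inventory: Dict[str, Set[str]], links) -> Dict[str, List[str]]:
    """Step 4 cross-check: in-scope assets absent from the diagram, and diagram nodes
    absent from the inventory. Any non-empty list needs a root cause before Step 5."""
    drawn: Set[str] = set().union(*links)
    return {
        "not_on_diagram": sorted(in_scope_assets(inventory) - drawn),
        "not_in_inventory": sorted(drawn - set(inventory)),
    }

if __name__ == "__main__":
    print("SubCo target level:", target_level("SubCo", DATA_FLOWS))
    print("Flow-down recipients:", shared_with("SubCo", DATA_FLOWS))
    print("In-scope assets:", sorted(in_scope_assets(INVENTORY)))
    print("Diagram gaps:", diagram_gaps(INVENTORY, NETWORK_LINKS))
```

Note that the bookkeeper receives only FCI and so would itself be a Level 1 OSC, while SubCo is Level 3 because CUI reaches it, which is the article's point that the level follows the data and not the size of the company.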

Step 6: Update System Security Plan (SSP)

The SSP is a “living document” that is meant to document the who/what/where/when/why/how of the FCI/CUI environment. Maintaining a current SSP is a CMMC requirement: CA.2.157 - Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.

Expect the SSP to be the first thing the C3PAO requests for two reasons:

  1. Prior to the assessment even starting, the SSP will be necessary to scope the level of effort needed to perform the CMMC assessment; and
  2. Upon starting the CMMC assessment, the assessor will need the SSP to gain an understanding of all the parts/pieces that come together to make up the FCI/CUI environment.

It is important to note that the SSP cannot have logical inconsistencies, or that risks the OSC failing the CMMC assessment, since errors on such an important document can put the rest of the OSC’s documentation into question. Essentially, if you can’t get the SSP right through missing or inaccurate information, what other problems exist?

As you learn more about your network, FCI/CUI environment, third-party involvement or evolving business processes, simply update the SSP to reflect the current state of how everything is being managed. The SSP should be written so that if the smartest person on FCI/CUI in your organization won the lottery and never came back to work, someone else could pick up the SSP and completely understand both the processes involved and all the security controls that are applied to the FCI/CUI environment. If your SSP does not have that level of coverage, you should spend time upgrading it.

Step 7: Update Cybersecurity Program Documentation

Concise and comprehensive documentation can be “half the battle” in an assessment. Inconsistent, incomplete or unclear documentation creates confusion that leads to opportunities for assessors to ask probing questions, which is not a good thing in a third-party assessment. Cybersecurity documentation should follow the simple rule of “Say as you do. Do as you say.”

All too often, documentation is not scoped properly, and this leads to the governance function being viewed as more of an obstacle as compared to being an asset. CMMC documentation should be concise, clearly-written and have direct mapping to all compliance requirements. A multiple-page “policy” document that blends high-level security concepts (e.g., policies), configuration requirements (e.g., standards), and work assignments (e.g., procedures) is an example of poor documentation that leads to confusion and inefficiencies across technology, cybersecurity, and privacy operations. If you are not sure what you need for cybersecurity policies, standards and procedures, you can see examples at ComplianceForge.com that are specific to NIST SP 800-171 and CMMC.

For Level 1 OSCs, the documented policies, standards and procedures need to cover FAR cybersecurity requirements.

For Level 3 OSCs, the documented policies, standards and procedures need to cover:

  • Level 3 practices from CMMC (contains the 110 CUI controls from NIST SP 800-171);
  • Level 3 processes from CMMC (policies, standards, procedures & resource plan documentation);
  • NFO controls from Appendix E of NIST SP 800-171 (you can read more about NFO controls at NFO-Contols.com)

Regardless of whether you are a Level 1 or 3 OSC, you need to have written policies, standards and procedures.

Level 1: Contrary to what is put out in the CMMC model (v1.02), there is a documentation requirement for Level 1 OSCs, based on existing FAR requirements. From FAR, an organization that stores, transmits and/or processes FCI is required to “apply the following basic safeguarding requirements and procedures to protect covered contractor information systems” as it pertains to those fifteen basic cybersecurity requirements. FAR defines the term “safeguarding” to mean “measures or controls that are prescribed to protect information systems.” If you look up the term “control” in the NIST Glossary, you will see that the definition refers to documented policies, standards and procedures, so there is a tangible documentation requirement to address FAR 52.204-21.

Levels 2-3: From CMMC, there are process requirements that must be addressed that have documentation requirements:

  • ML.2.999 - Establish a policy that covers each domain.
  • ML.2.998 - Document the practices / procedures to implement the policy.
  • ML.3.997 - Establish, maintain and resource a plan to implement the policy.*

Note: The documentation surrounding the implementation of a cybersecurity program can be evidence of ML.3.997, since the budget requests, project plans or other strategic planning proves your organization has a plan to implement the policies necessary to address CMMC.

In accordance with 32 CFR 2002.20 and the CUI Marking Handbook, and the Media Protection and Physical Protection Policies, CUIsupply.com offers products to label digital and physical media such as computers, computer towers, monitors, tablets, CDs, flash drives, external hard drives, document covers, and signs.

Step 8: Train Personnel On Secure Practices

The common weak link in most organizations is the “people factor” that covers the individuals required to operate processes. OSCs are required to train personnel on CUI handling practices, role-specific security training, insider threat awareness and in some cases ITAR/EAR training for export control. While the Awareness and Training (AT) domain within CMMC is only required in CMMC Levels 2 through 5, it is highly recommended that Level 1 organizations have some sort of cybersecurity awareness and insider threat training.

Training is expected to be both at the time of hire (prior to accessing any systems or data) and annually thereafter. This is necessary to establish and maintain a “culture of security” within your organization, where security is both taken seriously and is everyone’s responsibility.

CUI training expectations:

  • Identifying CUI
  • CUI handling
  • Sharing restrictions
  • Storage requirements
  • Transmission requirements
  • Marking material that contains CUI
  • Disposing/destroying requirements

Security training expectations:

  • Keeping network equipment secure
  • Protecting credentials
  • Data storage
  • Emailing regulated data (FCI/CUI)
  • Workstation security while present and when you are away from your desk.
  • Terms of use / acceptable use
  • External media device handling
  • Destruction of digital and non-digital media
  • Awareness of malicious code, which is commonly released in a phishing attack.

Insider threat awareness expectations:

  • Know the warning signs of a staff member who may be in danger of becoming a threat to the organization or staff
  • What you can and cannot say outside the workplace.
  • Social networking awareness
  • Physical security awareness
  • Travel threats and protocols

Step 9: Assign Control Ownership & Document Procedures

Now that you’ve addressed the core documentation requirements, the time-consuming process begins of putting it into practice. Evidence of both due diligence and due care is needed to successfully pass a CMMC assessment. Documented policies and standards provide evidence of due diligence; whereas, documented procedures provide evidence of due care. Documenting step-by-step procedures is the most time-consuming activity related to cybersecurity documentation for CMMC. For the most part, you cannot easily outsource this requirement to a consultant since documenting procedures requires a subject matter expert from your organization to provide input on how a process operates, which requires internal staff to take a significant role in documenting procedures.

To identify the stakeholders and assign control ownership, it is necessary to formally identify CMMC-related roles and responsibilities. Realistically, this process can be as straightforward as going through the CMMC practices and assigning each practice to one or more stakeholders. In smaller companies, this might mean a handful of people do all the work. For medium-to-large companies, there will likely be dozens of teams/individuals assigned as stakeholders. These stakeholders are “control owners” from the perspective of the CMMC assessment - those are the teams/individuals who are assigned the responsibility to implement and maintain the required practice(s) to pass CMMC.

What many people fail to realize is that CMMC documentation has many different stakeholders:

  • Cybersecurity / IT department: policies & standards (organization-wide focus)
  • Project team: SSP, POA&M, DFD & network diagram (contract-specific focus)
  • Control owners: procedures (process-specific focus)

Step 10: Perform Quality Control & Validate Assumptions - Perform Annual Risk and Security Assessments

Relying on assumptions will cause you to fail a CMMC assessment. This is where it is vitally important to conduct independent “quality control” activities to ensure that CMMC-related work is being done properly. This is where you need to validate any assumptions to identify if gaps exist and then adjust accordingly. When working with project teams and control owners, you need to operate by the “trust but verify” mindset to look at evidence of compliance and not rely on assumptions or undocumented practices.

There is an annual requirement for a Risk and Security Assessment. This allows the organization to touch all systems and determine any deficiencies that exist in their compliance program, which provides the foundation for the Plan of Action & Milestones (POA&M).

Step 11: Update Plan of Action & Milestones (POA&M)

Starting in Step 8, as stakeholders start getting into the details for how CMMC practices are implemented, deficiencies will likely be identified. This is completely expected, and deficiencies must be tracked through remediation via a “risk register” or POA&M document. This provides evidence of due diligence and due care specific to the identification and remediation of CMMC-related deficiencies.

Even though the DoD is putting out conflicting guidance on POA&Ms as it pertains to CMMC assessments, having a POA&M is a CMMC requirement: CA.2.159 - Develop and implement plans of action (e.g., POA&M) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

As it currently stands, the DoD is requiring a completed or blank POA&M for an OSC to successfully pass a CMMC assessment. If there are any open deficiencies, that will cause the OSC to fail the CMMC assessment. Therefore, it is vital to perform the quality control processes called out in Step 9 to ensure there are no areas of non-compliance.

Step 12: Conduct Pre-Assessment Testing

Similar to Step 9 with an internal quality control process, it is common practice to conduct pre-assessment testing to mimic a C3PAO assessment. This is a cost-saving measure, since it does not make sense to contract a C3PAO to conduct a formal CMMC assessment unless you are confident that your documentation and staff are “audit ready” and you fully expect to pass the assessment.

Pre-assessments should be conducted by an independent party, either internal to the OSC or a third-party (not affiliated with the C3PAO). Independence is necessary to provide an honest look and remove biases, which are likely to exist when stakeholders have spent such considerable time and resources in preparation.

If deficiencies are identified in the pre-assessment testing, those issues need to be documented in the POA&M and remediated (Step 10). Ideally, the person/team who conducted the pre-assessment testing should be used to validate that the remediation efforts were successful.

Step 13: Contract C3PAO

Once you are confident that all CMMC-related practices and processes are sufficiently addressed, this is when the OSC will directly contract with a C3PAO to conduct a CMMC assessment. More details are forthcoming from the CMMC-AB and DoD on how an OSC will be able to select a C3PAO. If you are an OSC, the CMMC-AB created a page to address OSC-specific concerns about the certification process.

Once the OSC has selected a C3PAO, the C3PAO will need to conduct some form of fact finding to scope the assessment. This is likely where an OSC will be expected to securely share information (e.g., SSP) so the C3PAO can legitimately identify the level of effort required to conduct the CMMC assessment (e.g., travel to locations, specialized technologies, complexities, etc.).

Step 14: Conduct CMMC Assessment

The CMMC-AB is working on the details that will govern the actual assessment process, so more information is forthcoming from the CMMC-AB on what to expect during the assessment, as well as how results will be reported to the DoD.

Ongoing “Care & Feeding” For NIST 800-171 & CMMC Compliance

CMMC compliance does not end once an OSC passes a CMMC assessment. Underlying NIST SP 800-171 compliance is still required on an ongoing basis, where failure to maintain compliance may result in an FCA violation. While CMMC assessments are designed to be 3-year cycles, NIST SP 800-171 is a 24x7 requirement, so it is an important consideration to keep in mind that compliance does not end once an OSC successfully passes a CMMC assessment.