There are a lot of updates going on with regards to the Cybersecurity Maturity Model Certification (CMMC) rollout that have many in the DIB worried. What can I do? Where do I start? When do I start preparing? The short answer is you need to start preparing now, and there are plenty of resources to help you prepare. Until the updates to Defense Federal Acquisition Regulation Supplement (DFARS) 7012 are finalized later this year the Department of Defense (DoD) will not be including CMMC requirements in RFPs per Katie Arrington, CIO for the DoD’s Acquisition and Sustainment Office.
Where to start? The CMMC is comprised of various Frameworks like NIST SP 800-171, NIST SP 800-53, NIST CSF, and the list goes on. Keep in mind that most of the DIB will need to adhere to the CMMC Levels 1 to 3 depending on whether you are just working with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) based on recent comments from Katie Arrington. That means you will need to adhere to as little as 17 and as much as 130 controls with many of them coming straight out of NIST 800-171. If you need to reach Level 3 of the CMMC then you will be looking at 130 controls with 110 coming straight from NIST 800-171. Time to dust off your System Security Plan (SSP) that you likely put together back in 2016/2017 when the DFARS 252.204-7012 was initially released by the DoD in October of 2016. This is going to be a process and will no longer be a set it and forget it.
You will probably need a guide on where to start. There is a lot of reference material out there, but it is best to get it from the DoD. Before you say “Wait, but that is too much work and I do not speak tech”, make sure to grab the CMMC Model Appendices. This document is broken down into several areas, and the ones I find useful are the Model Matrix and Process and Practice Descriptions. Here is a great example:
Domain – ACCESS CONTROL (AC)
Capability – C001 – Establish system access requirement
Level 1 – AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). – NIST SP 800-171 Rev 1 3.1.1
Process and Practice Descriptions:
|CMMC Clarification – Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.|
It goes on to provide examples that break it down further, but as you can see it does take the technical language and boils it down to a more understandable terminology. Now that it is more understandable it becomes a question on how to get it done and if you need professional assistance. This is a process that will take time, which is why it has been recommended in recent CMMC webinars that you need to provide yourself around 6 months to prepare for a CMMC assessment.
One important step since you will be investing time and effort into this task is to make sure that you bake all the processes and practices into your company culture. It will be high fives across the office once you have achieved CMMC Accreditation Body certificate, but that won’t mean you’re are compliant tomorrow if individuals in your organization don’t understand why certain practices and processes are in place and fully embrace it. Certification is valid for 3 years, but if there is a breach you can be sure compliance to CMMC will be investigated. Always Be Compliant (ABC). You practiced your ABC’s till you knew them like the back of your hand. Now your organization needs to practice its ABC’s till it becomes an everyday occurrence.