We’re talking with government contractors who are anxious about becoming CMMC compliant. They want to know what it’ll take to get their ducks in a row so the assessment goes without a hitch. They want to know what action steps they should take to be completely ready for the assessment. And they want to know what kind of a project this is going to be.
For any compliance standard, there’s a basic pattern to follow, and CMMC is no different. You can think of it as a four-phase process.
1) Prepare for the Engagement
Before you begin the actual work, it’s critical to put some things in place first:
Assign a point person
Your point person is the center of the engagement, and their job is to keep things on track and moving forward. They need to have strong organizational skills, be a liaison between multiple parties, and work well with third-party professionals. Your point person will be called on to develop and enforce the rules of the engagement while holding it all together.
Use a compliance tracking system
As you’re going down the path towards CMMC compliance, there will be an enormous number of moving parts. It’s always overwhelming for first-timers. You could be looking at hundreds of different items that you need to assign to people / vendors, organize, and monitor. A robust, flexible compliance management system will help keep you sane.
Hire a compliance consultant
I cannot stress enough the difference it makes to have someone to navigate you through the very complex and uncharted terrain of compliance. A compliance consultant can provide various solutions, walk you through options, and recommend tools and resources to make life immeasurably easier for your team. Look at them as the internal security / compliance expert you wish you had on staff. They’re also someone you can have open discussions with about the present state that you probably shouldn’t have with your Assessor.
The consultant will also make sure that you’re capturing appropriate evidence to prove the requirements are in place. They’re an internal and safe resource to use for validation. When you’re ready for the assessment, you’ll be confident that you truly have all your ducks in a row. That means fewer unpleasant surprises from the Assessor and a significantly easier assessment — without significant remediation afterwards.
2) Gather Your Documentation
Every company already has some pieces of CMMC in place. Your first task is to figure out where you stand in the grand scheme of things.
The following documentation will be helpful (and necessary) as you walk into your CMMC compliance engagement. Make sure you have these documents, and that they’re up to date.
- Inventory of all the hardware and software in your environment.
- Accurate and up-to-date list of all your vendors. This should include service providers that physically come on-site or with logical (digital) access to your environment.
- Network diagram that illustrates the landscape of your IT network from both a physical and logical perspective. The point of these documents is to provide vital information about where your machines are located and what’s connected to what.
- Data flow documentation. What data are you receiving, and how are you receiving it? What are you doing with the data, where is it stored, and where does it go out to?
- Firewall rules for your environment, including a justification for why the specific rules exist.
- Any existing policies that apply to your technical environment. This might be one overarching security policy that covers everything, or you might have a different policy for each element that needs one.
Review these documents against one another, to make sure you have everything accurate and up to date. For example, if you have an external vendor connection open and justified in the firewall rules, but you don’t have it documented in your network diagram or your data flow diagram, you have some discrepancies that need to be resolved.
It is critically important to begin the engagement with a clear understanding of the environment, as these are the artifacts that will facilitate all of the activity that follows. These documents will be referred to for a myriad of reasons as you progress, and the initial investment will be invaluable as you cross unfamiliar terrain.
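The cross-check described above can be automated once the artifacts are in a structured form. The following is an added example, not code from the original article: it reconciles a firewall rule export against the vendor list, the network diagram and the data-flow documentation, and reports every discrepancy in either direction. All of the sample data (rule IDs, vendor names, ports) is constructed for illustration, and the simplified record layout is an assumption about how you export these artifacts.

```python
"""Reconcile CMMC preparation artifacts against one another.

Constructed sample data stands in for a firewall rule export, the vendor
list, the external links drawn on the network diagram, and the external
parties named in data-flow documentation. Every mismatch between them
is a discrepancy to resolve before the engagement starts.
"""
from dataclasses import dataclass


@dataclass
class FirewallRule:
    rule_id: str
    remote: str          # external party this rule permits traffic with
    port: int
    justification: str   # empty string means no documented reason


@dataclass
class Artifacts:
    rules: list          # FirewallRule objects from the firewall export
    vendors: set         # vendor list: parties with logical access
    diagram_links: set   # external connections shown on the network diagram
    data_flows: set      # external parties named in data-flow documentation


def find_discrepancies(a: Artifacts) -> list:
    """Return human-readable discrepancies between the four artifacts."""
    findings = []
    remotes_in_rules = {r.remote for r in a.rules}

    # Forward direction: every permitted connection must be justified and
    # must appear in each of the other three artifacts.
    for r in a.rules:
        if not r.justification.strip():
            findings.append(f"{r.rule_id}: no justification recorded")
        if r.remote not in a.vendors:
            findings.append(f"{r.rule_id}: '{r.remote}' is not on the vendor list")
        if r.remote not in a.diagram_links:
            findings.append(f"{r.rule_id}: '{r.remote}' missing from network diagram")
        if r.remote not in a.data_flows:
            findings.append(f"{r.rule_id}: '{r.remote}' missing from data-flow documentation")

    # Reverse direction: a documented connection with no rule permitting it
    # is either stale documentation or an undocumented path; both need review.
    for party in sorted((a.diagram_links | a.data_flows) - remotes_in_rules):
        findings.append(f"'{party}' is documented but no firewall rule permits it")
    return findings


def sample_artifacts() -> Artifacts:
    """Constructed sample data (not from any real environment)."""
    return Artifacts(
        rules=[
            FirewallRule("FW-01", "payroll-saas", 443, "Payroll export per SOW 2023-04"),
            FirewallRule("FW-02", "backup-provider", 22, ""),
            FirewallRule("FW-03", "legacy-partner", 21, "FTP drop to former partner"),
        ],
        vendors={"payroll-saas", "backup-provider", "msp-remote-support"},
        diagram_links={"payroll-saas", "backup-provider", "msp-remote-support"},
        data_flows={"payroll-saas", "backup-provider"},
    )


if __name__ == "__main__":
    for line in find_discrepancies(sample_artifacts()):
        print(line)
```

Each finding maps back to a specific artifact that has to be corrected or a rule that has to be justified or removed, which is exactly the reconciliation you want finished before an Assessor asks why an open connection is not on your diagram.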
3) Evaluate Your Current Situation
Before you know how to get to your destination, you need to know where you are. The same goes for achieving CMMC compliance. The most efficient way to get compliant is to figure out what you already have in place, and focus on the items that are missing or incomplete.
There are three tools to help you evaluate your current situation.
Gap assessment
Look at all the requirements of the CMMC and compare them to your organization as it currently stands. Effectively, this involves going through all the requirements and asking, “What do we have in place?”
The gap assessment is more than checking off a list of requirements. As obvious as it may sound, you need to actually read the requirements. I’ve seen too many companies say to themselves, “Yep, we have antivirus” without realizing there are 11 different elements of antivirus that need to be in place, in a particular way. For example:
- Is the antivirus configured correctly?
- Is it deployed on all appropriate assets?
- Is it updating?
- Is it scanning?
- Is someone watching the output from the antivirus?
Gather evidence that shows requirements are in place. This could be a screenshot, or a document, or an extract of evidence from a system, or a diagram — anything that can serve as proof that you’re satisfying the requirement. It’s not good enough to add a note indicating that the requirement is in place. Comments are considerate, attachments are king. Attach the evidence in your system of record.
Generally, you’ll find that each requirement in CMMC is either completely in place already, not in place at all, or partially in place (some elements are in place, but some things need to be addressed).
Risk assessment
A risk assessment looks at the overall organization and what risks your company faces from a business perspective. A third-party risk assessment will cross over into many of the realms that you’re looking at as you prepare for CMMC, but it will also extend beyond CMMC’s requirements. Many mistake a risk assessment as being IT-centric, whereas a well-prepared and well-executed risk assessment extends well beyond technical requirements and looks at the organization overall.
Penetration test
A third-party penetration test should be performed from outside and inside your organization. It should be done across all of your network applications, websites your organization is responsible for, any web-based APIs, as well as your wireless system. Penetration testing will give you a solid understanding of the state of your company from a technical perspective.
4) Fill in the Gaps
Now you’re ready to start resolving items that the assessments have revealed.
- Plug any holes that the gap assessment revealed.
- Address any risk assessment deficiencies that have impact on CMMC — for example, if you discover that you aren’t encrypting data properly.
- Address any penetration testing issues that are impactful from a CMMC perspective. Make sure to leverage the penetration testing team to provide third-party validation that the issue has been effectively remediated.
Your compliance consultant will prove to be an invaluable resource during this phase, because they’ll be able to help you understand the ins and outs of the requirements. The consultant can explain why this or that evidence won’t pass muster with the Assessor, and what will make the cut.
Their deep experience will also help you to develop an approach that makes your engagement more efficient, less stressful, and more effective.
How Long Will It Take to Achieve CMMC Compliance?
There’s a limited pool of CMMC Assessors, and a large demand for their services. For most contractors, that’s not a cause for concern — especially if your current DoD contract doesn’t end for a couple of years or more. By the time you need to hire an Assessor, you’ll have an easier time finding a good one with some CMMC experience under their belt.
But if you need to renew your contract within the next year, you’re under the gun. You’ll need to start moving now, and moving fast. This process will take you a good six to nine months, and that’s assuming you’re aggressive about it and have a dedicated team that’s focused on getting through this.
CMMC compliance isn’t for the faint of heart, but these action steps will help make your compliance efforts more organized, more efficient, and more successful.