The Cybersecurity Maturity Model Certification (CMMC) is here, and defense contractors need to be compliant with the new standard or lose valuable business.
That ultimatum has companies scrambling to get compliant, fast. And it has put a lot of pressure on compliance managers to get their arms around CMMC. If you’re in that boat, this article will help you figure out what you need to do to get CMMC compliant.
Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.
What Is CMMC?
CMMC is designed to protect important DoD information, called Controlled Unclassified Information (CUI) and Federal Contractor Information (FCI).
CMMC is based on NIST guidance, so you’ll notice several similarities with NIST SP 800-171 and DFAR 52.204-21. But even if you have some familiarity with NIST, that doesn’t mean CMMC will be a cakewalk. Learn as much as you can about the certification before diving into it.
A third-party assessor will evaluate your readiness based on the technical controls you’ve implemented, your documentation, and your policies. CMMC offers three levels of certification, determined by how secure you need to be for the work you’re providing and the information your organization possesses or is exposed to. The three levels are tiered, and each level builds on the one below it.
The higher your level, the more sophisticated and comprehensive your security readiness, and the more contracts you’ll be eligible for.
Do We Need to Be CMMC Compliant?
Every DoD contract is assigned to one of the levels, based on the sensitivity of the information the contractor will be handling. If you’re in the DoD supply chain, then your company needs to be CMMC compliant. Otherwise, you can expect to lose contracts.
Most companies in the DoD supply chain only need to achieve a Level 2 certification. If you’re already compliant with PCI or another robust standard, you’re probably well on your way to CMMC compliance at that level.
Level 2 is aimed at companies that receive, process, or create CUI. Level 3 requires the most advanced security practices available, and it’s usually reserved for organizations that handle “high value assets CUI.” If you don’t do anything related to CUI, but you’re in the DoD supply chain, then you’ll probably need to comply with Level 1.
So You Need to Be CMMC Compliant. What Now?
If you’re in the DoD supply chain, you’ll need to become certified under CMMC. That much is certain. But everything after that might seem as clear as mud. Here’s your path forward toward clarity.
Know your level
The very first thing you need to do is find out what level of CMMC your organization needs to be compliant with. A good place to start is simply asking the client that needs you to become compliant.
You could have several clients that need you to be Level 1 compliant, but one client that requires Level 2 certification. It’s important to know the highest level you’ll be required to meet.
Be sure to get it in writing, so you have a documented record at your fingertips.
Generally speaking, if you’re only doing low-level activities for your clients, work that isn’t particularly technical and doesn’t involve handling sensitive data, then you’ll probably fall into Level 1.
Each level has its own set of requirements that you’ll need to comply with. Make sure you’re targeting the right set, or you could be sent back to square one — which could cost you some clients.
Perform a gap assessment
Next, review the list of CMMC requirements for your level. This is essentially a gap assessment: it shows where you stand against the requirements today. Identify precisely what still needs to be done and which items are already covered.
When you’re done identifying the gaps, you’ll have one set of items that are done and good to go. The remaining items will be either not started or partially completed. This gives you a clear roadmap of what you need to do to achieve CMMC compliance.
Already you’re gaining clarity and the engagement is taking shape.
Fulfill the CMMC requirements
At this point, it’s a matter of going through each requirement and making sure you’re fulfilling it properly. On the one hand, it’s a fairly straightforward process; on the other hand, you’ll need to correctly understand how each requirement is meant to be fulfilled.
Plug any holes that the gap assessment revealed, and address any deficiencies that affect CMMC, for example, if you discover that you aren’t encrypting data properly.
Use Compliance Management Software
Don’t attempt to get certified under CMMC without using a holistic, end-to-end compliance management tool. Find one that automates and streamlines your entire CMMC engagement, from start to finish.
Having the right tool for a monstrous security standard can reduce man-hours by 50 percent and eliminate the vast majority of your sleepless nights.
TCT Portal is ideal for companies that need to be CMMC compliant. TCT Portal delivers real-time insights, common-sense organization, and automated functions, making it easier to manage the compliance standard, even if it’s your first time through it.
Even better, TCT Portal can also manage every other compliance standard you need to meet, and it can map common controls between your various compliance frameworks.
TCT Portal organizes your compliance engagement to give you clarity and order. You’ll know what needs to be done — by whom, when, and how. The platform includes all of the requirements, the requirements language, and additional reference materials — right at your fingertips.
Move forward with the framework and confidence you need to gain CMMC certification.
Hire a CMMC Consultant
Pair TCT Portal with a CMMC Consultant who can assist you with preparations for the assessment. Don’t try to go it alone — rely on someone who knows the lay of the land and can eliminate problems before they arise.
The difference between CMMC with a consultant and without one is like night and day. A good CMMC Consultant will make sure you’re fully prepared for your assessment so you can get through it with ease.
TCT knows a number of exceptional professionals who can assist you along every step of the CMMC journey. We’re happy to provide referrals to you (nothing in it for us, other than wanting to help clients in need). When you’re going through something as stressful as this — especially for the first time — it’s immeasurably valuable to have a guide who knows the terrain.
Tackle CMMC with Confidence
CMMC is an important certification that you need to take seriously. The DoD won’t give you a high-five for whitewashing it. They take this stuff seriously, and they expect you to, as well. If your business depends on being in the DoD supply chain, CMMC could impact the health and viability of your company.
But with the proper approach, you can make sense of CMMC requirements and create a streamlined workflow. Take the overwhelming task of managing a new standard and tackle it with confidence.