Tips for preparing for Cyber Security Maturity Model Certification (CMMC)?

CMMC
Written By Ross Seay

CMMC – How do I get started?

Maverc will be posting several articles and the latest news with guidelines on getting ready for CMMC, a new cyber security standard for defense contractors on our blog. Let’s start with an summary of CMMC and how to get started with piloting the certification process.

What is CMMC

CMMC stands for Cyber Security Maturity Model Certification and it is replacing NIST 800-171 as the cybers security standard for associates of the Defense Industrial Base (DIB). Until CMMC is fully implemented, NIST 800-171 will still be the obligatory standard, and companies are encouraged to be in compliance with NIST 800-171 until they are compliant with CMMC.

The big distinction is that NIST 800-171 permits contractors to self-attest to their compliance while CMMC involves third-party verification of compliance. Also, NIST 800-171 includes 110 controls for all contractors regardless of the products and services they provide while CMMC includes five possible levels of cyber security maturity that contractors may achieve, starting with just 17 required controls to achieve level 1.

Therefore, for businesses that only need to comply at level 1, it will be a reprieve compared to trying to comply with NIST 800-171’s 110 controls. Also, the 17 required controls for Level 1 are mostly concentrated on cyber hygiene and less challenging to achieve than the more superior controls required by higher levels. The next lesson will focus on Levels 1 and 2 of CMMC.

Who is Who?

There are large number of acronyms related to CMMC – a few important ones include OSCs, CAs, RPs, RPOs and C3PAOs

OSCs
Organizations Seeking Certification (OSCs) are DIB contractors considering to be certified. OSCs need to start with an understanding of the sensitivity of the data they handle on projects completed for DoD contracts. OSCs should acquaint themselves with what might be categorized as Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and Controlled Technical Information (CTI) as a preface point. We will review each of these classifications in additional detail later but for now, it’s important to recognize how they affect your required level of maturity. If you only handle FCI, then you will just be required to comply at Level 1. If, however, you also handle data labelled as CUI, then you must comply at Level 3.

Developing an understanding of both FCI and CUI  and what type of data falls into each category figuring out whether with either is present in your system is a great place to start your compliance journey.

Certified Assessors, Registered Practioners and Consultants
The CMMC accreditation board has been diligently working to develop training for individuals that desire to partake in assisting companies through the assessment process. Certified Assessors (CAs) will perform the assessments of organizations seeking certification OSCs that will result in a approval to the C3PAO and then the CMMC accreditation board on whether the OSC should receive certification

.
Registered Practitioners (RPs) are individuals who have been taught to help companies prepare for the assessment. RPs will walk companies through a evaluation of their policies, procedures, existing and necessitated technologies, and provide suggestions for configuration changes and other process and policy enhancements that will push the company towards a prosperous certification.

Advisors with prior NIST 800-171 or other linked experience, who do not hold the RP certificate from the CMMC-AB may also assist an OSC prepare for CMMC. Also, an individual who is a CA may deliver consulting guidance to an OSC. It is very important to understand, however, that anyone who aids an OSC in preparation for a CMMC assessment can NOT be a part of the official assessment team. In fact, no one from the associated company can partake in the assessment process as it has been deemed a conflict of interest by CMMC-AB. A conclusion on this subject is that individuals may make request for and obtain training as both a CA and an RP but again, that individual cannot offer both services to the same customer.

System Security Plan (SSP ) and Plan of Action and Milestones (POA&M)
Okay so you’ve figured out whether you have FCI or CUI or both or neither and you have made a choice concerning whether you need assistance obtaining an readiness for an assessment. What do you do now?

If you don’t already have one, you should create a System Security Plan (SSP), to fingerprint changes and enhancements to your security posture. Basically, any major updates, investments and remediations should be chronicled and examined by the appropriate personel within your company. Employees who work on cyber security, any documentation of policies and procedures, network diagrams, administrative roles and other applicable cyber security information should be documented in your SSP. For the purposes of NIST 800-171 and/or CMMC, the SSP must also include specific details regarding handling of FCI, CUI and CTI.

The Plan of Action and Milestones, (POA&M), is your shopping list of things that must be done going forward. A POA&M should include due dates and task allocations to people within your organization in order to be the most effective. Also, as items are completed, it is important to update both the POA&M and the SSP. The definitive objective for the limited scope of CMMC is to have a robust SSP and zero items on your POA&M.

So that’s a quick overview at a high level of the overall progression involved. In the subsequent chapter we will dive in a bit more on Levels 1 and 2 and what you can and cannot do with those certifications. Thanks for reading and see you soon.





 

Ross Seay
Previous

MAVERC selected to provide CMMC remediation and consulting services to Manufacturers in the state of Virginia
Next

In the Cyber Trenches: Threat hunting for Windows Authentication Attacks