Five Steps to DoD’s Cybersecurity Maturity Model Certification (CMMC)

By Angela Dingle on August 10, 2020

 

In the past five years, cyberattacks and data breaches have become more sophisticated and more prevalent. No public or private sector entity is immune to a cyberattack – including the federal government and its host of supporting contractors.

 

For the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is its response to securing the 300,000 or so companies that make up its supply chain. Katie Arrington, Chief Information Security Officer (CISO) at the Office of the Undersecretary of Defense for Acquisition and Sustainment has done a great job of keeping contractors informed. The CMMC-AB has laid out a roadmap for how they intend to get us there.

 

While COVID-19 has had a devastating impact on the economy and caused businesses to pivot, it has not delayed the Pentagon’s push to implement CMMC. According to Ms. Arrington, DoD’s efforts are still on track and “defense contractors should still expect to see new CMMC requirements in Requests For Proposals (RFPs) issued in November.”

 

Many contractors were caught off guard with the release of the 8(a) Streamlined Technology Application Resource for Services (STARS) III solicitation. The General Services Administration’s (GSA) decision to include a CMMC and Supply Chain Risk Management (SCRM) assessment in the RFP is forward thinking and a clear signal that “other Federal agencies are actively watching, exploring, and/or considering adoption of CMMC.

 

This is the wave of the future and has proven to be a viable approach for the government as a whole. Sooner rather than later, contractors that lack the appropriate CMMC level will become ineligible to compete for certain contracts. Now is the time to get ready. For contractors looking for a path forward, here are key steps to get you started.

 

1. Understand Your Responsibilities for CMMC

 

Start by reviewing your existing contracts to determine what level of certification you will be required to achieve. For example, Federal Acquisitions Regulation (FAR) Clauses 52.239-1, 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012 define the type of information that requires protection and the level of safeguarding that you are required to achieve.

 

Determine what, if any, Controlled Unclassified Information (CUI) is being collected, stored, used, or transmitted on company information systems, as well as which company information systems will be assessed. Knowing this information will also assist you in the collection and preservation of information (e.g., records and other forensic evidence) related to cyber incident reporting requirements.

 

If you do not currently hold DoD contracts, it is a good idea to target Level 1, which requires a basic set of cybersecurity practices. If you have started practicing good cyber hygiene but have not implemented a formal cybersecurity program, you may want to target Level 2. If you are a current DoD contract holder and process CUI, you should target Level 3. If you handle sensitive information up to classified data, you may want to target a Level 4 or 5 certification.

 

2. Assess Your Risk

 

Next, you need an understanding of the gap between where you are now and what you need to meet CMMC requirements for your target level. The best way to do so is to conduct a readiness assessment. This is where some businesses tend to cut corners. The CMMC Model makes clear that it is an assessment of both the institutionalization of processes and the implementation of practices for a specific CMMC level within your company. In other words, it is not just a checklist. Ultimately, you should look to an independent third party to conduct your readiness assessment as it will give you an unbiased assessment of your risk.

 

If you have begun implementation of one of the available information security standards like International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 or General Data Protection Regulation (GDPR), congratulations, you are on your way! You will want to create a crosswalk between the security controls in that framework and CMMC to align the programs and avoid duplication of effort.

 

CMMC and other cybersecurity regulations will have a direct impact on your subcontracting and purchasing decisions, so while you are at it, be sure take a look at your subcontractors, vendors, and partners that make up your supply chain. You can use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161 and GSA Section 889 as guidelines.

 

3. Implement Security Controls by CMMC Level

 

By now, you should have a good sense of what CMMC level you are targeting and which security controls you need to implement. Your next step is to create a System Security Plan (SSP). It is a key component of any formal information security program and should provide a detailed description of how each security control has been implemented.

 

If you are targeting Level 2 or above, you will need to create documented policies and procedures for each of the security controls. Be mindful of creating generic documentation that doesn’t get to the heart of how you have implemented a security control. The penalties for a cyber incident can be costly and your failure to adequately safeguard government information can result in a breach of contract.

 

If you haven’t already created a Plan of Action and Milestones (POAM), now would be a good time to document any security controls that you were unable to implement as well as any vulnerabilities that have not been resolved.

 

4. Mind the Gap

 

Once you have a POAM, your next step on the path to CMMC readiness is pretty simple. You should be laser focused on eliminating and/or mitigating each of the vulnerabilities identified in the POAM. You will need to close this gap between the current state of your information security program and where you need to be to achieve CMMC.

 

5. Establish a Formal Governance Program

 

An effective cybersecurity program can give you a competitive advantage. However, you need a governance framework to continuously monitor risk, manage your supply chain and report cyber incidents. The days of self-attestation are gone. Now is the ideal time to create a roadmap to CMMC certification. Regardless of the level you target, it would be prudent to review the NIST SP 800-171 guidelines so you can make informed decisions.

 

The key to successfully navigating the path to CMMC is to ensure you understand how the program will impact your business. By following these steps, you will be well on your way. Getting to CMMC is not something that will happen overnight. It takes time, technology, and talent to implement an effective cybersecurity program. Over the past fifteen (15) years, I have implemented Information Security (InfoSec) programs for hundreds of federal information systems. The shortest timeframe I have been able to do so is six (6) months. Don’t wait until CMMC shows up in the next RFP before you get started on the path to readiness!

 

To learn more about CMMC and cyber readiness, be on the lookout for Angela’s appearance on our next installment of The New Normal in Government Contracting with our President & CEO, Courtney Fairchild.

For assistance with your cyber readiness needs, please reach out to Angela at [email protected].

For assistance with all your procurement needs at this time, please reach our to our GovCon experts at [email protected].

 

About Angela Dingle

Angela Dingle is President and CEO of Ex Nihilo. An award winning business owner, she is Certified in the Governance of Enterprise Information Technology (CGEIT) with 20+ years of experience in information technology, governance, cyber security, critical infrastructure protection, strategic planning, leadership, and process improvement. A proven leader, excellent communicator, and fact-based problem solver, Ms. Dingle has led the design, implementation, and approval of information security architectures necessary to achieve confidentiality, integrity, and availability requirements. As a Subject Matter Expert (SME), Ms. Dingle serves as a speaker on topics related to cybersecurity and women in leadership at local, national, and international forums.

 

Ex Nihilo Management, LLC

Ex Nihilo is a trusted advisor in the public and private sector, providing objective IT governance, risk management, and compliance services based on a thorough understanding of customer requirements and deep systems integration experience. We provide the expertise and training necessary to ensure compliance with a variety of regulations, policies, and directives governing the acquisition, development, and deployment of information systems throughout the enterprise such as FedRAMP, FISMA, FITARA, Clinger-Cohen, NIST, CMMC, COBIT, ITIL and ISO/IEC 27002.