7 Steps to CMMC Compliance
A step-by-step guide to CMMC compliance.
7 Steps to CMMC Compliance Overview
Aerospace and defense contractors in the Defense Industrial Base looking to achieve CMMC compliance should be taking the following steps:
- Define Your Required CMMC Level
- Identify Assets for CMMC
- Choose a Technical Design For CMMC
- Implement Microsoft Government For CMMC
- Find a Managed Service Provider for CMMC
- Prepare and Document for CMMC
- Complete a CMMC Assessment
Step 1: Define Your Required CMMC Level
To start your CMMC compliance journey, you must first identify which level of CMMC your organization must adhere to. CMMC 2.0 is broken down into three levels:
- Level 1 (Foundational)
- Level 2 (Advanced)
- Level 3 (Expert)
CMMC 2.0 affects organizations supporting the Department of Defense in handling the following types of data:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) / Controlled Technical Information (CTI)
- ITAR or other export-controlled data
The level you need is determined by the type of data/information handled by your business. Identifying that level is the first step in your CMMC compliance journey.
Step 2: Identify Assets for CMMC
Under the current compliance mandates for the DoD supply chain, identifying assets and data in your existing IT environment can be a challenge because of the many places to which contract information (FCI) and sensitive data (CUI) can flow.
Some of the things to consider when identifying assets for CMMC:
- Data flow in and out of your current environment
- Finding where your FCI and CUI lives
- Maintaining control over the systems holding contract information/sensitive data
Step 3: Choose A Technical Design For CMMC
If sensitive data flows only to a small portion of your information system and can be easily isolated, then a cloud enclave could be an ideal technical design. However, if a large percentage of your assets are discovered to be within the CMMC assessment scope, the enclave approach should not be considered, and could potentially do more harm than good.
Aerospace and defense contractors should be asking themselves as well as their cloud providers the following questions:
- Does my cloud solution adhere to my contractual requirements?
- Does this solution provide the necessary protections for my applicable assets?
- Is my cloud provider and/or cloud application compliant?
Step 4: Implement Microsoft Government For CMMC
With the assumption that Microsoft Government Cloud is your platform of choice for CMMC, this blog will focus on implementing Microsoft 365 GCC and/or GCC High for CMMC.
Steps to implement Microsoft Government for CMMC:
- Choose your implementation plan (Lift and Shift or Enclave)
- Select the right Microsoft Gov licensing for your needs (GCC or GCC High)
- Migrate your existing IT environment and implement the appropriate CMMC solution
Step 5: Find A Managed Service Provider For CMMC
The right Managed Service Provider (MSP/MSSP) can be a critical component of your cybersecurity program and play a major role in your ability to pass a CMMC assessment. They provide a broad range of services that can help you manage and secure your IT infrastructure. MSPs/MSSPs are an important part of the DoD supply chain cybersecurity ecosystem, and selecting the right business to work with is essential to maintaining the security of your systems.
Questions to ask a prospective MSP/MSSP:
- Do they have a Shared Responsibility Matrix (SRM)?
- Is their SRM mapped to NIST 800-171A?
- Can they provide artifacts or proof for the items covered on the SRM?
- Do they have other DoD Contracting customers?
- Is their staff made up of US persons?
- Can they support you through a CMMC assessment?
- Do they have the SAWCE?
When selecting an MSP, it is important to consider their experience working with similar organizations, their technical capabilities, their business continuity plans, and their customer service policies.
Step 6: Prepare and Document for A CMMC Assessment
Failing to properly map CMMC documentation to the correct standards could result in a failed assessment and the loss of contracts for organizations in the Defense Industrial Base (DIB). Here are the two most common problems we see in improper documentation for CMMC:
- Companies don't believe that documentation is essential because policies and procedures are not explicitly specified in the practices
- Organizations look solely at the CMMC requirements (practices) and not at the assessment objectives listed in NIST 800-171A (110 practices vs. 320 assessment objectives)
Preparation for a CMMC assessment should include:
- Incorporating CMMC / NIST 800-171A into the System Security Plan (SSP)
- Updating infrastructure maps and data flow diagrams
- Generating asset inventory lists by category for CMMC Level 2
- Ensuring your self-assessment report and POA&M are completed for review
- Defining organizational responsibilities vs. those of your service provider
- Gathering URLs and screenshots evidencing FIPS 140-2 validation
Step 7: Complete a CMMC Assessment
Having a proper CMMC assessment completed is the final, and most critical, step in a company's journey to CMMC certification.
The CMMC C3PAO will likely provide a readiness checklist of items that will be reviewed to ascertain whether your team is prepared for a formal assessment.
The CMMC C3PAO readiness checklist will ask for items such as:
- Pre-assessment or formal CMMC Level 2 assessment
- The defined scope of assessment
- The chosen assessment initiation date
- The provision of contractual requirements
- Shared contact information and specific roles