Preparation for CMMC Certification
The CMMC combines security controls from NIST 800-171, NIST 800-53, ISO 27001, ISO 27032, DFARS 252.204-7012, and FedRAMP to build a single maturity model based on current frameworks and standards. The CMMC also refers to the Federal Acquisition Regulations System, which outlines basic security controls for securing CUI that must be followed by all enterprises under the CMMC. The CMMC organizes these cyber practices and activities into five stages of cumulative maturity, ranging from basic cyber hygiene to advanced security operations.
Even though full implementation of CMMC certification will take approximately five years, businesses should begin certification efforts as soon as possible. Developing policies, implementing solutions, and making essential modifications all take a long time. Your organization should expect at least six months of preparation to reach compliance, depending on your current environment and level of cyber hygiene. With the Department of Defense expecting to issue recommendations requiring CMMC compliance by the end of the year, there is no time to waste in preparing for certification.
To begin working on CMMC certification, your organization should:
- Determine which CMMC level your firm aspires to achieve, and begin researching the cyber hygiene criteria required for compliance.
- Begin developing a budget for CMMC compliance, taking into account the costs of improving security standards, changing policies, leveraging applications, hiring a third-party assessor, and any other steps.
- Configure your existing security environment to meet the standards of NIST 800-171; contractors who have implemented all controls should be able to achieve CMMC Level 3.
- Create a Plan of Action and Milestones (POA&M) to assure ongoing compliance with NIST 800-171 and current contracts, as well as to set timelines and resource needs.
- While CMMC compliance cannot be obtained until C3PAOs and independent assessors are accredited, you can begin planning for an initial readiness assessment with a competent cybersecurity consulting firm such as Focal Point.
- Keep up to date on the newest CMMC developments by checking the DoD’s website regularly.
The CMMC is the Department of Defense’s first attempt to establish explicit cybersecurity rules for its contractors and ensure that they are implementing the proper level of security before handling sensitive defense information. Although the CMMC is still in its early stages, your organization should begin preparing for certification now by learning about its standards, seeking advice from compliance professionals, and aligning security controls and policies with its framework.