CMMC Requirements Checklist

Any contractor or subcontractor in the supply chain of the Department of Defense must adhere to strict data compliance guidelines through CMMC certification. This article will detail the CMMC requirements checklist needed for a business to work in the Defense Industrial Base (DIB).

CMMC Overview

The U.S. Department of Defense (DoD) must ensure that the companies they contract with have strong cybersecurity measures in place to protect critical national security data they work with or handle. To ensure companies have adequate cybersecurity measures in place, the DoD has established the Cybersecurity Maturity Model Certification (CMMC) at levels that differ based on the sensitivity of the information that companies handle.

All companies contracting with the DoD must achieve and maintain the CMMC level appropriate to the sensitivity of the information they handle. To obtain CMMC certification, defense contractors must be prepared for a months-long process and must understand the security requirements for controlled unclassified information at their target maturity level. Here is what defense contractors and subcontractors should know about CMMC 2.0, along with a checklist to follow to keep your company on the road to compliance.

What Are CMMC and CMMC 2.0?

The Department of Defense announced the Cybersecurity Maturity Model Certification (CMMC) in 2019 and updated it in 2021. These are cybersecurity models for defense contractors and subcontractors that the Department requires to protect federal contract information (FCI) and controlled unclassified information (CUI) that the Department shares with them through acquisitions.

CMMC 2.0 is aligned with National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) security requirements. Contractors and subcontractors across the DoD supply chain must achieve certification and meet the criteria for their specific maturity level to continue working with the DoD.

While the original CMMC was divided into five maturity levels, CMMC 2.0 has collapsed them into three. Companies certified at Level 2 or Level 3 must meet the criteria of each lower level as well as their own. Since all new DoD contracts are expected to mandate CMMC compliance by 2026, companies should begin working toward full compliance now. Here is a checklist of steps toward compliance and full CMMC certification.

CMMC Compliance Checklist

If your organization is preparing for CMMC certification, you must achieve full compliance by the time you submit your application. Following this checklist can place your company on the right path and help to prevent omissions that could result in a denial.

1. Understand Your Requirements

The first step toward CMMC certification is to understand the requirements you must meet for the certification level that matches the type of information your organization handles. The new framework defines the following three CMMC maturity levels for cybersecurity:

  • Level 1 – Basic cyber hygiene required of all DoD contractors and subcontractors, consisting of 17 required practices and an annual self-assessment
  • Level 2 – Advanced cyber hygiene consisting of 110 required practices aligned with NIST SP 800-171, with triennial third-party assessments for critical national security information
  • Level 3 – Expert cyber hygiene consisting of more than 110 required practices aligned with NIST SP 800-172, with triennial government-led assessments

Reviewing what is required and what you are trying to achieve is a critical initial step for achieving certification and maintaining your organization’s compliance once you receive CMMC certification.

2. Assess Your Data

The next step is to review all of the data you hold in your various IT systems to understand which is considered controlled unclassified information (CUI) covered by CMMC 2.0. CUI includes a broad range of information, such as:

  • Intellectual property
  • Tax information
  • Enforcement actions
  • Legal processes
  • Sensitive information
  • More

Take time to identify the information that must be brought into CMMC compliance.

3. Identify Stakeholders

Early in the process, identify the stakeholders tasked with handling various aspects of your organization’s initiative, including the parties in charge of execution, maintenance of activities, funding, oversight, and sponsorship. This can include identifying a registered provider organization (RPO) that can assist your organization in achieving compliance.

4. Build on Existing Frameworks

The next step is to review the frameworks your organization already uses to see whether you can build upon them. The DoD developed the original CMMC framework and CMMC 2.0 from pre-existing federal cybersecurity standards with overlapping principles, including the NIST Cybersecurity Framework, several other NIST publications, and the CERT Resilience Management Model, among others.

Existing work against the following standards and programs can help your organization through its transition to CMMC certification:

  • NIST SP 800-171
  • ISO 27001
  • Federal Information Security Modernization Act (FISMA)
  • FedRAMP

Review any existing frameworks your organization has in place and see how they overlap with the requirements you are striving to achieve.

5. Become Compliant With NIST SP 800-171

Becoming fully compliant with NIST SP 800-171 is the core of CMMC 2.0 compliance if your goal is Level 2 or Level 3 certification. Level 2 certification incorporates the 110 practices of NIST SP 800-171. Level 3 requires all of these practices plus 20 additional practices aligned with NIST SP 800-172. Therefore, achieving compliance with NIST SP 800-171 places your organization well on its way toward both Level 2 and Level 3 certification.

Meeting the 110 controls found in NIST SP 800-171 can take your organization a year or longer. However, since all companies will need to achieve certification by 2025 or 2026, it’s important to get started as soon as possible.

6. Work With an Assessment Organization

Working with a security assessment organization can help your company remain on track as it works toward CMMC certification. A third-party organization can review your cyber hygiene and identify gaps that must be closed to achieve and maintain compliance. You can also use risk assessment guides from the DoD to understand the requirements you will need to meet and to identify changes that should be made to your current security protocols.

7. Documentation and Updates of Your System Security Plan

Under NIST SP 800-171, you must document and maintain a system security plan (SSP) for each in-scope system. The SSP should describe how the system relates to other systems within your organization, include a diagram of your network, and identify any open compliance issues.

8. Draft a Plan of Action With Milestones

Drafting an action plan with milestones to achieve along the way helps keep your organization on track as it moves toward achieving full compliance. An action plan can also help identify if your company goes off track so that you can take immediate remediation steps to bring it back in line with your goals.

9. Conduct a Gap Analysis

Once you understand your requirements, review your security program to identify its gaps and weaknesses. To achieve certification, you will need to implement advanced security practices, and most defense contractors and subcontractors will find significant gaps that must be closed to become CMMC compliant. Beyond closing the gaps, you must also show that you meet the requirements through ongoing, consistent practice.

A CMMC Third-Party Assessment Organization (C3PAO) will likely want to see several types of evidence that your company consistently meets its obligations, including evidence obtained through testing, interviews, and documentation. Having this evidence available and organized helps demonstrate your organization's compliance and the maturity of its processes. When you undergo third-party assessments later, being organized and prepared can also make the audit process much faster and less expensive.

Carefully review the 17 controls for CMMC Level 1 and the 110 controls for CMMC Level 2 and compare them to your existing cybersecurity controls to see where your gaps are. Then create policies to address the gaps and update your procedures to close them. When your company undergoes an assessment, this will help show your process and how procedures are communicated within your organization.

10. Maintain a Central Documents Repository

Maintain all documents and policies as they are updated in a central repository so that assessors can review your process. Having a central repository can make it much easier to demonstrate the maturity of your approach and simplify the assessment process.

11. Conduct Practice CMMC Assessments

As your organization moves toward full compliance, schedule regular practice CMMC assessments to measure your progress and identify the next steps to take. Practice assessments can also surface remedial actions needed along the way to correct errors and verify that your organization is meeting the DoD's requirements.

Achieving CMMC certification might seem like an insurmountable goal for government contractors, but it can be accomplished if you break the process down into digestible and actionable steps. The key is to start preparing now so that your organization will be in the best position to achieve full compliance within the next couple of years. To learn more about security risk management and the CMMC certification process, contact us today.