December 1, 2022 Cybersecurity Knowledge Center

The Fundamentals of Cybersecurity Maturity Model Certification: What You Need to Know to be CMMC Compliant


If you work for an organization that’s a part of the Defense Industrial Base (DIB), or for any manufacturing company for that matter, you’ve likely heard of Cybersecurity Maturity Model Certification (CMMC) compliance. Although you may be familiar with the term, you may not be entirely sure what CMMC is and what it means for your business, so SUCCESS has outlined the basic principles to help you start your journey to compliance.

What is Cybersecurity Maturity Model Certification (CMMC)? 

CMMC compliance is a set of security standards that organizations must meet to be qualified to accept supply chain contracts from the Department of Defense (DoD).  

You may then wonder how CMMC applies to your business. And it’s a fair question, especially if you’re a smaller manufacturing organization that doesn’t directly receive contract work from the government. But the bottom line is, if your business falls anywhere on the DoD supply chain, you may be accountable for meeting one of three levels of compliance based on the following qualifications: 

CMMC Key Takeaways
  • Your compliance level depends on the information you receive through government contracts and is determined to be either: 
  • Your organization will want to be compliant by May 2023. 
  • These documents and tools will help determine where you are in your compliance journey: 
    • POAM: Plan of Action and Milestones 
    • SPRS: Supplier Performance Risk System 
    • SSP: System Security Plan 
    • SIEM: Security Information and Event Management 
  • To get started, schedule a security consultation and receive a free network assessment. 

Level 1: Your organization is allowed to see Federal Contract Information (FCI) from the government. To achieve level 1 compliance, you must meet 17 security controls to see FCI but can self-attest that you are meeting them. No outside audit or assessment is required.  

Level 2: Your organization generates or receives contract work that contains Controlled Unclassified Information (CUI), or information that is not considered confidential but also cannot be seen by the general public. To achieve level 2 compliance, organizations must meet 110 security controls and be assessed by a registered auditor. 

Level 3: Your organization is considered a ‘Prime’ (a large manufacturing company such as Boeing or Northrop Grumman) and receives or generates CUI deemed most critical to national security. To achieve level 3 compliance, you must meet the 110 security controls required for level 2, as well as additional expert controls yet to be determined by the DoD.

When do I need to be CMMC compliant? 

In short, by May of 2023, at the earliest. As of now, CMMC requirements are in the rulemaking process and are currently being reviewed by lawmakers, with an anticipated publication date of March 2023. In addition, there will be a 60-day feedback period before CMMC requirements start making an appearance on new contracts. 

However, it’s never too early to get started. The process can take a minimum of six to nine months, so it’s in the best interest of your business to start working to comply with CMMC standards now, while there’s still time to work with your IT provider to confirm you’re meeting all necessary controls before you need to seek out an auditor for an assessment.  

How do I know if I’m on track to meet compliance standards?  

CMMC follows the NIST 800-171 framework, which consists of security controls including, but not limited to, security assessment, risk assessment, identification and authentication, and incident response. In order to know if your organization is meeting the controls of NIST 800-171, the following documents and tools will help identify where you are in your compliance journey: 

  • Plan of Action and Milestones (POAM): a document that outlines the steps your organization is taking to address any gaps in your security and how you intend to resolve them.  
  • Supplier Performance Risk System (SPRS): an online application that reveals your past performance as a supplier with a score between -120 and +110. Your SPRS score must be at +110 before you are considered ready to request an official audit.  
  • System Security Plan (SSP): a document that details your network plan, as well as how data flows through your network. Your SSP should also define who is responsible for accessing protected information and what the expectations are for those who have access.  
  • Security Information and Event Management (SIEM): a tool that offers threat detection, investigation, and alerting capabilities and can also be used to store logs and analyze reports. 

Additionally, if your organization is accountable for meeting level 2 compliance or above, you’ll need to seek out a registered organization, a CMMC Third-Party Assessor Organization (C3PAO), to perform your assessment at the appropriate time. There are few C3PAOs compared to the high volume of organizations in need of an assessment, which is another reason it’s essential to begin the process sooner rather than later.

How do I get started? 

The best way to get started is to partner with SUCCESS, of course! Our security experts recommend starting with our standard CIS assessment, which identifies where your organization’s security stands in relation to the controls set by NIST 800-171. From there, we work to manage the gaps in your security framework that still need to be addressed for you to be fully compliant with CMMC.

Ready to take the first step on your journey to compliance? Schedule a security consultation today and receive a free network assessment.