3 Steps to Start Your CMMC Plan| Hyper Vigilance

In this series—Building a CMMC Solution—we’ll be exploring the different steps and factors it takes to build a CMMC system security plan for businesses from the ground up. From getting started to testing and auditing, we’ll be walking through each step to help you as you prepare for your own CMMC audit process. 

The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity regulation rolled out by the US Department of Defense (DoD) to improve the information security of the defense industrial base (DIB). The goal of the CMMC is to replace the self-certified NIST 800-171 regulation with one that requires compliance certification by an accredited third-party auditor.

CMMC is still in its early stages, but the CMMC certification deadline will come faster than expected and the first auditors have been accredited and the CMMC “pathfinder” contracts have been identified. As the CMMC regulation ramps up and defense contracts begin requiring CMMC compliance as a prerequisite for bidding, companies must start working towards meeting the requirements of the new regulation as soon as possible.

Since CMMC is such a new regulation, it may be difficult to know where to start on the process. Here, we present three key steps to get you started building your CMMC system security plan and achieving CMMC compliance.

Step 1: Know What Applies to You

CMMC is designed to protect the confidential information entrusted to defense contractors as part of their contractual duties. An important distinction when determining the necessary level of CMMC compliance is the difference between two types of data that may be entrusted to an organization:

• Confidential Unclassified Information (CUI): CUI is information that is generated or held by a government agency. It must be protected in certain ways when it is disseminated to contractors. Safeguarding CUI is the top priority of CMMC. 
• Federal Contract Information (FCI): FCI is information that a defense contractor generates while fulfilling their contract. FCI is not intended for public dissemination.

FCI is a subset of CUI that does not require additional safeguards beyond blocking public dissemination. Properly safeguarded CUI requires either general safeguards (CUI Basic) or government-specified controls (CUI Specified).

The types of data that a contractor expects to have access to determine their required level of CMMC compliance. Contractors that only have access to FCI may only require Level 1 CMMC compliance, while any access to CUI requires Level 3 compliance at the minimum. Higher levels of compliance may be required based on the data entrusted to the contractor, their role on the contract, etc.

In general, any organization that participates in a defense contract requiring CMMC compliance as either the lead contractor or a subcontractor will require Level 1 CMMC compliance. Higher levels may be required based on the contractor’s role on the contract and the maturity of the CMMC program (the DoD plans to require higher levels of compliance over time).

Step 2: Establish What’s There

After identifying an organization’s target level of CMMC compliance, the next step in your CMMC system security plan is to begin determining the required scope of compliance. Any system on an organization’s network that might have access to FCI or CUI  must comply with CMMC regulations. Additionally, any system that provides security for segmentation of IT assets that processes CUI or FCI are also in scope and must comply with CMMC regulations.  For example, switches that are used to segment networks, firewalls to protect networks, antivirus that protects endpoints, etc.

Some questions to ask when determining an organization’s current posture with regard to CMMC compliance include:

• How many machines do you have? A basic asset inventory is essential to ensuring that systems are properly configured, updated, and otherwise compliant with the regulation. You can’t secure systems that you don’t know exist, and visibility and security gaps will show up during a CMMC audit.
• How are systems managed? A CMMC compliant organization must have policies and processes in place for managing their endpoints and network infrastructure. Without these processes and the automation to support them, it is difficult or impossible to effectively configure and manage an enterprise network.
• Where is your infrastructure? The modern enterprise is increasingly adopting cloud environments, and public and private clouds have very different security and compliance challenges. If systems are on-premises or in misconfigured cloud environments, this has a significant impact on usability, security, and regulatory compliance.

Read more: Cybersecurity Compliance Assessment

Step 3: Assemble Your CMMC Cybersecurity Team

Achieving and maintaining CMMC compliance requires access to several skill sets. Some major areas of expertise that an organization seeking CMMC compliance needs to have to build and execute your CMMC system security plan include:

• Regulations: Passing a CMMC audit requires the ability to demonstrate to an auditor that an organization’s existing security controls, policies, and procedures meet the requirements of the regulation. This requires a deep understanding of the CMMC regulation and how to operationalize its requirements.
• Security Policy: CMMC compliance above Level 1 requires documentation of controls, policies, and procedures. An organization needs a security policy writer with the ability to write and maintain policies that meet the regulation’s requirements.
• Security Technology: The CMMC requires an organization to implement various security controls to protect the CUI in its possession. Implementing and maintaining these controls requires security technologists who know how multi-factor authentication (MFA) and other security solutions work and how to implement them properly.
• Platform: Modern enterprise networks span on-prem, cloud, and remote environments, and performing the same task in each may require very different actions. Setting up CMMC-compliant security controls requires experts in each of the platforms that an organization uses.
• Project Managers: Starting up a CMMC-compliant security program requires coordination between policy writers, engineers, employee cyber-awareness training coordinators, and other stakeholders. Project managers are essential to ensuring that the process is successful and remains on schedule.

Achieving CMMC compliance requires access to a team with all of these skill sets, and many of them will also be necessary for the long term to maintain CMMC compliance. Staffing and retaining such a team in-house can be difficult and expensive. Partnering with a third-party compliance solution provider like Hyper Vigilance offers a more cost-effective, scalable, and sustainable alternative.

Getting Started Building Your CMMC Plan

Don’t let the CMMC certification deadline surprise you. The DoD has already defined the first contracts that will require CMMC compliance. Organizations wanting to bid on these contracts need to start the CMMC compliance process soon to ensure that they can achieve and certify their compliance in time.

Hyper Vigilance provides full-service support for organizations looking to deploy CMMC-compliant infrastructure. Instead of trying to hire and retain a team of specialists in-house, take advantage of our team and CMMC-compliant infrastructure to simplify and streamline your organization’s CMMC compliance. Contact us to get started today.