Building a CMMC Solution: The CMMC Certification Process
In this series—Building a CMMC Solution—we’ll be exploring the different steps and factors it takes to build a CMMC and NIST cybersecurity strategy for businesses from the ground up. From getting started to testing and auditing, we’ll be walking through each step to help you as you prepare to go through the CMMC certification process
Check out the first three articles in our Building CMMC Solutions series:
Thanks to the previous articles in this series, you’re all set and ready for your CMMC audit. But what does the CMMC certification process actually look like? Today, we’re exploring the different stages of the CMMC certification process, what to expect, and how to prepare for your audit.
CMMC Certification Process
The CMMC standard mandates that DIB contractors seeking NIST 171 and CMMC compliance undergo a third-party audit by a CMMC Third-Party Assessment Organization (C3PAO) certified by the CMMC Accreditation Body (CMMC-AB). The CMMC-AB maintains a list of all certified C3PAOs on its marketplace listings.
After undergoing a readiness inspection and engaging a CMMC auditor from the list of authorized C3PAOs, you’re ready to begin the audit process. During this process, you can expect to undergo the following steps.
Planning and Scoping
The first stage of the CMMC and NIST 171 audit process is planning and scoping the assessment. When scoping the assessment, an auditor will likely look at the structure of the business and the organization’s IT infrastructure.
Many defense contractors have multiple lines of business, with only a part of the business actively engaged in defense contracts and subject to the CMMC regulation. A C3PAO should take this into account and focus assessment efforts on these business lines.
Similarly, only a fraction of an organization’s IT systems may have access to the confidential unclassified information (CUI) that the CMMC is designed to protect. If a clear boundary exists between these systems and the organization’s other IT assets, then only the assets within the boundary may be included in the assessment.
After defining the scope of the assessment and developing a plan for completing it, it’s time for the next step in the CMMC certification process; the C3PAO will perform the actual assessment. During this phase of the process, the auditors will determine how well the organization meets CMMC requirements for the level they are trying to attain.
This includes assessing an organization’s security controls, policies, and procedures. If an organization has undergone a CMMC compliance assessment and addressed any discovered issues, it should have all of the necessary documentation in-hand to demonstrate compliance to the C3PAO and pass the assessment.
After performing the CMMC compliance audit, the C3PAO will generate a post-audit report. This report will be shared with the CMMC-AB.
If an organization has passed the audit and the audit meets the CMMC-AB’s quality assurance standards, then the CMMC-AB will certify the organization as compliant. Otherwise, the organization will have the opportunity to remediate any shortcomings identified in its CMMC compliance.
Making Necessary Changes
If an organization doesn’t pass a CMMC audit, it doesn’t need to start over from scratch. CMMC allows for a 90-day remediation window in which an organization can fix any gaps identified in its security controls, processes, and procedures.
The report generated by the C3PAO will describe any identified compliance shortcomings, providing an organization with a roadmap to become fully CMMC compliant If the assessor agrees that the issues can be fixed within 90 days, then the organization will be given the opportunity to do so. If the gaps are closed within the remediation window, the CMMC-AB can review the case and grant certification of compliance.
CMMC Requirements to Have Ready
The goal of a NIST 171 or CMMC audit is for the C3PAO to determine whether or not an organization meets the requirements of their desired level of CMMC compliance. The more easily that an organization can demonstrate compliance with various NIST 171 and CMMC certification requirements, the more quickly and painlessly an audit can go.
For this reason, developing clear, comprehensive documentation is a vital part of the CMMC compliance process. During a CMMC audit, a C3PAO will primarily be looking at two documents provided by the organization:
- System Security Plan (SSP): An organization’s SSP provides the relevant details about an organization’s CMMC compliance strategy. This includes information about the personnel with access to CUI, the systems that it will be stored on, the processes and procedures for using and securing it, etc. Filling out the SSP as completely as possible is essential to achieving CMMC compliance.
- Plan of Action & Milestones (POA&M): Most companies are not natively compliant with all of the requirements of NIST 800-171 and CMMC. An organization’s POA&M outlines the places where an organization falls short of requirements and a plan for addressing these gaps. Since CMMC compliance requires all POA&Ms to be closed, an organization should undergo a compliance assessment and develop, complete, and close all POA&Ms before engaging a C3PAO for a CMMC assessment. During an assessment, new POA&Ms may be generated and must be closed within the 90-day remediation window.
Making the SSP and POA&M as clear and comprehensive as possible is essential to passing a CMMC compliance audit. It is also wise to have a copy of a report from a CMMC readiness assessment on hand to make it easier to point the C3PAO to relevant solutions and documentation when assessing various CMMC requirements.
Preparing for a CMMC Audit
The DoD’s new CMMC certification requirements represent a major break from past practice, as the CMMC has more extensive requirements than NIST 800-171 and compliance requires a third-party audit. Most organizations are likely to have compliance gaps that must be filled before the CMMC-AB will sign off on a compliance certification.
As a CMMC-AB accredited registered provider organization (RPO), Hyper Vigilance is accredited to help organizations through the process of preparing for a CMMC audit by a C3PAO. Contact us to learn more about how Hyper Vigilance can help with identifying CMMC compliance gaps and closing them with our secure managed IT solutions.