5 Essential Tips to Meet CMMC Requirements


Zac Amos, Features Editor at ReHack

Friday, January 20, 2023

Cybersecurity teams already juggle a long list of compliance regimes. If your company wants to work as a government contractor, CMMC is one more to add to the list.


As assessments begin, it is critical to understand how to meet CMMC requirements so you can pass on the first try. Meeting them not only verifies a company's security practices, it also solidifies a competitive advantage.

What is CMMC compliance and why is it important?

CMMC stands for Cybersecurity Maturity Model Certification. The United States Department of Defense (DoD) is making it a requirement for contractors in the Defense Industrial Base (DIB). The framework is in its second revision, CMMC 2.0, and the DoD is preparing to administer assessments for official certification.

CMMC measures how well a contractor protects controlled unclassified information (CUI) and federal contract information (FCI). Contractors must understand the handling rules for government information based on its designation. FCI is information provided by or generated for the government under a contract that is not intended for public release; CUI is information that requires safeguarding or dissemination controls under law, regulation or government-wide policy. Because the two categories carry different obligations, CMMC tests a contractor's practices across access control, incident response, training and other control families, not just perimeter defense.

Contractors were previously covered by the Defense Federal Acquisition Regulation Supplement (DFARS), whose clause 252.204-7012 required them to self-attest that they had implemented NIST SP 800-171. Criticism of self-attestation led to CMMC, which aims to be more comprehensive while keeping costs manageable. It is also easier to verify how well contractors adhere to it over time, because CMMC adds independent assessment and recurring affirmation, which the DFARS clause alone did not provide.

Because the DoD is making CMMC a blanket requirement, a company without the appropriate certification will not be able to bid on contracts that require it. A company that chooses not to pursue CMMC will have to find other sources of revenue.

Starting now matters because there are perks to adopting CMMC early. The final rule isn't expected until 2023 or 2024, but that doesn't stop companies from lining up and beginning assessments.

What tips are there for meeting CMMC requirements?

The framework is still under construction, so some details remain undecided. There is still enough information available to build a strategy now.

1. Know the levels

CMMC 1.0 defined five levels; CMMC 2.0 reduces them to three. Each has a distinct purpose, and knowing them beforehand will make the process go more smoothly:

  • Level 1 (Foundational): an annual self-assessment against the basic safeguarding requirements of FAR 52.204-21, which cover FCI, with an annual affirmation by a senior company official.
  • Level 2 (Advanced): the 110 security requirements of NIST SP 800-171, which cover CUI. Assessment is primarily performed by a CMMC Third Party Assessment Organization (C3PAO).
  • Level 3 (Expert): adds a subset of NIST SP 800-172 requirements on top of Level 2 and is assessed by the government. The specifics are still under evaluation.

Not every DIB company needs every level; the level you need is set by the contracts you pursue and by whether you handle only FCI or CUI as well. Based on that target, identify the gaps between your current practices and the requirements for that level and begin closing them.

2. Get an interim assessment

Interim assessments happen before the official certification process starts. They began as a response to urgent demand: the pressure to protect government information did not wait for the final rule, so the DoD opened a voluntary path for contractors to be assessed early.

Receiving an interim assessment could carry incentives that are still being finalized. Early interim assessment-takers will also have their results honored for three years after the final rule is published, meaning companies could hold onto their certification longer than a standard cycle would allow.

3. Familiarize yourself with NIST 800-171

One unintentional incentive is that the assessment may be more straightforward if taken early. CMMC Level 2 is assessed against the current version of NIST SP 800-171, and a new revision of that publication was already in progress at the time of writing, so future revisions could make the assessment more demanding. Implementing NIST SP 800-171 is the cornerstone of putting the necessary security controls in place and passing the audit. Its companion publication, NIST SP 800-171A, lists the assessment objectives an assessor checks for each requirement, so use it to verify your own implementation before the assessor does.

4. Create POAMs and know the deadlines

The official compliance deadline has yet to be set because the rule is not finished. Another deadline to watch is remediation. The assessment process permits recovery from shortfalls through a Plan of Action and Milestones (POA&M), though CMMC 2.0 limits which requirements may be deferred this way, so do not plan on a POA&M covering every gap.

If you fall short on a requirement, the assessors will record the gap and ask your organization to document how it plans to fix it. Remediation and reassessment of the POA&M items must happen within 180 days of that decision for certification to proceed.

5. Keep records of everything

Providing documentation to your assessors will make the process go more smoothly. It can be any relevant evidence: risk assessment reports, the system security plan (SSP), or records of the training employees completed. The SSP in particular is itself a NIST SP 800-171 requirement (3.12.4), so it should exist and be current before the assessment begins. Whether CMMC explicitly requires a given document matters less than the fact that every piece of evidence helps the assessor confirm your practices are actually in place.

Obtaining CMMC compliance is essential

There appears to be plenty of time to adjust operations and complete assessments before the deadline, but it is less than it looks. The process is thorough and time-consuming, so the best time to start is now.

Early adopters of CMMC gain an industry advantage. Keeping your staff current on cybersecurity practice and your controls aligned with NIST SP 800-171 puts you in the best position to meet CMMC requirements, which is crucial for winning and keeping DoD work.

Zac Amos

As the Features Editor at ReHack, Zac Amos writes about cybersecurity and the tech industry.

Comments


10/04/2023 Matt Palguta CISSP, GICSP, PMP, CMMC Provisional Assessor #0070
Great advice to be familiar with the security practices in NIST 800-171. There is a companion document, 800-171A, that lists the assessment objectives. These are the bullet points under each practice that an assessor will verify. Also included are a narrative about the practice and examples.