Five Steps in Your CMMC Compliance Checklist

CMMC is coming in 2021. Take care of these five steps on your CMMC checklist to get ready.

Governmental data around the world has been under increasing attack from threat actors. Look no further than the stunning SolarWinds supply chain attack in late 2020 to see just how determined, sophisticated, and subtle these hackers can be. It’s no surprise that governments, including the U.S., are responding to cybersecurity threats with increased regulations.  

While organizations may be aware of long-standing frameworks and certifications such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA), there is a new regulation on the block that has organizations of all sizes asking questions: the Cybersecurity Maturity Model Certification (CMMC). 

Since the U.S. Department of Defense (DoD) published version 1.0 of the model in January 2020, organizations have been working to understand CMMC, the five levels of the framework, and how it applies to their businesses. For organizations not familiar with federal frameworks, CMMC can be a head-scratcher, even with the official CMMC FAQ. 

While many questions have yet to be answered and the final framework is not expected until later in 2021, organizations can create a CMMC compliance checklist and prepare for the final rule. Not only can they, but they should, because CMMC certification requires every practice at the target level to be fully implemented at the time of assessment. Unlike NIST SP 800-171, CMMC does not allow open plans of action and milestones (POA&Ms) to stand in for unimplemented practices, so organizations preparing for CMMC have little wiggle room for error. Read on to get prepared. 

1. Assess Your CUI 

One of the best things you can do to prepare for CMMC is understand your data and identify which data is subject to CMMC. 

The CMMC model is intended to protect controlled unclassified information (CUI) in non-federal IT systems (Level 1 also covers the more basic safeguarding of federal contract information, or FCI). Per the National Archives, CUI covers a multitude of different types of information, such as: 

  • Sensitive intelligence information 
  • Patents and other intellectual property 
  • Tax-related information 
  • Information related to legal actions and law enforcement
  • And much more 

The CMMC’s focus on CUI in non-federal systems is a crucial distinction, as many organizations hold pre-existing authorizations such as FedRAMP and FISMA, and, as such, their systems (or parts of their systems) may be classified as federal.  

However, it’s important to note that even organizations with FedRAMP and FISMA authorization to operate (ATO) may still have CUI that is subject to CMMC.  

For example, your organization may: 

  • Generate derived CUI, which is new CUI created based on how your organization works with existing federal data 
  • Store, transfer, or process designated CUI in systems that don’t fall under FedRAMP or FISMA 

This is why a holistic analysis of your organization’s systems is crucial. Understand what data is subject to CMMC and right-size your approach to bringing that data under full compliance before submitting for CMMC certification. 

2. Leverage other Federal Frameworks 

The DoD and the CMMC Accreditation Body (CMMC-AB) are exploring the possibility of reciprocity with other frameworks. However, this concept is still in the preliminary stages of discussion, and organizations can’t assume that compliance with existing frameworks or regulations will be accepted in lieu of CMMC. 

That said, organizations seeking CMMC certification should consider how best to leverage existing frameworks. CMMC was developed from various other existing frameworks, and there is overlap between its criteria and that of others, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), several NIST special publications (notably SP 800-171 and SP 800-53), the CERT Resilience Management Model (RMM), and more. Because CUI flows through many parts of an organization’s IT systems, work already done under an existing cybersecurity framework can give organizations a leg up. 

Some of the certifications that could ease the transition to CMMC in part or in whole are: 

  • ISO 27001: A rigorous international standard for information security management systems, focused on ensuring that organizations manage information according to best practices and industry standards. 
  • FISMA: A U.S. law that regulates how U.S. federal agencies (and the organizations that work with them) securely manage and process data.
  • Risk Management Framework (RMF): Published by NIST as SP 800-37, the RMF is a process for selecting, implementing, assessing, and authorizing the controls an organization needs to manage risk when handling federal data. 
  • FedRAMP: A U.S. government-wide program, built on the RMF and the NIST SP 800-53 control baselines, that authorizes cloud service providers to work with U.S. federal agencies. 
  • NIST Special Publication 800-171 (NIST SP 800-171): A special publication that specifically details the requirements for protecting CUI in non-federal IT systems (more on this below). 

Again, none of these certifications, regulations, or frameworks guarantee compliance with CMMC. Depending on how your organization uses CUI, portions or all of your organization may be subject to CMMC anyway. However, if you are already pursuing ISO 27001, FedRAMP, or FISMA compliance, now is a good time to review the reach of those efforts with a trusted auditing and assessment firm to determine any overlap with CMMC and the potential for reciprocity. Plus, those with experience speaking “federalese” will have an advantage when it comes to understanding CMMC.  

Bottom line: In some cases, the lessons you learn from other frameworks can be applied to your CMMC certification process.  

3. Read the CMMC Appendices and Assessment Guides 

The DoD’s CMMC model document and its appendices have been stable since early on. Reviewing these documents should be one of the first stops on your CMMC compliance checklist, as they are one of the best sources for understanding: 

  • Which controls CMMC establishes 
  • The intent of each control 
  • How controls are defined 

Additionally, the DoD has published assessment guides for the CMMC levels. Each assessment guide explains the assessment criteria, lists the practices and processes that will be assessed, and describes what an assessor will look for as evidence of each.  

Currently, assessment guides for CMMC Level 1 and CMMC Level 3 are available. Reviewing these documents can help organizations determine their current level, or what they need to do to meet the criteria of their desired level. The difference between Level 1 and Level 3 is a matter of both controls and process maturity: Level 1 has no process maturity requirements but requires 17 controls (the basic safeguarding requirements of FAR 52.204-21), while Level 3 adds three process maturity requirements and 113 further controls, for a total of 130 controls.  

Most organizations will likely be either at CMMC Level 1 or CMMC Level 3. Reading the appendices and assessment guides can help determine what level your organization actually needs or wants to aim for, or can help with moving from CMMC Level 1 to Level 3.  

Level 2 is largely considered to be a stepping stone between Levels 1 and 3 and not a level to attain for its own sake. Details for CMMC Levels 4 and 5 will become available in the future.  

4. Complete NIST Special Publication 800-171 

Beyond CMMC, there is an existing publication that addresses the use of CUI in non-federal IT systems: NIST Special Publication 800-171 (NIST SP 800-171). 

For organizations planning to seek CMMC Level 3 compliance, adhering to NIST SP 800-171 offers a head start. By complying with NIST SP 800-171, organizations will have implemented 110 of the 130 controls required at Level 3. The remaining work is the 20 additional Level 3 controls that CMMC draws from other sources, plus the process maturity requirements (documented policies, practices, and a resourced plan for each domain) that NIST SP 800-171 does not assess. 

This step on your CMMC compliance checklist may, in fact, already be mandatory for your organization. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 already requires contractors that handle covered defense information to implement NIST SP 800-171, and the DoD’s November 2020 interim rule (DFARS 252.204-7019 and 252.204-7020) requires a current NIST SP 800-171 DoD Assessment score to be on file before new contract awards, as a means of easing the transition to CMMC in the coming years.  

Regardless of whether your organization is seeking a new contract or just working toward becoming CMMC-ready, NIST SP 800-171 is a good interim step toward this new rule. 

5. Find the Right Partners 

CMMC certification must be obtained through an accredited CMMC Third-Party Assessment Organization (C3PAO). As with most audits, finding the right firm is paramount. And a good firm will be more than a vendor; they’ll be a partner.  

Many of the certifications and ATOs you pursue will interact with CMMC in various ways, and the right long-term partner can help you pursue a smart strategy to address your compliance needs and goals. For example, at A-LIGN, we worked with our client Aires to streamline their audits and get ready for CMMC. 

A good auditing firm will be paying close attention to CMMC right now, attending the CMMC-AB town halls, and becoming a CMMC expert. Before the final rule comes down in 2021, find a partner who can help you prepare, guide you through the process, and keep you updated on CMMC news. 

Start Your CMMC Checklist Today 

Getting started with CMMC may seem daunting; this is a new framework, and there are many unanswered questions. However, organizations can make a CMMC compliance checklist and tick off several steps in the meantime to prepare. By understanding the use of CUI internally, implementing controls ahead of time, and more, organizations can face the final rule in 2021 with confidence. 

Learn About CMMC Today 

Contact an Expert at A-LIGN