The Department of Defense has required that all contractors selling to the United States military be CMMC certified by 2025. CMMC, or “Cybersecurity Maturity Model Certification,” has caused a stir as well as confusion throughout the IT world. Many businesses want to know how they can accurately evaluate their cybersecurity measures in preparation for the CMMC certification assessment. Thankfully, the experts at Integris are here to help businesses successfully become CMMC certified so they can continue doing the work they do. Read on to learn how to ensure your business is ready for its CMMC assessment.
Step 1: Identify Your Current CMMC Level
CMMC is broken down into different levels. These levels are dictated by the sensitivity of the data being handled by the company in question. They are as follows:
Level 1: Basic: A company must be able to perform “basic cybersecurity practices,” such as using antivirus software and making employees change their passwords regularly.
Level 2: Advanced: A company must keep documentation of intermediate cybersecurity practices to protect any Controlled Unclassified Information (CUI). This can be done through the implementation of some of the United States Department of Commerce’s National Institute of Standards and Technology (NIST) Special Publication security requirements. A company must also have an institutionalized management plan that facilitates good cybersecurity practices to safeguard CUI; this involves implementing all of the NIST Special Publication security requirements.
Level 3: Expert: A company must have implemented a process to review and measure the effectiveness of the aforementioned practices. A company must have standardized and optimized processes established across the organization along with additional enhanced practices that provide more sophisticated capabilities to detect and respond to advanced persistent threats.
Every company needs to be certified at the level that matches the type of data it handles; that information should be found in the contract for any given job. Additionally, every contractor must meet at least the Level 1 requirements, the baseline required for contractors that process Federal Contract Information (FCI).
Most contractors and subcontractors will need to meet the requirements for a level 1 or level 2 CMMC certification. Larger contractors that handle sensitive CUI will have to certify for level 3.
Step 2: Know What Kind of Sensitive Data Your Company Handles and How It Is Stored
The Department of Defense needs to be reassured that any part of your company that handles FCI or CUI is properly secured against evolving cybersecurity threats. Because of this, you must understand what type of data your company handles as well as how it is stored and transmitted. Understanding this will uncover any gaps in your cybersecurity model, allowing you to make changes to ensure your company isn’t vulnerable. This will also enable you to identify the proper CMMC training for your company and what to do in order to reach the level needed for your work. Ultimately, this will save time, money, and resources by ensuring that you meet only the necessary requirements.
Step 3: Document Every Step Taken
You will need documentation of every step taken, from training to results to the security measures that are in place. You will also want to have established and documented incident response plans (IRPs), as these are essential to show that your company has a higher level of cybersecurity maturity.
Step 4: Schedule Your Assessment
Once you have addressed the gaps in your cybersecurity practices and documented your new cybersecurity strategy and training, schedule an assessment with a CMMC Third-Party Assessment Organization (C3PAO). This assessment will determine whether or not your organization will be able to earn a CMMC certificate that can be used with the DoD.
Step 5: Make Changes If Necessary
During the assessment, the C3PAO may find issues that are holding your company back from getting the certification it needs. They will notify you of these issues and give you 90 days to resolve them before the assessment is finalized.
Want to Ensure You Pass Your Assessment?
CMMC is still developing to meet the needs of quickly changing threats. This means you may have to update your security controls again in the future to meet updated requirements. The best way to ensure that you are always able to meet your CMMC certification needs is to partner with an experienced managed security service provider such as Integris. Our expert IT professionals keep up with the latest developments in CMMC compliance. Contact us today for more information on our services or to schedule a consultation.