iQuasar Cyber

Step-by-step CMMC Guide for Government Contractors

CMMC for Government Contractors

Do you know what’s coming down the pipeline for DoD contractors? If not, you could be in for a surprise. The Department of Defense (DoD) is preparing to publish the updated rule for its Cybersecurity Maturity Model Certification (CMMC), expected in November 2023. Once the rule is in force, CMMC compliance will be a condition of award for defense contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
But do you know what the CMMC entails and how it will affect your company? Read on to learn about CMMC for DoD contractors and how to prepare for its implementation.

Levels in CMMC for DoD Contractors:

The CMMC model has three maturity levels, each with its own set of required practices for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The levels range from basic cyber hygiene at Level 1 to advanced controls at Level 3, and you must implement every practice assigned to a level to achieve compliance at that level.

Level 1 (Foundational) requires 17 practices drawn from NIST SP 800-171 (the basic safeguarding requirements of FAR 52.204-21)
Level 2 (Advanced) requires all 110 requirements of NIST SP 800-171
Level 3 (Expert) requires all 110 requirements of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172

CMMC 2.0 Model

To achieve Level 2 you do not need a perfect SPRS score of 110, but you will be assessed against all 110 requirements. Any requirement that is not fully implemented must be covered by a Plan of Action and Milestones (POA&M), essentially a remediation plan with owners and target dates. Keep in mind that CMMC 2.0 allows POA&Ms only for a limited time and not for the highest-weighted requirements, so treat a POA&M as a short bridge to full implementation rather than a steady state. Check out our earlier blog for foundational insights on CMMC for DoD contractors.
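As an added example (not code from the iQuasar post), the arithmetic behind that SPRS number: the NIST SP 800-171 DoD Assessment Methodology starts at 110 and subtracts 1, 3 or 5 points per unmet requirement, with partial credit (a 3-point deduction instead of 5) only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The requirement weights in SAMPLE_WEIGHTS are a constructed subset for illustration, not the official table; the statuses are likewise made up, and the function and field names are this example’s own.

```python
"""
Score a NIST SP 800-171 self-assessment the way SPRS does and emit a
POA&M ordered by points lost. Added example; weights below are a
constructed subset and must be replaced with the official DoD
Assessment Methodology table for a real score.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110

# Partial credit exists for exactly two requirements: MFA deployed for
# remote and privileged users but not general users (3.5.3), and
# encryption in place but not FIPS-validated (3.13.11). Each costs 3
# points instead of the full 5.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Constructed subset of requirement weights (assumption: verify each
# against the official methodology before relying on it).
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct flaws
    "3.14.2": 5,   # malicious code protection
}

# Constructed self-assessment result for the sample above.
SAMPLE_STATUSES = {
    "3.1.1": "met", "3.1.2": "met", "3.1.3": "not_met", "3.1.5": "not_met",
    "3.1.20": "met", "3.3.1": "not_met", "3.5.3": "partial",
    "3.13.11": "partial", "3.14.1": "met", "3.14.2": "met",
}


@dataclass
class AssessmentResult:
    score: int
    poam: list = field(default_factory=list)  # (requirement id, points lost)


def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """statuses: dict of requirement id -> 'met' | 'not_met' | 'partial'.

    Every weighted requirement must have a status; a real assessment
    covers all 110, so the minimum possible score is 110 minus the sum of
    all weights (negative), not zero.
    """
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    deductions = []
    for req_id, status in statuses.items():
        if req_id not in weights:
            raise ValueError(f"no weight known for {req_id}")
        if status == "met":
            continue
        if status == "partial":
            if req_id not in PARTIAL_CREDIT_DEDUCTION:
                raise ValueError(f"partial credit is not allowed for {req_id}")
            lost = PARTIAL_CREDIT_DEDUCTION[req_id]
        elif status == "not_met":
            lost = weights[req_id]
        else:
            raise ValueError(f"unknown status {status!r} for {req_id}")
        deductions.append((req_id, lost))
    # POA&M order: biggest point loss first, then by requirement id, so the
    # 5-point gaps (which CMMC 2.0 will not let you carry on a POA&M) are
    # at the top of the remediation queue.
    deductions.sort(key=lambda d: (-d[1], d[0]))
    return AssessmentResult(MAX_SCORE - sum(lost for _, lost in deductions), deductions)


if __name__ == "__main__":
    result = sprs_score(SAMPLE_STATUSES)
    print(f"SPRS score: {result.score}")
    for req_id, lost in result.poam:
        print(f"  POA&M {req_id}: -{lost}")
```

Running the sample gives 95: the two partial-credit items cost 3 each, 3.3.1 costs the full 5, and the ordering puts 3.3.1 first because a 5-point gap is the one you cannot leave open. Swapping SAMPLE_WEIGHTS for the full 110-row table turns this into the number you submit, and the POA&M list into the skeleton of the remediation plan the steps below describe.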

Step-by-Step Process to Achieve CMMC for DoD Contractors:

CMMC 2.0 Compliance Steps
Step 1: Confirm Certification Level

In this initial phase, confirm which CMMC level you actually need. The level is driven by the information you handle (FCI alone points to Level 1; CUI to Level 2, or Level 3 for a small set of high-priority programs) and will be stated in the solicitation. Getting this wrong means assessing against the wrong set of requirements, so this step lays the foundation for the entire certification process.

Step 2: Conduct Self-Assessment

The assessment phase is a critical step in the CMMC certification process. First define the scope: which systems, networks and people store, process or transmit FCI or CUI, and which are out of bounds. Then evaluate each requirement against the assessment objectives in NIST SP 800-171A, recording whether it is met, partially met or not met, and score the result with the NIST SP 800-171 DoD Assessment Methodology (each unmet requirement costs 1, 3 or 5 points from a maximum of 110).

Step 3: Identify Gaps

In this stage, a comprehensive gap analysis is performed to identify where the organization falls short of the target CMMC level. Document every gap, record the points it costs, and prioritize remediation accordingly; a missing 5-point requirement is a different problem from a missing 1-point one.

Step 4: Remediate

Once gaps are identified, develop a detailed remediation plan outlining the necessary actions, responsible parties, timelines, and resources to address them. Prioritize the work based on risk and criticality, and where it is cheaper to shrink the CUI boundary than to harden a system, consider doing that first. Ensure the organization’s personnel are adequately trained and prepared to implement the changes.

Step 5: Reassess

After implementing the remediation plan, re-run the assessment on the remediated requirements and collect the evidence (configurations, screenshots, logs, signed policies) that an assessor can verify. A requirement is not "met" until you can show it, so update the System Security Plan and POA&M to match what is actually in place.

Step 6: Executive Attestation

Before proceeding with the submission, obtain executive attestation: a senior official (e.g., the CEO or CIO) formally confirms that the organization has implemented the necessary controls and meets the chosen CMMC level. Ensure the attestation is documented and signed by the appropriate executive, since that person is accountable for the accuracy of what is submitted.

Step 7: Upload into SPRS for Level 2 & Level 3

Once the executive attestation is done, submit the results to the Supplier Performance Risk System (SPRS), the DoD’s official repository for supplier cybersecurity information. SPRS holds summary-level results, not your evidence: the assessment date, the summary score, the scope (the name of the System Security Plan the assessment covered) and the date by which a score of 110 is expected. Keep the SSP, POA&M and supporting artifacts on hand for the Level 2 certification assessment, and note that Level 3 additionally requires a government-led assessment. Follow the submission guidance published by SPRS, and update the entry whenever remediation changes the score.

Conclusion:

DoD contractors looking to become compliant should begin their CMMC certification process in Q4 of 2023. It typically takes 12-16 months to complete all the steps of CMMC. If you are new to the CMMC framework, read our previous blog, which explains the differences between CMMC 1.0 and CMMC 2.0, and start with CMMC for DoD Contractors.
iQuasar Cyber, Inc. is a Cyber-AB Registered Practitioner Organization (RPO). Our CMMC-certified consultants have deep experience with NIST, NYDFS, HIPAA, and PCI. We can prepare you for the CMMC compliance levels and provide recommendations for better self-assessment or external assessment preparation.

Book a Consultation Now!