If your company does business with the Department of Defense (DoD), then chances are good you’re familiar with Cybersecurity Maturity Model Certification (CMMC) implementation. This recently developed training and assessment program is designed to protect valuable data from cybercriminals throughout the DoD supply chain. If you want to continue doing business with them, you’ll need to implement CMMC into your cyber security efforts, and this guide outlines what those steps will look like for your organization.
Understanding the CMMC implementation process.
1. Know your required CMMC level.
CMMC compliance can be broken down into three levels, and the one you’ll need depends on the sensitivity of the data your business handles.
Level 1 (Foundational)
This is for DoD contractors and subcontractors who handle Federal Contract Information (FCI), meaning information that shouldn’t be released to the public. It’s the easiest level to attain, and you can reach certification through an annual self-assessment.
Level 2 (Advanced)
Level 2 is intended for contractors and subcontractors who handle controlled unclassified information (CUI). It’s more stringent: organizations have to document their processes, and those that handle data critical to national security must pass a third-party assessment every three years.
Level 3 (Expert)
Companies that handle CUI for DoD programs with the highest priority require Level 3 certification. This model protects a system from advanced persistent threats (APTs) and requires the organization to establish, maintain, and resource a plan to manage its cyber security protocols.
2. Perform a CMMC gap analysis.
Once you know what level you need, you’ll need to perform a readiness assessment. This helps you identify any problem areas in your security systems and understand what new solutions you’ll need to implement to remain compliant with CMMC requirements.
3. Start CMMC implementation.
After you’ve identified the problem areas in your systems, it’s time to start the CMMC implementation process. This includes developing missing documentation, implementing the newly required controls, identifying risks, and creating risk-management solutions. These steps help you fix the gaps you discovered in the analysis and, depending on which level you need, can take 6-8 weeks or as long as a year.
4. Take the CMMC assessment.
Following the implementation phase, your organization must undergo a certification assessment. The assessment is performed by a Certified Third Party Assessment Organization (C3PAO), but you have the choice of which provider you want to complete the assessment of your system. They review your documentation, perform an on-site evaluation to verify individual controls, and then take about two weeks to write their report.
5. Continuous monitoring.
If you pass the assessment and become CMMC certified, then you can continue doing business with the DoD. However, that doesn’t mean you’re done with your CMMC implementation, because compliance isn’t a “set it and forget it” process. You’ll need to set up around-the-clock management of everything from the tools you use to the policies your organization follows and the procedures that are in place. Depending on your CMMC level, you might also need additional C3PAO assessments in the future, so continual monitoring is essential.
Do you need help with CMMC implementation?
It’s Just Results is the security and compliance partner you need. We understand that remaining compliant with the DoD’s CMMC requirements can have a significant impact on your company’s bottom line. You need a partner who will get the results you need within a budget you can afford, and that’s precisely what we provide.
We offer security and compliance services for businesses just like yours, and we can tailor the compliance services we offer to meet your attestation requirements. Learn more about our compliance support services, or contact us online to schedule your initial consultation.