In June 2020, Requests for Information (RFIs) began to list CMMC requirements, and in September 2020, Requests for Proposal (RFPs) began to list CMMC requirements. This means that in order to continue to win business with the Department of Defense (DoD), your organization must be prepared for CMMC assessments. Unless a higher CMMC Level is specified in the contract, every contractor and subcontractor that handles Federal Contract Information (FCI) will be required to meet at least CMMC Level 1.
Some key steps in preparing for a CMMC assessment include creating or updating policies and procedures related to cybersecurity, ensuring that all employees are trained on these policies and procedures, and ensuring that adequate resources are allocated to implementing and maintaining them. Additionally, it is important to create a plan for responding to potential incidents or breaches. By taking these steps now, your organization can be better prepared when CMMC assessments begin.
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's unified standard for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense industrial base. The official CMMC website offers resources for those wanting to learn more about the program. It includes an overview of the model, an explanation of how it works, and a list of the most frequently asked questions. In addition, the site provides access to the official CMMC assessment guides, as well as white papers and other resources that can help you better understand the process. While becoming certified requires working with a third-party assessor such as We Help You Secure, taking the time to review these materials will help ensure that you are fully prepared for what is involved.
The first step in solidifying scope is to inventory every business process that receives, creates, or handles FCI. This shows which parts of the organization the assessment will touch. Next, build a data inventory that records where FCI resides and how it is used. Then build a system inventory listing every system (workstations, servers, file shares, email, cloud services) that processes, stores, or transmits FCI. Finally, inventory the in-scope personnel: the people who need access to FCI and therefore need training on the policies that protect it. Together these inventories give a clear picture of the assessment boundary and let you keep FCI out of systems that do not need it, which shrinks both the scope and the effort. Keep the inventories current; the assessor will expect the boundary you describe to match what is actually in place.
Access control is an important part of any CMMC assessment. Before the assessment, evaluate both logical and physical access control. Logical access control means limiting accounts on systems that hold FCI to authorized users and to the functions each user needs, removing access promptly when a person leaves or changes role, and controlling connections to and from external systems. Physical access control means limiting entry to areas that contain systems processing, transmitting, or storing FCI, escorting and logging visitors, and managing keys and badges. Also review business processes that place FCI on removable media or paper, since those copies leave the protection of the system boundary. Confirming these measures are in place before the assessment, with evidence such as account lists and visitor logs, helps ensure a successful outcome.
As your organization gathers more and more data, it is essential to develop clear and concise policies for handling that data. All employees should be aware of what information is considered FCI and take steps to protect it accordingly. Encrypting FCI at rest and in transit is good practice, even though the Level 1 practices themselves do not mandate encryption, and employees should be prohibited from sharing it through chat or email systems outside the defined boundary. At the end of the data lifecycle, all FCI should be securely destroyed or sanitized, both on digital media and on paper. By taking these precautions, your organization can ensure that its contract data remains protected.
Your organization's incident response plan should be reviewed regularly to ensure that it is up to date and responsive to the current threat landscape. In addition to reviewing the plan itself, evaluate the supporting processes that help prevent incidents in the first place. One example is an incident reporting practice: a clear, low-friction way for employees to report suspicious emails, lost devices, or unusual system behavior. A robust reporting practice helps your organization identify potential security issues quickly and mitigate them before they become an actual breach, and it lets you track trends in malicious activity so that you can adjust your response plan as needed. By establishing and maintaining a strong incident reporting practice, your organization improves its overall security posture and is better prepared to respond to incidents when they do occur.
As your organization may be aware, the Department of Defense (DoD) has been working to improve the cybersecurity posture of its supply chain, the defense industrial base, through the Cybersecurity Maturity Model Certification (CMMC) initiative. As part of this effort, the DoD has published guidance on what is expected of contractors who wish to continue working with the department. To ensure that your organization is prepared for CMMC Level 1 compliance, we have compiled a list of next steps that should be taken:
- Understand the CMMC model and how it applies to your organization.
- Determine which CMMC level is required for your specific contracting work.
- Identify any gaps in your current cybersecurity practices that would need to be addressed in order to meet the requirements of the selected CMMC level.
- Create a plan to address those gaps, including timelines and responsibilities.
- Implement the plan and track progress towards compliance.
- Undergo an assessment to verify compliance with the CMMC Level 1 requirements. Under the original CMMC program this was an independent third-party assessment; under CMMC 2.0, announced in November 2021, Level 1 is an annual self-assessment whose results are affirmed by the contractor.
By taking these steps, your organization will be well on its way to meeting the DoD's CMMC Level 1 requirements and keeping its eligibility for DoD contracts.