The Step-by-Step Guide to Prepare for the CMMC

Table of Contents

  1. Introduction
  2. Step-by-Step Guide
    1. Choose a CMMC Level
    2. Scope your CUI & FCI
    3. Establish Policies, Procedures, and Plans
    4. Create a System Security Plan (SSP)
    5. Establish an Evidence-Driven CMMC Compliance Workflow
      1. Identify Key People
      2. Choose Tools
      3. Start with the DFARS Interim Rule
      4. Conduct a CMMC Pre-Assessment
      5. Choose a Certified Third-Party Assessor Organization (C3PAO)
      6. Get Certified
  3. About Recertification
  4. Conclusion

1. Introduction

Preparing for the Cybersecurity Maturity Model Certification (CMMC) can be a daunting task. If you’ve already conducted or started preparing for a NIST 800-171 Basic Assessment as required by the DFARS Interim Rule, you’re about halfway through being prepared for the CMMC. Your next major task will involve conducting a CMMC Pre-Assessment, an integral internal tool you need to employ to identify gaps and create a Plan of Action & Milestones (POA&M). In this Step-by-Step Guide, we cover everything you need to know to ace your certification including establishing documentation, establishing an evidence-driven compliance workflow, conducting the CMMC Pre-Assessment, and getting certified.

2. Step-by-Step Guide

2.1. Choose a CMMC Level

Every Department of Defense (DoD) contract is different, which means your CMMC level will vary. However, at a minimum, all DoD contracts require CMMC Level 1; it is the basic level to process Federal Contract Information (FCI). If your contract involves Controlled Unclassified Information (CUI), it will require CMMC Level 3. If you are a Tier 1 contractor with a large contract, it will most likely require CMMC Level 4 or 5.

2.2. Scope your CUI & FCI

The DoD considers any part of your organization that touches CUI & FCI (i.e., where it’s stored, how it’s processed, and how it’s transmitted) to be “in-scope” when it comes to an official certification assessment. For example, your organization may have other unrelated departments (e.g., marketing, sales, etc.) where CUI & FCI will not be stored, processed, or transmitted. To make compliance as smooth and cost-effective as possible, you’ll want to isolate only the relevant parts of your organization into its own network.

2.3. Establish Policies, Processes, and Plans

The CMMC is all about “Process Maturity.” It’s an organization’s commitment to and consistency in performing specific practices. To do this successfully, you need to establish several governing documents describing what the organization should abide by (policies), how they should be implemented (processes), and how those tasks will be funded and managed (plans). Over time, and depending on your organization’s commitment to cybersecurity, you can mature your processes to a level where the organization is not only performing (CMMC Level 1), documenting (CMMC Level 2), managing (CMMC Level 3), and actively reviewing (CMMC Level 4), but also continuously optimizing (CMMC Level 5) their practices and processes. You can read more on the CMMC Appendices.

2.3.1. Policies

Policies are the high-level guidelines for the entire organization. They communicate the organization’s vision and values and its day-to-day operation. An example of a policy might be, “Multi-Factor Authentication (MFA) shall be enabled for all users.”

2.3.2. Processes

Processes break down the policies into practical details that anyone can follow. It may include specific activities involved in satisfying the intent of a related policy. An example of a process using the MFA policy above might be, “Use a smartcard and a PIN for Windows remote login.”

2.3.3. Plans

Plans describe how to implement, resource, schedule, and maintain processes at the organization. An example of a plan using the MFA process above might be, “Employ a third-party vendor to implement the MFA Windows project and hire a full-time system administrator to maintain the project and perform annual audits, etc.”

2.4. Create a System Security Plan (SSP)

As the name states, the SSP is your organization’s plan to secure its systems. More specifically, it is a collection of documents that paint a picture of your environment, the associated security requirements, the implemented or planned controls, and the expected behaviors of all individuals who access the system. In addition to other documents, you will need to reference your previously established policies, processes, and plans as they relate to each domain. Depending on your organization, your SSP might include your entire, a subset, or multiple subsets of your organization.

2.5. Establish an Evidence-Driven CMMC Compliance Workflow

If you’ve already undertaken your NIST 800-171 Basic Assessment, you should already have some evidence-driven compliance workflow in place. You’ll use that work to conduct a CMMC Pre-Assessment next. Regardless, because compliance can be very resource-intensive, you should constantly identify ways to leverage automation to improve inefficiencies in your workflow. Doing so can help save your organization a lot of time and money.

2.5.1. Identify Key People

An integral part of any compliance workflow is people. Firstly, identify the person(s) responsible for executing the SSP and other information security plans. Every organization is different, but this individual could be the one in charge of information security (e.g., Chief Information Security Officer, Director of Technology, etc.), regulatory compliance (Chief Compliance Officer, Director of Compliance, etc.), or sponsored research projects (e.g., VP of Research, Director of Sponsored Projects, etc.). If you’re reading this, it might be you! Secondly, identify people who will be performing relevant tasks. Tasks are low-level elements that are required to ensure the organization is executing its policies and processes.

  • An example of a specific person and task using the MFA plan above might involve the system administrator tasked with enabling the security feature to particular users and devices in scope. Additionally, it might also involve the business analyst who developed the policy.

2.5.2. Choose Tools Communication

You’ll need a reliable and secure communication platform where you can communicate and share information with relevant people at your organization. Most organizations choose to use email or software tools like Slack. Whatever platform you use, make sure it is reliable and secure. Data Collection

You’ll need an efficient and secure platform to collect sensitive information about compliance. Most organizations choose to use spreadsheets or other surveying tools (e.g., Qualtrics, Survey Monkey, etc.). However, these tools usually require manual work and aren’t very secure. Instead, you can opt for an automated assessment platform like Isora GRC, which provides a plug-and-play solution for CMMC compliance. Evidence Storage

You’ll need a place to collect and store relevant evidence artifacts. Most organizations choose to use cloud storage platforms (e.g., Google Drive, Microsoft OneDrive, Dropbox, etc.) then, using spreadsheets, ask people to provide a link to the artifact. However, this method is neither efficient nor secure. Instead, you can opt for an automated assessment platform like Isora GRC, enabling you to upload all evidence within the app and store it on a FedRAMP compliant AWS GovCloud server. Business Intelligence

You’ll need a way to aggregate all the data you collect to extrapolate insights. Even if you’re a pro at spreadsheet tools, it’ll still take a lot of resources to create models and reports that are relevant to your organization. Instead, you can opt for business intelligence tools. You’ll still need to aggregate the data somehow, but creating visual reports will be a bit easier. It is even easier to leverage an automated assessment platform like Isora GRC, which automatically aggregates all assessment data and makes it easy to export the data into relevant pre-built reports on business intelligence tools.

Fast-Track your CMMC Compliance

Learn how Isora GRC helps fast-track DFARS Interim Rule compliance and CMMC preparation across your systems.

2.6. Start with the DFARS Interim Rule

Per the DFARS Interim Rule, all contractors must first conduct a NIST 800-171 Basic Assessment and submit a score to the Supplier Performance Risk System (SPRS) in the interim while the CMMC certification process rolls out over the next few months.

2.7. Conduct a CMMC Pre-Assessment

We like to consider the CMMC Pre-Assessment as the necessary internal tool to prepare for the actual certification assessment. It is the only way to know which practices your organization is missing, collect evidence about processes and plans, and create a Plan of Actions & Milestones (POA&M) for missing practices, processes, and plans.

2.7.1. Identify Gaps

Ask the relevant people (e.g., Principal Investigator, System Administrator, Network Administrator, etc.) at your organization about the state of compliance with the specific practices specified at each CMMC level. Wherever there are gaps, you’ll also want to ask about the plan of action and projected date to achieve compliance.

  • If you’re using Isora GRC, you can either build off of your existing NIST 800-171 Basic Assessment or launch a CMMC assessment to specific individuals in your organization and collect all data in a single, end-to-end assessment platform.

2.7.2. Collect Evidence

To be certified, you need to prove that you have implemented all practices and have a specific level of process maturity. If people at your organization indicate they implemented a practice, you’ll want to collect, at minimum, two evidence artifacts.

  • If you’re using Isora GRC, you can ask people, as they answer questions, to securely upload the relevant evidence artifacts and add additional comments.

2.7.3. Create a POA&M

We like to consider the POA&M a roadmap for your organization to be officially certified. You will take all of your missing controls and create a formal document that describes the specific steps your organization will take to implement a particular practice (actions) fully and over what period (milestones).

  • If you’re using Isora GRC, you can easily export this document with a single click after completing any of your assessments (e.g., NIST 800-171 Basic Assessment, CMMC Level 3 Pre-Assessment).

2.7.4. Repeat

You need to, without a doubt, prove during a certification assessment that your organization implements all practices. To ensure there are no gaps left after your initial POA&M, it is wise to conduct a follow-up pre-assessment. If there are still gaps present, amend your POA&M and continue working on remediation. Every organization is different, but you should have scheduled pre-assessments that align with your certification schedule.

  • If you’re using Isora GRC, you can easily create a follow-up assessment that builds upon previous responses and measures improvements.

2.8. Choose a Certified Third-Party Assessor Organization (C3PAO)

A Certified Third-Party Assessor Organization (C3PAO) is an official organization certified to provide CMMC certifications by the CMMC Accreditation Body (CMMC-AB). There are currently over 100 C3PAOs that you can work with on the CMMC-AB Marketplace. It would be best if you chose to work with a C3PAO that not only fits your budget but has previous experience with your industry.

2.9. Get Certified

Your C3PAO and its CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) will use the CMMC-AB assessment guidelines to conduct a CMMC assessment for your entire organization or a specific CUI Enclave. CCPs and CCAs will gather information and evidence to independently verify that an organization meets the stated assessment objectives for all of the required practices and processes. If the C3PAO can successfully demonstrate the organization implements all practices and has the appropriate process maturity, they will grant the official certification.

3. About Recertification

Your certification will last for three years, which means that you will need to recertify every three years. The recertification process is the same as the initial process.

4. Conclusion

Going zero to certification involves a well-oiled machine with many moving parts, from scoping your organization, to establishing policies, processes, and plans, to establishing an evidence-driven compliance workflow, to hiring a C3PAO to certify you. While some organizations might be well resourced to undertake this process, others might struggle to get started. It is not unwise to seek out help from the many accredited organizations on the CMMC-AB Marketplace. SaltyCloud is a Registered Practitioner Organization (RPO). We provide an end-to-end assessment platform, Isora GRC, which offers plug-and-play functionality that helps organizations manage and fast-track their compliance efforts.