
Companies ask two questions most often. The first is how to make the Cybersecurity Maturity Model Certification (CMMC) assessment as efficient as possible. The second is how to reduce the complexity that comes with any assessment, CMMC in particular. Here are six steps to help companies manage their CMMC journey.
1. Understand the requirements
First, determine what level of CMMC you must achieve. If you’re not sure, contact your contracting officer.
Next, make sure your scope is clearly defined. Scoping is the single most important factor in the duration and cost of both the implementation and the assessment. A tightly bounded scope (for example, confining controlled unclassified information to a dedicated enclave rather than the whole enterprise network) means fewer systems to build, document, and assess, which shortens the assessment and lowers cost.
Finally, familiarize your team with NIST SP 800-171 Rev. 2 and NIST SP 800-171A. These two publications state the security requirements and the assessment objectives, respectively. A newer version, NIST SP 800-171 Rev. 3, has been published, but CMMC requirements and assessment objectives remain tied to Rev. 2 until further notice.
2. Perform a gap analysis
The gap analysis can be conducted internally or with an external consultant who can provide remediation options and recommendations. A CMMC Third-Party Assessment Organization (C3PAO) may conduct this internal assessment, but because that work counts as consulting, you may not use the same C3PAO for your formal certification assessment. Keep this in mind during vendor evaluation: either select two C3PAOs, or conduct the internal assessment on your own and select one C3PAO for the formal certification assessment.
3. Train employees
Provide security awareness training to all employees so they can recognize controlled unclassified information (CUI) and the threats to it: phishing, social engineering, insider threats, and other cybersecurity threats. Ensure everyone, not just the information technology (IT) department, understands how to adhere to CMMC security controls, policies, and procedures. Training should be ongoing, with everyone from the CEO to the newest team member participating.
4. Develop and maintain required documentation
Develop and maintain IT and security policies, procedures, and system security plans (SSPs), along with the records that show they are being followed: audit logs, incident response records, employee training records, and access control logs. Track remediation efforts in a Plan of Action & Milestones (POA&M). Keep in mind that each type of document has its own retention requirement, but never go more than one year without a review. Your assessor will check that your documentation is current and easily accessible.
5. Contact a C3PAO 6 to 9 months before you are ready
C3PAOs can’t provide consulting or recommendations, but they can clarify the assessment process, explain the documentation requirements, and describe how the assessment will be conducted. The full cycle of planning, pre-assessment, and formal assessment typically takes 3 to 5 months.
6. Conduct a pre-assessment
This is different from an internal assessment or gap analysis. Conducted outside the DoD’s purview, it lets your organization go through the formal process without risk. The pre-assessment must be conducted to the same standards as the formal assessment, and its results won’t include recommendations or remediation advice. You may use the same C3PAO for the pre-assessment and your formal certification assessment.
These six steps don’t guarantee your CMMC implementation and assessment will be successful, but they can improve your internal preparations and the conduct of the formal assessment.
Questions?
What questions do you have about these six steps or CMMC in general? Feel free to contact me. I’m always happy to help companies in the Defense Industrial Base.
https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min
Smithers
https://www.smithers.com
Explore the June 2025 Issue