CMMC: How Department of Defense Contractors Can Comply with Evolving Cybersecurity Requirements

September 9, 2024

Key Takeaways

  • CMMC is a cybersecurity maturity model tailored for Department of Defense third-party contractors. It builds upon existing regulations like DFARS and NIST 800-171.
  • The phased rollout of CMMC requirements is slated to start soon.
  • CMMC does not change the current cybersecurity requirements for data protection; instead, it strengthens the enforcement of these established security standards.

The Cybersecurity Maturity Model Certification (CMMC) program provides a structured approach to assessing whether defense contractors meet the Department of Defense (DoD) security standards for safeguarding sensitive information.

Under CMMC, companies handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve one of the three CMMC levels, as detailed in their contracts, to qualify for defense-related projects.

Understanding the CMMC Framework

Any contractor engaged with or seeking a contract with the DoD will need to obtain CMMC certification. This applies to all tiers of the supply chain, including small businesses, commercial item contractors, and foreign suppliers.

CMMC is an information security maturity model designed specifically for DoD third-party contractors, building upon existing regulations like DFARS and NIST 800-171. The goal is to ensure comprehensive security across the DoD supply chain.

Two types of data are addressed within CMMC:

  • FCI: Non-public information provided by or created for the government under a contract for developing or delivering a product or service.
  • CUI: Data requiring protection or restricted dissemination according to federal laws, regulations, and government-wide policies.

CMMC does not alter existing cybersecurity requirements for protecting FCI and CUI but rather strengthens the enforcement of existing security standards.

CMMC Maturity Levels Explained

The CMMC framework includes three levels. The appropriate level for an organization depends on the sensitivity of the DoD information it handles.

[Graphic: outline of the different levels of CMMC maturity]

Level 1

Level 1 applies to organizations working with FCI only. These organizations must focus on basic cyber hygiene and adhere to the practices outlined in FAR 52.204-21.

Level 2

Level 2 is designed for organizations handling CUI. These organizations must comply with the 110 security controls specified in NIST 800-171.

Level 3

Organizations handling CUI and exposed to Advanced Persistent Threats must meet Level 3 requirements. These organizations must demonstrate advanced cybersecurity capabilities in line with NIST 800-172.

Steps to Prepare for CMMC Compliance

Preparing for CMMC compliance involves several key steps:

1. Conduct Discovery Activities

Begin by assessing your current cybersecurity posture:

  • Locate all assets: Inventory your organization’s hardware, software, and data.
  • Map data flows: Trace how FCI and CUI move through your systems.
  • Understand existing controls: Review current security controls and practices to identify strengths and weaknesses.

2. Determine CMMC Scope

Define the scope of your CMMC efforts:

  • Identify covered assets: Determine which parts of your organization handle FCI and CUI.
  • Segment systems: Isolate critical areas from other parts of your network to minimize compliance scope.
  • Document boundaries: Clearly outline the scope of your CMMC efforts to ensure all relevant components are included.

3. Perform Gap Assessment

Execute a thorough gap assessment to compare your current cybersecurity practices with CMMC requirements:

  • Review maturity levels: Identify the CMMC level required based on your contract requirements.
  • Assess existing controls: Evaluate your current controls against the CMMC practices for your target maturity level.
  • Identify gaps: Highlight where your current practices do not meet the required standards.

A CMMC Readiness Review helps measure your current compliance state and assesses the effectiveness of existing security procedures. Take our CMMC Readiness Quiz to get started.

4. Develop Action Plan & Milestones

Create a comprehensive action plan to address identified gaps:

  • Prioritize tasks: Determine the order in which gaps should be addressed based on risk and resource availability.
  • Set milestones: Establish KPIs to monitor progress.
  • Allocate resources: Assign the necessary resources, including personnel, budget, and time, to ensure successful implementation.

5. Remediate Identified Gaps

Begin remediation efforts to close the identified gaps and enhance your cybersecurity posture:

  • Implement security controls: Deploy necessary controls and technologies to meet CMMC requirements.
  • Update policies and procedures: Revise or create policies and procedures to align with CMMC standards.
  • Conduct training: Provide education to ensure staff members understand and can effectively implement new security measures.
  • Perform continuous monitoring: Establish ongoing monitoring and assessment to maintain compliance and address new vulnerabilities.

Although anyone can conduct a gap assessment, the expertise of your reviewer can impact your success in a CMMC audit. To ensure a thorough evaluation, consider working with a Registered Practitioner (RP). RPs, certified by the CMMC-AB, possess a deep understanding of CMMC standards and are authorized to guide contractors through the preparation process.

Our team includes Registered Practitioners, Certified CMMC Professionals, and Certified CMMC Assessors. We are equipped to prepare your organization for evolving regulations. Take the Readiness Assessment.

Next Steps Toward CMMC Compliance

Phased implementation of CMMC requirements is expected to begin soon. Taking proactive steps now is essential for organizations seeking to work with the DoD and handle sensitive information securely. By understanding the CMMC framework, determining the appropriate maturity level, and systematically addressing gaps in your cybersecurity practices, you can position your organization for success.

Not sure where to begin? Take our CMMC Readiness Assessment to gauge your organization’s preparedness and identify areas for improvement.

Eide Bailly is a Registered Practitioner Organization and can help you prepare for CMMC requirements.

About the Author(s)

Anders Erickson, CISA, CISSP, CRISC

Risk Advisory Principal
Anders assists clients in establishing a culture of security within their organization. He leads organizations through the process of identifying their cybersecurity risks and brings practical solutions to help manage and mitigate those risks.