If You Need to Comply With CMMC 2.0, Here Is Your Complete CMMC Compliance Checklist
Given the complexity of the Cybersecurity Maturity Model Certification (CMMC) framework, it is essential for government contractors and subcontractors to have a comprehensive CMMC compliance checklist to ensure they meet all the requirements.
The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.
This blog post explores the CMMC 2.0 compliance requirements, provides a comprehensive CMMC Compliance checklist, and offers Department of Defense (DoD) contractors practical insights into how they can achieve CMMC compliance.
What Is CMMC Compliance?
CMMC is a cybersecurity framework regulating manufacturing contractors serving in the Defense Industrial Base (DIB), an extensive list of DoD supply chain partners. Any contractor or subcontractor that processes, sends, shares, or receives controlled unclassified information (CUI) or federal contract information (FCI) must demonstrate compliance with CMMC.
The goal of this framework is to take disparate requirements and standards, coupled with several models for self-assessment and attestation, and streamline them into reliable, rigorous, and robust security practices that any business can align with.
The components of CMMC that set it apart from other federal government regulations, like the International Traffic in Arms Regulations (ITAR), the Federal Information Security Management Act (FISMA), or the Federal Risk and Authorization Management Program (FedRAMP), include:
- Controlled Unclassified Information (CUI) and Federal Contract Information (FCI): CMMC covers the storage, processing, transmission, and destruction of CUI explicitly. CUI is a unique form of data that hasn’t been designated under Secret classification but requires special protections to preserve national security. Examples of CUI may include financial information related to government contracts, personally identifiable information (PII) of government employees, or sensitive technical data related to defense systems.
FCI is another lesser form of information related to the contractual relationships between contractors and agencies. CMMC is built to handle both cases.
- NIST Standards: CMMC, like other federal cybersecurity frameworks, draws from standards created and maintained by the National Institute of Standards and Technology (NIST). Specifically, CMMC relies on NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Additionally, Level 3 of CMMC compliance will draw from NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”
- Maturity Levels: To help contractors and agencies align on the security required to enter into working relationships, CMMC divides compliance into three maturity levels based on the contractor’s implementation of NIST SP 800-171 (and potentially SP 800-172) controls.
- Third-party Assessments: Like FedRAMP, CMMC relies on third-party assessments performed by Certified Third Party Assessor Organizations (C3PAOs).
CMMC 2.0 Requirements: Understanding the Updated Cybersecurity Standards
CMMC 2.0 represents a pivotal update and improvement in the DoD’s efforts to secure the Defense Industrial Base (DIB) against cyber threats. This updated framework has streamlined the original CMMC model, focusing on increasing clarity, aligning more closely with existing cybersecurity standards, and reducing the compliance burden on defense contractors. As with CMMC 1.0, it’s critical for defense contractors to fully understand the specific requirements of CMMC 2.0 in order to achieve compliance and secure contracts.
CMMC 2.0 Level 1 Requirements: Foundational Cybersecurity
Level 1 serves as the foundational tier in the CMMC 2.0 framework, primarily aimed at protecting federal contract information (FCI). It requires companies to implement 17 basic cybersecurity practices, derived mainly from the FAR (Federal Acquisition Regulation) Clause 52.204-21. The focus is on establishing fundamental cyber hygiene practices. There is no process maturity requirement at this level, meaning organizations need only to perform the specified practices. This level is designed for companies dealing with FCI that is not intended for public release, ensuring basic safeguarding measures are in place.
CMMC 2.0 Level 2 Requirements: Advanced Cybersecurity
Level 2 is a significant step up, focusing on the protection of controlled unclassified information (CUI). It aligns with the NIST SP 800-171 framework, incorporating all 110 security requirements from this standard. This level demands that organizations not only implement these practices but also establish and document mature processes to guide their cybersecurity efforts. The aim is to achieve a state of “good cyber hygiene” and includes a mix of technical and management controls to protect sensitive information. Companies at this level typically handle CUI and are required to undergo an assessment by a CMMC Third Party Assessment Organization (C3PAO).
KEY TAKEAWAYS
- Understand CMMC 2.0 Compliance Requirements and Cost Considerations: Costs vary based on organization size, complexity, and targeted CMMC level.
- CMMC 2.0 Components and Requirements: CMMC draws from NIST standards, categorizes compliance into three maturity levels, and mandates third-party assessments.
- Compliance Checklist: Assess desired maturity level, conduct self-assessment, leverage existing frameworks, create a POA&M and SSP, select a C3PAO, and set a timeline and budget.
CMMC 2.0 Level 3 Requirements: Expert Cybersecurity
Level 3 will contain all 110 requirements from Level 2, plus an additional 24 requirements from NIST SP 800-172, which is designed for protecting CUI against advanced persistent threats (APTs). Level 3 is anticipated to represent a smaller, more focused group of defense contractors that possess capabilities critical to national security interests. The specific requirements and assessment methodology for this level have been defined by the DoD in the Level 3 Guide and within Final Rule 32 CFR.
Cost of CMMC Compliance
Understanding the true cost of CMMC compliance is crucial for any organization seeking to work with the DoD. The cost can vary dramatically depending on several factors, such as the size of your organization, the complexity of your network infrastructure, and the level of CMMC compliance you are aiming to achieve. CMMC compliance costs might include cybersecurity upgrades, consultant fees, and additional training for staff.
Despite these expenses, achieving CMMC compliance is not only a requirement for DoD contractors but also a valuable investment in your organization’s cybersecurity posture.
Subsequent to these initial costs, organizations must also consider the ongoing expenses that come with CMMC compliance. These may include regular cybersecurity audits, periodic network upgrades, and the need for continuous employee training to stay ahead of emerging threats. Additional costs could arise from maintaining the required documentation or if you choose to hire a third-party service provider to manage your compliance process.
One significant factor that affects the cost of CMMC compliance is the CMMC level that your organization aspires to achieve. The CMMC model consists of five levels, with Level 1 being the most basic and Level 5 being the most advanced. Each level requires a progressively more rigorous set of cybersecurity controls, meaning the cost will increase as you move up the levels. It is crucial for organizations to accurately assess their necessary level of compliance and budget accordingly.
Another cost consideration is the size and complexity of your organization. Larger organizations with complicated network infrastructures will likely face higher compliance costs due to the increased complexity of their cybersecurity needs. On the other hand, smaller organizations may find the cost more manageable, but should still be prepared to invest in necessary infrastructure and training to ensure compliance.
While the cost of CMMC compliance can be considerable, it’s essential to view it, once again, as an investment in your organization’s future rather than just an expense. By achieving CMMC compliance, your organization not only meets the requirements to work with the DoD, but also significantly strengthens its overall cybersecurity, potentially avoiding costly cyber-attacks down the line. Therefore, while managing and planning for the cost of CMMC compliance may be challenging, the potential benefits far outweigh the initial and ongoing costs. Furthermore, non-compliance can lead to loss of business with the DoD, which can be a major blow for organizations relying on these contracts, making the cost of compliance a worthwhile investment.
CMMC 2.0 Maturity Levels
The heart of CMMC 2.0 is its maturity level hierarchy. These levels denote the capacity of a contractor to implement controls from NIST SP 800-171, with higher levels denoting a more mature cybersecurity posture that can address more complex security threats. Likewise, each level carries more responsibilities in terms of assessment requirements.
The three CMMC 2.0 maturity levels are:
- CMMC 2.0 Level 1: The “Foundational” level is the bare minimum of CMMC certification. A contractor meeting CMMC 2.0 Level 1 requirements can implement a collection of 15 controls from NIST SP 800-171.
Furthermore, in lieu of a C3PAO audit, these contractors may provide annual self-assessments and affirmations of compliance. At this level, the contractor is authorized to handle FCI.
- CMMC 2.0 Level 2: The “Advanced” level of CMMC expects that the contractor has implemented all 110 security controls listed in NIST SP 800-171.
Additionally, the contractor must undergo triennial assessments via a C3PAO, with options for self-assessment depending on DoD approval for select programs. CMMC 2.0 Level 2 is the minimum maturity level contractors must meet to handle CUI.
- CMMC 2.0 Level 3: The “Expert” level of CMMC compliance sees contractors implementing all 110 controls of NIST SP 800-171 and specific controls in NIST SP 800-172, with no exceptions for triennial C3PAO assessments.
CMMC 2.0 Level 3 is reserved for cases where significant security threats, including advanced persistent threats (APTs), must be considered.
CMMC Compliance Checklist
CMMC certification, the precursor to CMMC compliance, is a rigorous process. To become CMMC certified, companies must meet an extensive set of requirements laid out by the DoD. Below is our CMMC checklist of items that organizations must address and meet if they wish to achieve CMMC certification.
Assess the Appropriate CMMC Maturity Level for Your Organization
The first step to achieving CMMC 2.0 compliance is to determine which CMMC maturity level is most appropriate for your organization. The CMMC certification process is a tiered approach, and companies must choose the right level to pursue based on the sensitivity of the data they handle. There are three levels of CMMC certification (see above).
Perform a CMMC Self-assessment to Gauge Your Readiness for CMMC Compliance
Once you have determined the maturity level your organization wants or requires, the next step is to perform a self-assessment of your organization’s cybersecurity profile. This assessment should include a review of your organization’s cybersecurity maturity, including your policies and procedures, network security, access control, and incident response capabilities.
Leverage Other Cybersecurity Frameworks to Streamline CMMC Compliance Efforts
While achieving CMMC certification can be a complex process, organizations can make the transition easier by leveraging existing frameworks and certifications that align with CMMC requirements. CMMC was developed from existing frameworks, and there is significant overlap between CMMC and other established cybersecurity frameworks that are relied upon for regulatory compliance.
One such framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides a set of guidelines and best practices for managing and mitigating cybersecurity risks. By implementing the CSF, organizations can align their cybersecurity practices with CMMC requirements, which will likely make the certification process easier and more streamlined.
Other frameworks and certifications that can help organizations achieve CMMC certification include FedRAMP, FISMA, the International Organization for Standardization 27000 standards (ISO 27001), and NIST Special Publication 800-171. By leveraging these frameworks and certifications, organizations can ensure that they also improve their overall cybersecurity posture and can demonstrate compliance with CMMC requirements.
Build a Plan of Action and Milestones (POA&M) for CMMC Compliance
A Plan of Action and Milestones (POA&M) is a critical document that outlines an organization’s strategy to address its weaknesses and deficiencies in its cybersecurity measures. It plays a significant role in demonstrating CMMC compliance. Building a POA&M requires a series of steps. After you have identified the appropriate level, identify the gaps between your current cybersecurity posture and the required certifications. This requires a thorough assessment of your organization’s existing policies, procedures, and technical measures.
Based on the gaps identified, prioritize the areas that need to be addressed first. Then, develop a timeline for each task, including deadlines for completion of each action item. Assign tasks to team members with clear responsibilities and hold them accountable for staying on track. Lastly, document all the steps taken toward compliance and keep track of progress regularly, updating the plan of action and milestones as necessary. This approach ensures a structured and methodical approach to CMMC compliance, leading to better efficiency and timely results.
Develop a System Security Plan (SSP) to Achieve CMMC Compliance
To achieve CMMC compliance, organizations must create a system security plan (SSP) that includes details about each system in their IT environment that stores or transmits controlled unclassified information (CUI) in accordance with NIST 800-171.
The SSP outlines information flow between systems and authentication and authorization procedures, as well as company regulations, staff security obligations, network diagrams, and administrative duties. The SSP is a living document that must be updated whenever significant changes are made to a business’s security profile or procedures.
During the contract bidding and award process, the Defense Department evaluates contractors’ SSPs. To win DoD business, contractors must have an active and legitimate SSP.
Creating (and updating) the SSP can be a resource-intensive process, but it is essential for maintaining CMMC certification criteria. Therefore, contractors must ensure they have the necessary resources available to create and update the SSP.
Select a CMMC Third Party Assessor Organization to Ensure CMMC Compliance
After completing the self-assessment, you will need to select a CMMC Third Party Assessor Organization (C3PAO). A C3PAO is an organization that has been authorized by the Accreditation Body (AB) to conduct CMMC assessments. The C3PAO will be responsible for assessing your organization’s compliance with the CMMC framework.
Partnering with a C3PAO is a critical step in the process of achieving CMMC compliance. There are, however, several C3PAOs in the marketplace, and selecting the right one can be overwhelming.
Here are some considerations to keep in mind while selecting and working with a C3PAO:
- Check the CMMC-AB website for a list of authorized C3PAOs
- Look for a C3PAO with experience in your industry
- Check the C3PAO’s accreditation status
- Ask for references and feedback from previous clients
- Consider their pricing structure
Once you have selected a C3PAO, you will need to work closely with them to achieve CMMC compliance. The C3PAO will provide guidance throughout the compliance process, and they will assess your organization’s compliance with the CMMC framework.
Set a Timeline for CMMC Compliance
The CMMC certification process is a time-consuming task, and companies must plan accordingly. Here are some factors that companies must keep in mind while planning the certification process:
- Organization size
- Current cybersecurity posture
- The certification process can take up to 12 months, depending on the level of certification
- The C3PAO performs a gap analysis before the actual assessment, which can take up to three months
- The certification process requires ongoing maintenance and periodic assessments
Allocate Sufficient Resources to Achieve CMMC Compliance
The CMMC certification process can be a costly affair in terms of both financial and personnel allocation, and companies must budget accordingly. Contractors should expect to incur costs related to cybersecurity assessments, remediation, and ongoing maintenance. Here are some factors that companies must keep in mind while planning their budget:
- The cost of the certification process can vary depending on the CMMC level
- The cost of hiring a C3PAO can vary depending on their experience and accreditation status
- The certification process requires ongoing maintenance, which can add to compliance costs
How to Prepare for a CMMC Assessment
There are specific steps organizations can take to prepare for a CMMC assessment. Some of these steps include:
- Understand NIST Requirements: NIST publishes its security documentation freely on its website. As such, there is little reason your organization should not have a basic grasp of the categories of security controls that an assessment would investigate. If nothing else, having a person or group within your organization who can interface with assessors and the government will be critical.
- Perform a Gap Analysis: Hire a security firm to analyze your IT infrastructure and map out how it compares against CMMC requirements. This will provide a clear picture of where you are versus where you need to be so that you can make the required changes and upgrades.
- Conduct a Risk Assessment: While the standards of CMMC are clearly defined, you can consider industry standards or business goals before adopting them as a checklist. Conducting a risk assessment can help you understand what you need to implement for compliance without limiting your business’s ability to grow.
- Select a C3PAO: The CMMC Accreditation Body (CMMC-AB) provides an online marketplace directory of accredited C3PAOs. Use this utility to select a company you want to work with.
However, the CMMC-AB prohibits contractors from working with a C3PAO outside of their assessment relationship. For example, to avoid conflicts of interest, a C3PAO cannot provide consulting or cybersecurity IT work before assessing the company.
- Prepare for Ongoing Assessment: After the initial CMMC certification, your organization will be required to handle ongoing re-certification and monitoring. Depending on the maturity level of your certification, this could mean annual self-assessments or triennial C3PAO audits.
Get Ready for CMMC Compliance With Kiteworks
Modern, data-driven businesses will rely on secure and frictionless IT infrastructure to support their operations. When it comes to government contractors, this means using secure file sharing solutions that are CMMC-compliant.
The Kiteworks Private Content Network is just such a solution.
With Kiteworks, defense contractors and other organizations operating in highly regulated industries get secure communications through our exclusive Private Content Network. This private and protected communication platform provides organizations with secure and compliant email, file sharing, managed file transfer (MFT), web forms, and application programming interfaces (APIs).
Kiteworks features a hardened virtual appliance, end-to-end encryption, secure deployment options including a FedRAMP virtual private cloud, granular controls, authentication, security infrastructure integrations, and comprehensive logging and audit reporting, enabling organizations to demonstrate compliance with security standards easily and securely.
Kiteworks helps organizations demonstrate compliance with numerous federal and international data privacy regulations and standards that include FedRAMP, Federal Information Processing Standards (FIPS), FISMA, ITAR, the General Data Protection Regulation (GDPR), Australia’s Information Security Registered Assessors Program (IRAP), NIST CSF, ISO 27001, UK Cyber Essentials Plus, the European Union’s NIS 2 Directive, and many more.
Finally, Kiteworks enables DoD contractors and subcontractors in the DIB to achieve compliance with nearly 90% of CMMC Level 2 practices right out of the box.
Request a custom demo to learn more about Kiteworks and how the Private Content Network can help you achieve your CMMC compliance requirements, including demonstrating compliance with CMMC 2.0 Level 2.
Additional Resources
- Blog Post: A Roadmap for CMMC 2.0 Compliance for DoD Contractors
- Blog Post: 12 Things Defense Industrial Base Suppliers Need to Know When Preparing for CMMC 2.0 Compliance
- Guide: CMMC 2.0 Compliance Mapping for Sensitive Content Communications
- Video: Join the Kiteworks Discord Server and Connect With Like-minded Professionals for CMMC 2.0 Compliance Support
- Blog Post: Navigating the Road to CMMC Level 2 Compliance: Insights and Tips From an Expert