
If You Need to Comply With CMMC 2.0, Here Is Your Complete CMMC Compliance Checklist
Given the complexity of the Cybersecurity Maturity Model Certification (CMMC) framework, it is essential for government contractors and subcontractors to have a comprehensive CMMC compliance checklist to ensure they meet all the requirements.
This blog post explores the CMMC 2.0 compliance requirements, provides a comprehensive CMMC Compliance checklist, and offers Department of Defense (DoD) contractors practical insights into how they can achieve CMMC compliance.
What Is CMMC Compliance?
CMMC is a cybersecurity framework regulating manufacturing contractors serving in the Defense Industrial Base (DIB), an extensive list of DoD supply chain partners. Any contractor or subcontractor that processes, sends, shares, or receives controlled unclassified information (CUI) or federal contract information (FCI) must demonstrate compliance with CMMC.
The goal of this framework is to take disparate requirements and standards, coupled with several models for self-assessment and attestation, and streamline them into reliable, rigorous, and robust security practices that any business can align with.
The components of CMMC that set it apart from other federal government regulations, like the International Traffic in Arms Regulations (ITAR), the Federal Information Security Management Act (FISMA), or the Federal Risk and Authorization Management Program (FedRAMP), include:
- Controlled Unclassified Information (CUI) and Federal Contract Information (FCI): CMMC covers the storage, processing, transmission, and destruction of CUI explicitly. CUI is a unique form of data that hasn’t been designated under Secret classification but requires special protections to preserve national security. Examples of CUI may include financial information related to government contracts, personally identifiable information (PII) of government employees, or sensitive technical data related to defense systems.
- NIST Standards: CMMC, like other federal cybersecurity frameworks, draws from standards created and maintained by the National Institute of Standards and Technology (NIST). Specifically, CMMC relies on NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
- Maturity Levels: To help contractors and agencies align on the level of security required before entering into a working relationship, CMMC divides regulatory compliance into three maturity levels based on the contractor’s implementation of NIST SP 800-171 (and, at the highest level, NIST SP 800-172) controls.
- Third-party Assessments: Like FedRAMP, CMMC relies on third-party assessments performed by Certified Third Party Assessor Organizations (C3PAO).
FCI is a second, less sensitive category of information that relates to the contractual relationship between contractors and agencies. CMMC is built to handle both cases.
Additionally, some advanced levels of CMMC compliance will draw from NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”
CMMC 2.0 Maturity Levels
The heart of CMMC 2.0 is its maturity level hierarchy. These levels denote the capacity of a contractor to implement controls from NIST SP 800-171, with higher levels denoting a more mature cybersecurity posture that can address more complex security threats. Likewise, each level carries more responsibilities in terms of assessment requirements.
The three CMMC 2.0 maturity levels are:
- CMMC 2.0 Level 1: The “Foundational” level is the bare minimum of CMMC certification. A contractor meeting CMMC 2.0 Level 1 requirements has implemented a collection of 15 controls from NIST SP 800-171. In lieu of a C3PAO audit, these contractors may provide annual self-assessments and affirmations of compliance. At this level, the contractor is authorized to handle FCI.
- CMMC 2.0 Level 2: The “Advanced” level of CMMC expects that the contractor has implemented all 110 security controls listed in NIST SP 800-171. The contractor must undergo triennial assessments via a C3PAO, with an option for self-assessment on select programs, subject to DoD approval. CMMC 2.0 Level 2 is the minimum maturity level contractors must meet to handle CUI.
- CMMC 2.0 Level 3: The “Expert” level of CMMC compliance requires contractors to implement all 110 controls of NIST SP 800-171 plus specific controls from NIST SP 800-172, with no exceptions to triennial C3PAO assessments. CMMC 2.0 Level 3 is reserved for cases where significant security threats, including advanced persistent threats (APTs), must be considered.
CMMC Compliance Checklist
CMMC certification, the precursor to CMMC compliance, is a rigorous process. To become CMMC certified, companies must meet an extensive set of requirements laid out by the DoD. Below is our CMMC checklist of items that organizations must address and meet if they wish to achieve CMMC certification.
Assess the Appropriate CMMC Maturity Level for Your Organization
The first step to achieving CMMC 2.0 compliance is to assess the maturity level of your organization. The CMMC certification process is a tiered approach, and companies must choose the right level to pursue based on the sensitivity of the data they handle. There are three levels of CMMC certification (see above).
Perform a CMMC Self-assessment to Gauge Your Readiness for CMMC Compliance
Once you have determined the maturity level your organization wants or requires, the next step is to perform a self-assessment of your organization’s cybersecurity profile. This assessment should include a review of your organization’s cybersecurity maturity, including your policies and procedures, network security, access control, and incident response capabilities.
Leverage Other Cybersecurity Frameworks to Streamline CMMC Compliance Efforts
While achieving CMMC certification can be a complex process, organizations can make the transition easier by leveraging existing frameworks and certifications that align with CMMC requirements. CMMC was developed from existing frameworks, and there is significant overlap between CMMC and other established cybersecurity frameworks.
One such framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides a set of guidelines and best practices for managing and mitigating cybersecurity risks. By implementing the CSF, organizations can align their cybersecurity practices with CMMC requirements, which will likely make the certification process easier and more streamlined.
Other frameworks and certifications that can help organizations achieve CMMC certification include FedRAMP, the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO) 27000 series of standards (notably ISO 27001), and NIST Special Publication 800-171. By leveraging these frameworks and certifications, organizations improve their overall cybersecurity posture at the same time as they build the evidence needed to demonstrate compliance with CMMC requirements.
Build a Plan of Action and Milestones (POA&M) for CMMC Compliance
A Plan of Action and Milestones (POA&M) is a critical document that outlines an organization’s strategy for addressing the weaknesses and deficiencies in its cybersecurity measures, and it plays a significant role in demonstrating CMMC compliance. Building a POA&M requires a series of steps. After you have identified the appropriate maturity level, identify the gaps between your current cybersecurity posture and the requirements of that level. This requires a thorough assessment of your organization’s existing policies, procedures, and technical measures.
Based on the gaps identified, prioritize the areas that need to be addressed first. Then, develop a timeline for each task, including a deadline for completing each action item. Assign tasks to team members with clear responsibilities and hold them accountable for staying on track. Lastly, document all the steps taken toward compliance, track progress regularly, and update the POA&M as necessary. This structured, methodical approach to CMMC compliance leads to better efficiency and timely results.
Develop a System Security Plan (SSP) to Achieve CMMC Compliance
To achieve CMMC compliance, organizations must create a system security plan (SSP) that includes details about each system in their IT environment that stores or transmits controlled unclassified information (CUI), in accordance with NIST SP 800-171 and CUI regulations.
The SSP outlines information flow between systems and authentication and authorization procedures, as well as company regulations, staff security obligations, network diagrams, and administrative duties. The SSP is a living document that must be updated whenever significant changes are made to a business’s security profile or procedures.
During the contract bidding and award process, the Defense Department evaluates contractors’ SSPs. To win DoD business, contractors must have an active and legitimate SSP.
Creating (and updating) the SSP can be a resource-intensive process, but it is essential for meeting CMMC certification criteria. Therefore, contractors must ensure they have the necessary resources available to create and maintain the SSP.
Select a CMMC Third Party Assessor Organization to Ensure CMMC Compliance
After completing the self-assessment, you will need to select a CMMC Third Party Assessor Organization (C3PAO). A C3PAO is an organization that has been authorized by the CMMC Accreditation Body (CMMC-AB) to conduct CMMC assessments. The C3PAO will be responsible for assessing your organization’s compliance with the CMMC framework.
Choosing the right C3PAO is a critical step in the process of achieving CMMC compliance. There are currently several C3PAOs in the market, and selecting the right one can be overwhelming.
Here are some considerations to keep in mind while selecting and working with a C3PAO:
- Check the CMMC-AB website for a list of authorized C3PAOs
- Look for a C3PAO with experience in your industry
- Check the C3PAO’s accreditation status
- Ask for references and feedback from previous clients
- Consider their pricing structure
Once you have selected a C3PAO, you will need to work closely with them to achieve CMMC compliance. The C3PAO will provide guidance throughout the compliance process, and they will assess your organization’s compliance with the CMMC framework.
Set a Timeline for CMMC Compliance
The CMMC certification process is a time-consuming task, and companies must plan accordingly. Here are some factors that companies must keep in mind while planning the certification process:
- The size of the organization
- The organization’s current cybersecurity posture
- The certification process can take up to 12 months, depending on the level of certification
- The C3PAO performs a gap analysis before the actual assessment, which can take up to three months
- The certification process requires ongoing maintenance and periodic assessments
Allocate Sufficient Resources to Achieve CMMC Compliance
The CMMC certification process can be a costly affair in terms of both financial and personnel allocation, and companies must budget accordingly. Contractors should expect to incur costs related to cybersecurity assessments, remediation, and ongoing maintenance. Here are some factors that companies must keep in mind while planning their budget:
- The cost of the certification process can vary depending on the CMMC level
- The cost of hiring a C3PAO can vary depending on their experience and accreditation status
- The certification process requires ongoing maintenance, which can add to compliance costs
How to Prepare for a CMMC Assessment
There are specific steps organizations can take to prepare for a CMMC assessment. Some of these steps include:
- Understand NIST Requirements: NIST publishes its security documentation freely on its website. As such, there is little or no reason your organization should lack a basic grasp of the categories of security controls that an assessment would investigate. If nothing else, having a person or group within your organization who can interface with assessors and the government will be critical.
- Perform a Gap Analysis: Hire a security firm to analyze your IT infrastructure and map out how it compares against CMMC requirements. This will provide a clear picture of where you are versus where you need to be so that you can make the required changes and upgrades.
- Conduct a Risk Assessment: While the standards of CMMC are clearly defined, you should consider industry standards and your own business goals before adopting them as a checklist. Conducting a risk assessment can help you understand what you need to implement for compliance without limiting your business’s ability to grow.
- Select a C3PAO: The CMMC Accreditation Body (CMMC-AB) provides an online marketplace directory of accredited C3PAOs. Use this utility to select a company you want to work with.
- Prepare for Ongoing Assessment: After the initial CMMC certification, your organization will be required to handle ongoing re-certification and monitoring. Depending on the maturity level of your certification, this could mean annual self-assessments or triennial C3PAO audits.
Note that the CMMC-AB does not allow contractors to work with a C3PAO outside of the assessment relationship. For example, to avoid conflicts of interest, a C3PAO cannot provide consulting or cybersecurity IT work to a company before assessing it.
Get Ready for CMMC Compliance With Kiteworks
Modern, data-driven businesses rely on secure and frictionless IT infrastructure to support their operations. For government contractors, this means using CMMC-compliant communication and file management systems.
The Kiteworks Private Content Network is just that system.
With Kiteworks, you get secure, end-to-end encryption using our exclusive Private Content Network. This private and protected communication platform provides organizations with secure and compliant email, file sharing, managed file transfer (MFT), web forms, and application programming interfaces (APIs).
Kiteworks’ hardened virtual appliance, secure deployment options (including a FedRAMP virtual private cloud), granular controls, authentication, security infrastructure integrations, and comprehensive logging and audit reporting enable organizations to demonstrate compliance with security standards easily and securely.
Kiteworks helps organizations demonstrate compliance with numerous federal and international data privacy regulations and standards that include FedRAMP, Federal Information Processing Standards (FIPS), FISMA, ITAR, the General Data Protection Regulation (GDPR), Australia’s Information Security Registered Assessors Program (IRAP), NIST CSF, ISO 27001, UK Cyber Essentials Plus, the European Union’s NIS 2 Directive, and many more.
With respect to CMMC, Kiteworks achieves compliance with nearly 90% of CMMC 2.0 Level 2 practices right out of the box.
Request a custom demo to learn more about Kiteworks and how the Private Content Network can help you achieve your CMMC compliance requirements, including demonstrating compliance with CMMC 2.0 Level 2.
Additional Resources
- Blog Post: A Roadmap for CMMC 2.0 Compliance for DoD Contractors
- Blog Post: 12 Things Defense Industrial Base Suppliers Need to Know When Preparing for CMMC 2.0 Compliance
- Guide: CMMC 2.0 Compliance Mapping for Sensitive Content Communications
- Video: Join the Kiteworks Discord Server and Connect With Like-minded Professionals for CMMC 2.0 Compliance Support
- Blog Post: Navigating the Road to CMMC Level 2 Compliance: Insights and Tips From an Expert