How to Prepare for a CMMC Assessment
The Cybersecurity Maturity Model Certification is baffling enough on its own. So how do you prepare for a CMMC assessment? Do you know what maturity level your organization falls under? Can you fill in all the blanks to comply with the daunting NIST 800-171 standards?
Remember, CMMC mainly applies to Department of Defense contractors and subcontractors to safeguard the U.S. defense supply chain. Suppliers seeking CMMC levels two and beyond are required to undergo an audit and obtain an official certificate from an accredited third-party assessor (C3PAO).
Those assessors won’t be accredited until at least April 2021, so here are some tips on how to prepare for a CMMC assessment:
Step 1 – Determine your CMMC maturity level: CMMC compliance includes five cybersecurity maturity levels, depending on the necessary level of security clearance. Level 1 CMMC compliance focuses on maintaining sensitive Federal Contact Information; levels 2 and 3 establish CUI security; and levels 4 and 5 establish a strategy against advanced persistent threats. Contractors like yourself can determine their required level of CMMC compliance by taking inventory of data within their network and assessing their use of FCI and CUI, along with their storage methods and security levels.
Step 2 – Take the NIST 800-171 Self-Assessment: NIST 800-171 is a key part of the CMMC audit. The code refers to a set of guidelines that non-Federal entities must follow when storing, processing or transmitting CUI and its related security systems. Now, CMMC-compliant applicants need to submit a cybersecurity self-assessment based on the NIST SP 800-171 DoD Assessment Methodology.
Step 3 – Create your SSP & POA&M: As part of this assessment, your organization needs to create a System Security Plan and a Plan of Actions and Milestones that document that state of your network capabilities and compliance with NIST 800-171 as well as a plan to achieve 100 percent compliance.
Step 4 – Report the score to the SPRS: Applicants also are required to submit their scored assessment, SSP and POA&M to the Supplier Performance Risk System. This submission should include your system security plan’s name, network-supported CAGE codes, and an outline of its architecture. The submission should also include the date of the assessment, the total score achieved, and the expected date that a score of 110 will be reached.
Step 5 – Partner with a cybersecurity expert like 2W Tech: If you sell or are going to sell to the DoD, this affects you. There are many steps your business can be taking today to prepare for CMMC. You don’t need to go at it alone. Give 2W Tech a call today and let us help your business prepare for the Cybersecurity Maturity Model Certification and give you audit support. 2W Tech is a full-service IT Consulting firm that has a proven track record with our Cybersecurity Compliance Program.