3 Steps to Prepare for Your CMMC Assessment

The Cybersecurity Maturity Model Certification (CMMC), drafted by the Department of Defense, is a new standard that verifies the implementation of the processes and practices associated with a set of cybersecurity maturity levels. CMMC leverages established cybersecurity practices, including those specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, to ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled by defense contractors. Note that this information is sensitive but unclassified; CMMC does not govern classified data.

What makes CMMC different from NIST SP 800-171, which relies on contractor self-attestation, is the requirement of an assessment by a certified third-party assessor organization (C3PAO) that assigns a cybersecurity maturity level based on your organization's ability to demonstrate the required practices and processes. The CMMC framework contains domains similar to the control families of NIST SP 800-171 and the security-related areas of the Federal Information Processing Standards (FIPS), with the addition of three domains: asset management, recovery, and situational awareness.

Is your cybersecurity stack prepared for its CMMC assessment? Here is our recommended course of action to ensure success.

Gather Evidence

It’s vital to understand your current security posture so that you can adapt and refine your processes before an assessor arrives. Your CMMC assessment will evaluate you against one of five levels, each with its own set of practices (the technical controls) and process-maturity requirements (how consistently those controls are documented, managed, and reviewed), and each tied to the type of information you handle. Below is a high-level overview of these levels:

Level 1: Performing basic cyber hygiene practices. This level focuses on the protection of Federal Contract Information (FCI) and is concerned with basic cybersecurity processes appropriate for small companies.

Level 2: Documenting intermediate cyber hygiene processes. This level requires that you meet universally accepted cybersecurity best practices, in addition to a subset of the security requirements specified in NIST SP 800-171 and practices from other standards and references.

Level 3: Managing good cyber hygiene processes. This level focuses on safeguarding Controlled Unclassified Information (CUI). It requires all 110 security requirements of NIST SP 800-171 plus 20 additional CMMC practices, and it is the minimum level for any contractor that stores, processes, or transmits CUI.

Level 4: Proactive reviews. This level focuses on the effectiveness of protecting CUI from advanced persistent threats (APTs), encompassing a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other sophisticated cybersecurity best practices.

Level 5: Optimizing advanced & progressive processes. This level requires that your entire organization meet highly advanced cybersecurity practices and standards. Like Level 4, it also focuses on the protection of CUI from APTs.

Perform Gap Analysis

In order to properly prepare for your CMMC assessment, we strongly advise that you engage a managed security service provider (MSSP) to perform a gap analysis. Gap analyses and risk assessments are designed to identify the practices and processes at your target level that your infrastructure does not yet fully implement, and to locate the evidence an assessor will expect for those you do. They are helpful in understanding how close you are to meeting the minimum CMMC requirements for your target level.

Ronathan can support your organization by conducting a risk assessment. During this analysis, Ronathan can evaluate your current policies, procedures, and evidence to identify gaps against the CMMC practices and process requirements for your target level.

Some issues commonly revealed during gap analysis can include:

  • Improper measures regarding information access, such as shared accounts or access rights that are never reviewed or revoked.
  • Informal, undocumented training of information system administrators and managers.
  • Insecure storage of data records, including CUI kept on systems outside the defined assessment boundary.
  • Security controls that are partially implemented or implemented without supporting documentation and evidence.
  • Lack of a written, tested incident response plan.

A thorough understanding of your risk areas will help you prepare for the changes that your company needs to undertake in order to meet CMMC level requirements.

Mitigate Gaps

Once you’ve identified the gaps in your cybersecurity infrastructure, you can begin implementing a remediation plan as directed by your MSSP. Depending on the severity of your gaps, this process could range from inexpensive, straightforward fixes to more extensive and involved procedures.

After applying your revisions, your MSSP will reevaluate these changes to confirm that they satisfy the CMMC requirements for your target level. You will be provided with supporting documentation (policies, procedures, and evidence artifacts such as configuration records and logs) that can be presented to the C3PAO assessors; the certification decision itself rests with the assessors, not the MSSP. Additionally, you will be responsible for maintaining the effectiveness of your cybersecurity infrastructure between assessments with consistent monitoring and reporting, since the assessment verifies practices that are in place and repeatable, not a one-time cleanup.

Learn More About CMMC Requirements

Wondering if you’ll be compliant with regulations? ESR’s holistic approach seeks to provide the disciplines necessary for a successful transition of new cyber capabilities into your organization. We offer risk and control analysis automation, cyber program management support, and more.

Get in touch with us for more information on how our services can better prepare you for your CMMC assessment.