Key Takeaways
- CMMC compliance is mandatory for DoD contractors to continue handling sensitive government data.
- Meeting CMMC standards helps organizations strengthen their cybersecurity posture and protect their sensitive data. (Secureframe)
- Early preparation and compliance give you a competitive edge and help you avoid contract delays or disqualification.
Introduction
CMMC 2.0 is now a primary requirement for any business looking to work with the U.S. Department of Defense. This standard outlines the guidelines that companies need to follow to protect government data and the steps they must take to remain eligible for DoD contracts. Some companies understand and follow these guidelines without difficulty, while others find them confusing because of the controls, documentation, audits, and security practices involved.
In this guide, we will discuss the entire process in detail, so you can understand the importance and steps to implement these rules effectively.
How to Find Out the Type of Compliance Level You’ll Need (CMMC Level 1 or 2)
The process begins with choosing the right CMMC level. For this, you need to answer one simple question: Do you handle FCI (Federal Contract Information) or CUI (Controlled Unclassified Information)?
- If you only handle FCI, then you will only need CMMC Level 1. These are basic security practices such as device protection, passwords, and simple access rules.
- If you handle CUI, your requirement will be CMMC Level 2. Level 2 has a higher level of requirement because there are additional controls needed, such as logging, monitoring, responding to incidents, and managing risk.
You may also create a document that lists all the types of government data that are stored, processed, and/or transmitted by your company to assist in determining your CMMC level. If you work with a department that shares CUI with you, you must comply with CMMC Level 2. If you are unsure of what level you need to comply with, it is best to assume you will need CMMC Level 2, considering there are many DoD contractors that are required to comply with Level 2.
Role-Based CMMC Compliance Checklist (Management, IT, HR, Vendors)
A role-based approach avoids confusion, since everyone knows their responsibilities.
Management Responsibilities
- Approve budgets for security tools
- Make sure policies are actually followed
- Assign one person as compliance owner
- Approve the SSP (System Security Plan) and POA&M
IT & Security Team Responsibilities
- Set up MFA and strong password settings
- Maintain firewalls, antivirus, and EDR
- Monitor logs and alerts
- Control who has access to what systems
HR Responsibilities
- Conduct cybersecurity awareness training for employees
- Provide onboarding security briefings for new employees
- Maintain termination checklist (remove access immediately)
Vendor & Contractor Responsibilities
- Vendors and contractors should also follow the same CMMC level
- They should sign all the security agreements
- They should confirm that all third-party tools provided by them meet DoD expectations
A clear outline of the above responsibilities makes it easy to define which teams are responsible for the various CMMC certification processes.
CMMC Level 1 Checklist: Foundational Security Requirements
CMMC Level 1 is meant for protecting FCI, and therefore, it includes basic but essential security practices. These are easy steps that any small or mid-size contractor can implement.
Key requirements include:
- To protect against unauthorized access, make sure you have a strong password that is hard to guess, and enable Multi-Factor Authentication (MFA).
- You should restrict access so that only those who need access can see the information.
- Make sure your devices are protected with an antivirus program and a firewall. Also, ensure that the operating systems and applications on the devices are regularly updated.
- Be sure to secure remote access for employees working remotely.
- Backup data so you can recover it if something goes wrong.
- Scan for vulnerabilities and fix issues quickly.
- Limit physical access to systems that store government data.
To meet these controls, you don’t need advanced tools or expensive solutions. Most controls can be handled with standard business software. The only thing that matters is having proof of consistently following each practice.
CMMC Level 2 Checklist: Expanded Controls for Protecting CUI
Level 2 is built on the basics but also focuses on protecting CUI using the 110 controls from NIST 800-171. If you are handling sensitive DoD data, then you must follow this level.
Important Level 2 requirements include:
- Advanced access control that includes role-based access and session monitoring
- Continuous monitoring of systems, logs, and network activity
- Incident response plan to guide your team during a breach
- Regular risk assessments to identify weaknesses
- Security training focused on phishing, social engineering, and safe data handling
- Audit logging for all important actions
- System integrity protection, such as EDR, anti-malware, and configuration control
- Encryption of data both in transit and at rest
If you are at Level 2, you will most likely have additional requirements for documentation and ongoing monitoring. Following the steps above will help you stay in compliance with DoD expectations and ensure you are prepared for the audit.
Documentation Required for CMMC (SSP, POA&M, Evidence Examples)
Many people find the documentation portion of CMMC to be the most confusing. However, once you identify all the necessary documentation, you will be better prepared.
Important documentation required for CMMC certification includes:
- SSP (System Security Plan): Comprehensive information regarding all systems, tools, policies, and how security is implemented.
- POA&M (Plan of Action and Milestones): This includes a list of any outstanding issues that need to be corrected, with deadlines.
- Network diagrams: A simple illustration of how various devices and systems are interconnected.
- Asset inventory: This includes inventory lists for all laptops, servers, applications, and their users.
- Incident response plan: This document is used by your incident response team during incidents.
- Access control matrix: A graphical representation of which users have access to which systems.
Auditors may also check the documentation you provide and match it against your actual practices. So, you need to ensure that all relevant documents are handy, including screenshots, tool reports, log samples, policies, and training records.
CMMC Readiness Scoring: A Simple Method to Measure Your Progress
The easiest way to measure your path toward certification is a simple score for each control, which shows how far you are from certification and pinpoints your areas of greatest concern. A simple scoring method is:
- 0 - Not Implemented: You haven't implemented a control yet.
- 1 - Partially Implemented: You have started, but lack evidence and/or consistency.
- 2 - Fully Implemented: You meet the requirement and can show evidence.
- 3 - Managed & Monitored: You have the control, and it is regularly reviewed.
You should score yourself for every Level 1 or Level 2 control. If your average score turns out to be below 2, you will need to put in more work before facing a C3PAO. If your average score is 2 or higher, then it means you are in good shape and only need some fine-tuning.
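As an added illustration of this scoring method (example code, not from the original article), the Python below scores a constructed list of controls on the 0-3 scale, treats a Level 2 assessment as including the Level 1 controls, rejects a score of 2 or higher that has no evidence behind it, and lists every control below 2 as a POA&M item; the control labels are hypothetical placeholders, not real NIST SP 800-171 identifiers.

```python
"""Readiness scorer for the 0-3 CMMC self-scoring scale described above."""
from dataclasses import dataclass

NOT_IMPLEMENTED, PARTIAL, FULL, MANAGED = 0, 1, 2, 3
SCALE = {0: "Not Implemented", 1: "Partially Implemented",
         2: "Fully Implemented", 3: "Managed & Monitored"}


@dataclass
class Control:
    control_id: str    # hypothetical label, not a real NIST SP 800-171 identifier
    level: int         # 1 or 2: the lowest CMMC level that requires this control
    score: int         # 0-3 on the scale above
    has_evidence: bool  # can you show an auditor proof (screenshots, logs, reports)?


def validate(control: Control) -> None:
    """Reject scores outside the scale, and a 'Fully Implemented' claim with no evidence."""
    if control.score not in SCALE:
        raise ValueError(f"{control.control_id}: score must be 0-3")
    if control.score >= FULL and not control.has_evidence:
        raise ValueError(f"{control.control_id}: score {control.score} requires evidence")


def controls_in_scope(controls, target_level):
    """Level 2 builds on Level 1, so a Level 2 assessment scores both sets (assumption)."""
    return [c for c in controls if c.level <= target_level]


def readiness(controls, target_level):
    """Average the in-scope scores; below 2 means more work before facing a C3PAO."""
    scoped = controls_in_scope(controls, target_level)
    if not scoped:
        raise ValueError("no controls in scope for the requested level")
    for c in scoped:
        validate(c)
    average = sum(c.score for c in scoped) / len(scoped)
    poam = [c.control_id for c in scoped if c.score < FULL]  # open gaps to track with deadlines
    return {"average": round(average, 2), "poam": poam, "ready_for_c3pao": average >= FULL}


# Constructed sample self-assessment (placeholder labels, not real control numbers).
SAMPLE = [
    Control("PH-AC-1", 1, MANAGED, True),          # access limited to authorized users
    Control("PH-IA-1", 1, FULL, True),             # MFA and password rules
    Control("PH-PE-1", 1, PARTIAL, False),         # physical access limits, no proof yet
    Control("PH-AU-1", 2, NOT_IMPLEMENTED, False),  # audit logging of admin actions
    Control("PH-IR-1", 2, PARTIAL, False),         # incident response plan drafted only
    Control("PH-SC-1", 2, FULL, True),             # encryption in transit and at rest
]

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Level {level}: {readiness(SAMPLE, level)}")
```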
Common CMMC Audit Failures and How to Avoid Them
Many companies fail CMMC audits because of simple mistakes. Knowing these mistakes can help you avoid unnecessary delays.
Common failures include:
- Missing or incomplete SSP, which is the most important document
- No evidence, even if controls are in place
- Unclear data flow for CUI within the company
- Outdated software or unpatched systems
- No logging or monitoring, especially for admin activity
- Remote access without MFA
- Subcontractors not following the same CMMC level
It is possible to avoid the problems mentioned above by conducting an internal audit, reviewing documentation, testing controls, and collecting evidence on an ongoing basis. Most failures occur when teams do not collect evidence early, typically waiting until the last minute to gather everything together for submission.
30-Day Roadmap to Prepare for CMMC Certification
Week 1:
- Identify whether you handle FCI or CUI
- Confirm your required CMMC level
- Map data flows and list all assets
Week 2:
- Implement Level 1 or Level 2 controls
- Enable MFA, logging, monitoring, and backups
- Train employees
Week 3:
- Build your SSP and POA&M
- Prepare network diagrams and policies
- Collect screenshots, logs, and reports as evidence
Week 4:
- Perform an internal assessment
- Fix remaining issues
- Prepare your certification plan (if Level 2)
Following this roadmap helps manage the process easily.
Tools and Technologies That Help You Meet CMMC Requirements
You do not need expensive tools to achieve compliance with CMMC. Most companies already have the necessary functionalities built into their current tools. However, there are certain tools that make compliance much easier.
Here are some categories that can assist with compliance:
- Endpoint security tools such as EDR or antivirus
- SIEM or log monitoring tools for monitoring user activity
- Password and access management tools for multi-factor authentication (MFA) and role-based access
- Backup solutions for FCI and CUI
- Vulnerability scanners for identifying weaknesses
- Documentation tools that help build the SSP and POA&M
- Cloud security controls if you store or process data online
It is necessary for you to select the tools that integrate with your existing systems and provide auditors with reports that are easy to read.
When You Need a C3PAO and What Certification Typically Costs
If you are looking to achieve CMMC Level 2, then you will need a C3PAO (Certified Third-Party Assessment Organization). Level 1, by contrast, requires only an annual self-assessment.
The cost of a C3PAO assessment for Level 2 varies based on:
- Size of your company
- Number of systems and users
- Complexity of your environment
- Time needed to review your documentation and evidence
Preparing well in advance of the audit may reduce the cost, because assessors spend less time identifying gaps.
Final CMMC Compliance Checklist
Here is a quick recap you can use as your final checklist:
- Identify CMMC level (1 or 2)
- Assign responsibilities
- Implement Level 1 or Level 2 controls
- Prepare documentation (SSP, POA&M, diagrams)
- Enable MFA, logging, backups, and monitoring
- Complete security training
- Score your readiness
- Fix remaining gaps
- Prepare evidence for every requirement
- If you are Level 2, then schedule your C3PAO audit
This summary helps you keep track of your progress through CMMC 2.0.
Conclusion
Although CMMC 2.0 can appear complicated, if you break it into individual and identifiable steps, it becomes less overwhelming. If you pick the most appropriate level for your organization, follow the checklists associated with that level, build the necessary documentation, and evaluate your physical security and security controls, you will increase your ability to certify at that level. With proper preparation, your organization will remain compliant with the requirements of this regulation while also maintaining its ability to conduct business with the DoD. SafeAeon can support you through the preparation process. Their team can help with documentation and other steps needed to get your organization ready for CMMC compliance.