How To Prepare for a CMMC Audit
CMMC is one of the most significant compliance shakeups of the last two decades.
After years of allowing contractors to self-assess their readiness, the DoD will now require all contractors and subcontractors to pass a stringent audit of their cyber and information security programs.
With CMMC version 1.02 already released, organizations are asking themselves, “how do you prepare for an audit that’s never been done before?”
If your organization finds itself in this position, here are the steps you can take to make sure you’re ready for CMMC ahead of time.
6 Steps to Prepare for Your CMMC Audit
Step #1: Start Now
The first thing you need to know about preparing for a CMMC audit is simple: start now. CMMC is more stringent than almost any previous cybersecurity framework, so it’s highly likely that reaching CMMC compliance will be more arduous than you’re expecting.
The worst thing you could do is try to ‘rush through’ a compliance exercise at the last minute. To successfully gain CMMC accreditation, you’ll need a mature cybersecurity and information security program — that’s not something you can build overnight.
According to the CMMC Accreditation Body (CMMC-AB), DoD contractors should begin preparations at least six months before their audit — and possibly much earlier if they don’t already have a robust cybersecurity program.
Step #2: Determine the CUI Environment
As with PCI-DSS, the first step in preparing for a CMMC audit is to determine which assets and systems are in scope. This will include all assets that directly or indirectly come into contact with Controlled Unclassified Information (CUI). Collectively, these assets form your CUI environment.
In practice, your CUI environment will be set by your contracting official at the DoD or, if you’re a subcontractor, by the prime contractor. To properly prepare for your first CMMC audit, you’ll need to identify the scope of this environment in advance — either through internal assessments or by working with a professional services provider.
Note that while CMMC controls represent best practices — and are sensible precautions to take throughout your environment — they are only mandatory within the CUI environment.
Step #3: Readiness Assessment
CMMC is built on the foundation of previous, widely accepted cybersecurity standards (e.g., NIST 800-171). As a result, it’s likely existing DoD contractors already have many of the necessary controls in place, particularly for the lower maturity levels.
However, regardless of your cybersecurity program’s current status, you can’t prepare for an audit without knowing where you currently stand. A readiness assessment — including a thorough gap analysis — is essential to determine which aspects of your cybersecurity program need work. In particular, your assessment should focus on how CUI is stored, processed, and transmitted, and on ensuring that every system and process has an ‘owner’ who will establish and maintain the necessary CMMC controls.
You can think of CMMC as being divided into two categories: human systems and technical systems.
You may want to consider having an impartial assessment completed by an external party for human systems and controls. This will provide a realistic evaluation of your current readiness and will help to avoid unpleasant surprises when the real audit is completed.
For technical controls, consider using an automated solution to identify areas of technical non-compliance. These issues are challenging and time-consuming to identify manually, and systems that were compliant at one point are prone to drifting out of compliance during normal operations. An automated solution that regularly scans your environment for changes will mitigate this problem.
Step #4: Identify (and Cost) Steps to Remediation
Once you know where your gaps are, it’s time to identify the risks associated with each gap and quantify the steps needed to bring your organization into compliance. You should also estimate the cost associated with resolving each gap — this will help you prioritize and plan your compliance program.
Naturally, if your current cybersecurity program falls significantly short of CMMC compliance, the cost of gaining compliance may be significant. CMMC audits — and the work needed to pass them — are now a cost of doing business with the DoD.
While part of the audit cost may be recoupable by organizations that succeed in winning a contract, the cost of becoming compliant is not. Given that achieving CMMC compliance is more challenging than it was under previous frameworks, there is a genuine possibility that becoming CMMC compliant will prove expensive — perhaps exceeding $250,000 for level 3 compliance.
Naturally, it’s up to you to decide whether these costs are worthwhile. Keep in mind, however, that CMMC controls are based on best practices. It may be that you’ll ultimately need to take these steps anyway — particularly if other government agencies adopt CMMC — so making an effort to comply now could work in your best interest.
Step #5: Create a Compliance Roadmap
Once you have identified and assessed all of the gaps in your current program, the next step is to create a remediation roadmap. This should be ordered based on the priorities and costs calculated during the previous phase.
While the specifics of your roadmap will be individual to your organization, we would venture one piece of advice: don’t waste time.
It’s true that — for most organizations — CMMC won’t be fully implemented for several years. However, depending on the amount of change needed to bring your organization into compliance, that timeline may already be tight.
To be safe, build enough slack into your roadmap that delays can be absorbed while you are still ready before your audit date.
Step #6: Ongoing Monitoring
A CMMC audit is a point-in-time assessment of compliance. However, that doesn’t mean you can afford to let compliance lapse between assessments. Not only would this force you to reestablish compliance ahead of your next audit, but you would also run the risk of losing DoD contracts in the event of a breach.
The key thing to understand is that — without careful planning and execution — it’s easy to fall out of compliance with CMMC. To avoid this, implement a monitoring process to ensure routine changes to systems, controls, and processes don’t introduce non-compliance issues.
And monitoring isn’t only for your sake. The DoD requires contractors to monitor systems on an ongoing basis and report incidents. For large contractors with established security programs, this shouldn’t be a significant challenge. Smaller contractors may find it more difficult and will need to ensure the necessary systems and processes are in place.
Prepare for Your CMMC Audit with CimTrak
The CMMC is a significant upheaval of the status quo. Within a few years, all DoD contracts will require certification, forcing current and hopeful DoD contractors to make substantial changes to pass a CMMC audit successfully.
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC:
- AC - Access Control
- AM - Asset Management
- AU - Audit and Accountability
- CM - Configuration Management
- IR - Incident Response
- RE - Recovery
- RM - Risk Management
- SA - Security Assessment
- SC - System & Communication Protection
- SI - System & Information Integrity
To find out more about how CimTrak can help your organization prepare for a CMMC audit — and maintain CMMC compliance over time — download the CMMC Solution Brief today.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".