The Cybersecurity Maturity Model Certification (CMMC) is an assessment program designed to ensure that DoD contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
With CMMC 2.0 as the latest revision, there have been significant changes to the original model structure to further align with NIST standards.
If your organization is embarking on the journey to CMMC 2.0 compliance, here are the steps you can take to make sure you’re ready for CMMC ahead of time.
6 Steps to Prepare for Your CMMC Audit
Step 1: Start Now
The first thing you need to know about preparing for a CMMC audit is simple: start now. CMMC is more stringent than most cybersecurity frameworks, so it’s highly likely that reaching CMMC compliance will be more arduous than you’re expecting.
The worst thing you could do is try to ‘rush through’ a compliance exercise at the last minute. To successfully gain CMMC accreditation, you’ll need a mature cybersecurity and information security program — that’s not something you can build overnight.
According to the CMMC Accreditation Body (CMMC-AB), DoD contractors should begin preparations at least six months before their audit — and possibly much earlier if they don’t already have a robust cybersecurity program.
Step 2: Determine the CUI Environment
Like PCI-DSS, the first step in preparing for a CMMC audit is to determine which assets and systems are in scope. This will include all assets that directly or indirectly come into contact with Controlled Unclassified Information (CUI). Collectively, these assets form your CUI environment.
In practice, your CUI environment will be set by your contracting official at the DoD or, if you’re a subcontractor, by the prime contractor. To properly prepare for your first CMMC audit, you’ll need to identify the scope of this environment in advance — either through internal assessments or by working with a professional services provider.
Note that while CMMC controls represent best practices — and are sensible precautions to take throughout your environment — they are only mandatory within the CUI environment.
Step 3: Readiness Assessment
CMMC is built on the foundation of previous, widely accepted cybersecurity standards (e.g., NIST 800-171). As a result, it’s likely existing DoD contractors already have many of the necessary controls in place, particularly for the lower maturity levels.
However, regardless of your cybersecurity program’s current status, you can’t prepare for an audit without knowing where you currently stand. A readiness assessment — including a thorough gap analysis — is essential to determine which aspects of your cybersecurity program need work. In particular, your assessment should focus on how CUI is stored, processed, and transmitted and ensure all systems and processes have an ‘owner’ who will establish and maintain the necessary CMMC controls.
You can think of CMMC as being divided into two categories: human systems and technical systems.
You may want to consider having an impartial assessment completed by an external party for human systems and controls. This will provide a realistic evaluation of your current readiness and will help to avoid unpleasant surprises when the real audit is completed.
For technical controls, consider using an automated solution to identify areas of technical non-compliance. These issues can be challenging and time-consuming to identify manually and prone to falling out of compliance during normal operations. An automated solution that regularly scans your environment for changes will mitigate this problem.
Step 4: Identify Steps (and Cost) to Remediation
Once you know where your gaps are, it’s time to identify the risks associated with each gap and quantify the steps needed to bring your organization into compliance. You should also estimate the cost associated with resolving each gap — this will help you prioritize and plan your compliance program.
Naturally, if your current cybersecurity program falls significantly short of CMMC compliance, the cost of gaining compliance may be significant. CMMC audits — and the work needed to pass them — are a cost of doing business with the DoD.
While part of the audit cost may be recoupable by organizations successful in winning a contract, the cumulative resources required to achieve compliance are not. Given that achieving CMMC compliance is more challenging than with other frameworks, there is a genuine possibility that becoming CMMC compliant will prove expensive. While official costs have yet to be published, it is estimated that the cost for CMMC compliance can range between $30,000 and $200,000, depending on the circumstance.
Naturally, it’s up to you to decide whether these costs are worthwhile. Keep in mind, however, that CMMC controls are based on best practices. It may be that you’ll ultimately need to take these steps anyway — particularly if other government agencies adopt CMMC — so making an effort to comply now could work in your best interest.
Step 5: Creating a Compliance Roadmap
Once you have identified and assessed all of the gaps in your current program, the next step is to create a remediation roadmap. This should be ordered based on the priorities and costs calculated during the previous phase.
While the specifics of your roadmap will be individual to your organization, we would venture one piece of advice: don’t waste time.
To be safe, make sure your roadmap can accommodate delays without the risk of failing to be ready ahead of your audit date.
Step 6: Ongoing Monitoring
A CMMC audit is a point-in-time assessment of compliance. However, that doesn’t mean you can afford to let compliance lapse between assessments. Not only would this force you to reestablish compliance ahead of your next audit, but you would also run the risk of losing DoD contracts in the event of a breach.
The key thing to understand is that — without careful planning and execution — it’s easy to fall out of compliance with CMMC. To avoid this, implement a monitoring process to ensure routine changes to systems, controls, and processes don’t introduce non-compliance issues.
And monitoring isn’t only for your sake. The DoD requires contractors to monitor systems on an ongoing basis and report incidents. For large contractors with established security programs, this shouldn’t be a significant challenge. Smaller contractors may find it more difficult and will need to ensure the necessary systems and processes are in place.
Prepare for Your CMMC Audit with CimTrak
With CMMC, DoD contracts require certification, forcing current and hopeful DoD contractors to make substantial changes successfully to pass a CMMC audit.
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to substantially improve cybersecurity maturity. CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.
Crucially, CimTrak’s functionality maps directly to many of the control objectives of CMMC.
- AC - Access Control
- AM - Asset Management
- AU - Audit and Accountability
- CM - Configuration Management
- IR - Incident Response
- RE - Recovery
- RM - Risk Management
- SA - Security Assessment
- SC - System & Communication Protection
- SI - System & Information Integrity
To learn more about how CimTrak can help your organization prepare for a CMMC audit — and maintain CMMC compliance over time — download the CMMC Solution Brief today or schedule a free consultation with one of our experts.
