The Department of Defense has made it clear that self-attestation is no longer adequate for their supply chain. Cybriant can help make the CMMC certification process easier.
You know the feeling: you’re watching a movie where the outcome of a scene or plot is obvious, but the characters don’t seem to have any idea? That is how I feel about the coming Cybersecurity Maturity Model Certification (CMMC).
You see, I’ve audited and assessed enough companies to see the plot and be yelling at the screen. A majority of companies out there may know CMMC is coming. They may even know that it’s different from NIST 800-171r1 and that there are varying levels of compliance. What they’re missing, the part that has me screaming at the screen “why are you running further into the woods?!?”, is the amount of work needed to bridge the gap between where you are and where you need to go.
It’s a lot. Whatever you are thinking, it’s more than that. Much more.
Often companies, even those that are fully or mostly compliant with 800-171, will face hundreds of man-hours of work to meet CMMC. What’s a security professional to do? Start working.
Step 1: Learn
The first step is to download a copy of the latest draft regulations. Download each document and get reading. What you’ll find there is a description of what the Department of Defense is trying to accomplish: the various levels, the controls, descriptions of those controls, and further explanation.
Next, sign up for the CMMC Accreditation Board’s email alert list. This will keep you abreast of new developments in the CMMC certification process. I would also suggest familiarizing yourself with the website in general, as there is a wealth of information about how everything is going to work.
Step 2: Plan
I wouldn’t suggest starting at the top of the Appendices PDF and going to town on controls. We must first understand what level we need to meet. This is a question for your contract office contact. They will probably have a good idea of what is going to be needed on the next round of contracts that will require a CMMC component.
Most organizations are going to tell you that as soon as you understand your required level, you should start working on Level 1. That is true, but experience tells us there are actually a few steps that should be tackled before starting work.
The Good, the Bad and the Ugly
Identify those controls that you already fulfill. The good news is that each control removed is time, money and effort saved. The bad news is that there aren’t going to be as many removed controls as you might expect.
The number one issue most people face when tackling this task is determining what exactly the government means by a particular word, phrase, or sentence. Shall vs. Must vs. Could. It’s quite confusing. Fortunately, the Appendices not only include clarification information but also cite the specific sections of source documents, such as CIS or NIST, that guided each decision. However, at the end of the day, you can always call Cybriant to help you through the muddy waters. We eat and breathe this stuff and can help define what your options are for your environment.
Internal or Outsource
There’s a very good chance you’re not going to have the manpower, resources, budget, or capabilities to fulfill every control. Identify the controls you can tackle internally and those for which an outside resource will need to be brought in to help or to fully manage. Each company is different, so this is going to depend entirely on a variety of factors. A good rule of thumb is that you should outsource anything you are not an expert in. That does not mean you should be wholly ignorant of the subject. I’m a firm believer in learning enough about a subject that you have a BS meter.
Many organizations overlook the purchasing side. There’s a good chance you’re going to have to spend money on upgraded systems or security components, services (Level 4 requires a 24/7 SOC), and any number of minor or major expenses. Go through all the requirements and identify what products or services you may need to purchase.
The process of identifying and acquiring those items can occur in conjunction with internal efforts on the remaining controls. Vendors must be found, decision-makers convinced, and any number of organization-specific purchasing hurdles jumped before the product or service ends up on your doorstep. Get started with this ASAP.
Once you know what you’ll be doing and what others will be doing, it is time to estimate the time it will take to complete each requirement you are performing internally. A rough estimate is fine here; we are simply trying to ensure that we don’t leave the last two controls for the end only to find they are a two-month project. We’ll want to always be chipping away at the smaller controls while working towards the large, cumbersome ones.
Step 3: Implement the plan
Finally. The CMMC already outlines the path towards certification in its five levels. Ideally, you start with Level 1. Once you have successfully fulfilled all of its requirements, move to Level 2, and so on until you achieve the necessary level. That is easy in theory, not in practice.
As discussed in the previous section, it is imperative that you have identified what you will insource or outsource, what needs to be purchased, and what will take the most man-hours. Concurrent action should be taken on purchasing equipment, signing outsourced service provider contracts, and implementing internal controls. Again, if planned properly, the most progress will be made with the least effort.
Only then can we start working on actually implementing controls. This is where you can take the CMMC at its word and begin on all your Level 1 tasks. Logically, move to Level 2 after you’ve gotten the basics down. In fact, the CMMC calls Level 2 an intermediate step to Level 3. No one is supposed to stay on Level 2.
Notice that the bulk of this blog is related to planning. It is essential that planning receive the proper attention before you pull the trigger on enacting anything. If you don’t plan properly, you’ll increase the work.
Or you could contact Cybriant and we’ll help you every step of the way.
CMMC Draft: https://www.acq.osd.mil/cmmc/draft.html
CMMC-AB Email Alert List Signup: https://www.cmmcab.org/subscribe
CMMC-AB Website: https://www.cmmcab.org
Director of Strategic Services
With over 20 years of experience in the areas of IT Security, Infrastructure and Managed Services, Jason is an accomplished security consultant and security trainer.
Jason has had cybersecurity consulting responsibilities for a variety of clients around the globe, utilizing the NIST RMF, NIST CSF, and ISO 27001 frameworks as well as his experience as a PCI QSA. Having a background in system architecture and design, Jason brings a uniquely refreshing perspective on information security which provides clients and partners value beyond industry norms.