Build Your CMMC Roadmap Now for More DoD Business in the Future
If your company does work for the U.S. Department of Defense, you need to start planning for CMMC today, whether you build the battleships or the nuts and bolts that bind them together.
All contractors and subcontractors that work with the DoD will need to comply with the Cybersecurity Maturity Model Certification (CMMC) in some form by 2025. The DoD will incorporate these rules into its contracts as part of a broader effort to protect its supply chain and the Defense Industrial Base (DIB) against cybersecurity threats, so it’s imperative that you start planning today.
2025 might sound like the distant future when you operate in an industry where the most important contract is often the next one you land, but the path to compliance can be daunting if you aren’t prepared. Also, these regulations are already being rolled into some contracts and the pace will only accelerate as the final CMMC deadline approaches.
Thankfully, the DoD’s benchmarks are all achievable with proper planning and execution. In this blog, you’ll get a high-level overview of how to build your CMMC roadmap, so business leaders and IT decision makers can position their organizations to hit the ground running and win more DoD contracts as CMMC goes into effect.
Identify the Appropriate Level for your Business
The first step for any DoD contractor is to assess which of the three CMMC levels likely applies to their business. Each level is defined by a set of cybersecurity practices: technical activities governing how different types of sensitive data are used and accessed in the course of the contract. Level 1 is the easiest to attain and Level 3 the hardest.
- Level 1 (Foundational). Consists of 17 practices and allows for annual self-assessments that are uploaded to the Supplier Performance Risk System (SPRS). This is used by the DoD to identify, monitor, and analyze these self-reported assessments.
- Level 2 (Advanced). Includes the 110 security requirements from the NIST 800-171 standard. Participating companies will likely need triennial (every three years) audits by a C3PAO (CMMC Third-Party Assessor Organization).
- Level 3 (Expert). The 110 NIST 800-171 controls will be in play, but the final requirements will be announced at a later date. Level 3 assessments will be performed by the government instead of a C3PAO.
Each ascending tier will have fewer and fewer applicants. An estimated 140,000 contractors will be subject to Level 1 because they handle Federal Contract Information (FCI); another 80,000 DIB contractors will need Level 2 certification because they handle Controlled Unclassified Information (CUI); and 5,000 will need Level 3 certification because they handle Controlled Defense Information (CDI).
Most contractors that have previously worked with the DoD should have a good sense for which level applies to them, based on previous contracts. Plus, each future contract subject to CMMC will spell out which level of certification is expected for the work.
However, a small subset of contractors may make the leap from Level 1 to Level 2 because data that was originally pegged as FCI is now bucketed with CUI. Moving up a level can also open the business to a broader set of contracts to bid on. In those cases, we recommend starting with a smaller-scope environment that uses secure data enclaves, so the CUI boundary you must certify stays as small as possible.
Editor’s note: CMMC Model 2.0 is the second iteration of the federal framework. For more information on how it differs from Model 1.0, check out this webinar, which addresses some of the biggest changes between the CMMC versions. And read this guide for a closer look at the various components of CMMC compliance.
Evaluate Your Current Cybersecurity Posture
Once you determine which tier applies to your business, the next step in your CMMC roadmap is to assess your preparedness by analyzing your IT infrastructure and cybersecurity operations. At a high level, each of the practices outlined in CMMC falls under these six core areas:
- Roles and responsibilities for IT security personnel, senior management, risk management
- Access control for CUI across your organization and measures to prevent unauthorized access to that data
- Partner relationships, including vendor onboarding and offboarding and any evaluation of those partners’ cybersecurity postures
- Incident response, including how incidents are reported, tracked, and reviewed
- Business continuity plans for how you expect to recover from a security incident or natural disaster
- Training and education of staff on the security measures and policies implemented
If you don’t know how your business handles these areas or if you’re starting a new business, it’s imperative that you get answers as soon as possible. As the saying goes, you don’t know what you don’t know. You can’t begin to fix existing shortcomings if you don’t even know what policies and procedures are currently in place.
Of course, your ability to do those assessments goes hand in hand with the number of IT resources at your disposal. The more IT staff you have, the more likely you are to already have these controls in place, or at very least the proper documentation to get those answers more quickly.
Larger companies may need some assistance codifying those practices into formal records that can be audited for compliance, but organizations with smaller IT staff will struggle with CMMC compliance on their own. It could take them months to complete this exercise, especially if they need to sort out the 110 practices related to CUI data.
In those cases, the best approach is to partner with a trusted advisor that specializes in this field, either through consulting work or technology that can automate many of the tasks.
Close Your CMMC Gaps
The final step before submitting your compliance assessment is to create and execute a plan to remediate any gaps that surfaced during your assessment. This will bring you closer to CMMC compliance, and it will be money well spent because you’ll be that much closer to being eligible for DoD contracts.
Again, your ability to close these gaps directly aligns with your existing resources and practices, so plan your CMMC roadmap accordingly. If you’re very early in this process, reach out to a third party to conduct a readiness assessment. They’ll be able to give you a holistic view of where you stand and what you still need to do.
And if you’re analyzing your partner relationships, choose a product or technology that lets you inherit some of the controls from the provider so you don’t have to implement them yourself. This could include security measures like data encryption or multi-factor authentication.
Keep in mind, though, that CMMC compliance is a shared responsibility. While a technology partner can carry much of the load, certain elements will still fall on your shoulders, such as training employees on cybersecurity best practices.
Egnyte Simplifies CMMC Compliance
As you can see, there’s a lot to consider as part of your CMMC roadmap, so the path to success requires a proactive approach. That’s why Egnyte has developed a powerful and easy-to-use solution for CMMC.
Egnyte for CMMC Compliance is built on a framework that includes Google Cloud and Truyo, and it shortens the time it takes to reach compliance from months to weeks. It includes configurations to help identify potential risks and to address many aspects of the required CMMC control documentation. There are also critical governance controls, self-assessment tools, and professional services to help navigate the process.
We believe this approach, which combines technology and consulting, makes CMMC compliance attainable for every organization, regardless of size. To learn more about Egnyte’s CMMC offerings, please check out our CMMC 2.0 website or take an interactive product tour, and good luck as you begin your journey toward CMMC compliance.