CMMC Compliance Assessment
CMMC Compliance Assessment Checklist
The U.S. Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC 2.0) and its compliance requirements are best managed with a CMMC compliance assessment checklist. Working through a checklist before the formal assessment brings order to the preparation and focuses remediation effort on the requirements that are not yet met.
Organizations are advised to complete a CMMC compliance assessment checklist before engaging a formal CMMC 2.0 assessor. The assessment organization then performs a comprehensive review to confirm that everything is in order for CMMC certification; the checklist is where you find the gaps first, on your own schedule and before they cost you a failed assessment.
In the section below, you’ll find several key elements of a CMMC compliance assessment checklist.
Understand What Is Involved in the CMMC Certification Process
A CMMC compliance assessment checklist should describe exactly what is required for compliance at each of the three CMMC 2.0 levels. This requires in-depth review, since each level carries numerous practices. For instance, CMMC Level 2 comprises 110 security requirements taken from NIST SP 800-171 Rev. 2, each of which is broken down into several assessment objectives that the assessor scores individually.
Identify, Assign, and Engage Internal Stakeholders
The number of stakeholders involved will vary with the size of the organization and the level it pursues. At a minimum, an effective CMMC compliance assessment needs an executive sponsor, an information technology (IT) contact, an information security representative, a representative from facilities management, and a human resources representative. For a Level 2 certification assessment, the internal team is eventually augmented by a CMMC Third-Party Assessment Organization (C3PAO), such as those listed in the Cyber AB Marketplace; Level 3 is assessed by the government (DCMA DIBCAC), and Level 1 is a self-assessment with no external assessor.
Determine the Required Maturity Level
The required CMMC 2.0 level is driven by the types of information an organization stores and processes. Organizations that handle only Federal Contract Information (FCI) meet their obligation at Level 1, which consists of 15 practices aligned with FAR 52.204-21 and is verified by an annual self-assessment rather than a third-party certification.
Level 2 is for DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI), now or in the future. To win contracts that involve CUI, organizations must meet Level 2, which is aligned with NIST SP 800-171 Rev. 2. Depending on the contract, Level 2 is verified either by a self-assessment or by a C3PAO certification assessment.
The most difficult level to achieve is Level 3, which is primarily a requirement for large prime integrators. In addition to all 110 Level 2 requirements, Level 3 adds 24 requirements selected from NIST SP 800-172, and it is assessed by the DCMA DIBCAC rather than by a C3PAO.
Document Where FCI and CUI Exist
To understand where FCI and CUI exist within the organization, completely document the people, technology, and facilities that store, process, and transmit sensitive data, as well as the systems used to protect it. Protection includes isolating systems that hold FCI and CUI with physical controls (e.g., gates, locks, guards, access badges) and logical separation (e.g., firewalls, VLANs). To identify every instance of FCI and CUI, create a data flow diagram, a network diagram, a facility diagram, and an organizational chart. These artifacts describe exactly where your sensitive data lives and how it is defended, so handle them with the same care as the data itself.
Conduct Gap Analysis
A gap analysis is used to find areas of weakness and can be conducted by an internal team or a third party. It should include a review of all documentation to uncover deficiencies in policies, procedures, or reporting across people, processes, physical security, systems, and applications. On completion, a report should summarize the findings and highlight the areas that require remediation.
Measure Performance In Each Practice Area
Each practice within the scope of the target level must be documented, with special care for practices that have multiple assessment objectives. The assessment objectives are what the assessor reviews, so organize the performance evidence so that each artifact can be mapped directly to the objective it satisfies.
Create a Plan Of Action and Milestones (POA&M) and a System Security Plan (SSP)
When deficiencies are identified through gap analysis or performance assessments, every practice that does not meet its requirements should be recorded in a POA&M. This should be paired with an SSP that describes the information system’s boundary and documents how each applicable security requirement is implemented.
In certain cases, Level 2 and Level 3 organizations can receive a conditional CMMC certification even with open POA&M items. Under the DoD’s CMMC final rule issued in October 2024, those items must be closed within 180 days of the conditional certification, and the closure verified, for the organization to receive its final certification. A minimum assessment score is also required to qualify for the conditional status, and not every requirement may be deferred to a POA&M. Level 1 does not permit POA&Ms at all.
To streamline the assessment process, Egnyte recommends that you complete all requirements before you undergo a formal assessment.
How Do You Perform a CMMC Compliance Assessment?
For each practice there are three assessment methods. To prepare for a CMMC compliance assessment, apply all three yourself, because the formal assessment will evaluate your compliance using the same methods.
1. Examine the assessment objects to determine if the required information is available, then review it for errors, omissions, or inconsistencies. The assessment objects include:
- Document-based artifacts
- Mechanisms, such as hardware, software, or firmware protection
- Activities, such as protection-related actions that involve people
2. Interview individuals to help the assessor understand the environment, answer questions, and/or gather evidence
3. Test assessment objects under specific conditions to confirm that actual behavior aligns with expected behavior
A CMMC compliance assessment is an effective way to accurately assess the current state of an organization to help identify the steps that need to be taken to become compliant.
Following is an outline of an approach for a CMMC compliance assessment:
1. Kickoff stage, where your organization should:
- Identify points of contact across departments, including IT, security, human resources, facilities, and operations
- Share an overview of the CMMC framework with key stakeholders and the extended team that will support the CMMC compliance assessment
- Provide the assessment team with guidance for formulating questions they should be asking about how data is managed and protected by your company
- Determine what information will need to be shared as part of the CMMC compliance assessment, such as password enforcement policies or security training materials
- Define the process for making that information available to appropriate stakeholders
- Develop a schedule for assessments and interviews
2. Interviews with key personnel who can attest that specific controls are in place, with notes about the CMMC artifacts that substantiate each attestation
3. Interview analysis to enable initial scoring and verification of artifacts, to confirm that CMMC compliance requirements are met
4. A report on the outcomes of the CMMC compliance assessment, released to the leadership team and other key stakeholders for review and feedback before the final report is submitted. The report should include:
- Executive summary with an overall compliance breakdown by compliance level
- An interim score, which will ultimately be recorded as the final score: self-assessment results (Level 1, and Level 2 where self-assessment is permitted) are entered by the organization into the Supplier Performance Risk System (SPRS), while C3PAO and DIBCAC certification assessment results are uploaded to the CMMC instance of the Enterprise Mission Assurance Support Service (eMASS).
- Key observations and recommendations for remediating compliance gaps
- Detailed analysis of the organization’s performance against each practice
5. Presentation and discussion of the CMMC compliance assessment results, key compliance findings, and next steps
A recommended timeline for a CMMC compliance assessment is:
- Week one:
- Conduct a kickoff meeting
- Confirm scope and objectives
- Identify stakeholders and points of contact across the organization
- Start collecting and reviewing artifacts
- Weeks two and three:
- Review the security framework
- Conduct interviews and follow-ups
- Analyze the data you’ve collected
- Gather outstanding artifacts
- Weeks four and five:
- Write and distribute a draft report
- Engage leadership and stakeholders in a review of the findings and solicit their feedback
- Incorporate feedback into the next draft of the report
- Week six:
- Issue the final report
- Conduct a review of high-level findings with the leadership team and key stakeholders
- Obtain sign-off from leadership team
- Begin work to remediate compliance gaps
Note that the timelines presented above are aligned with small organizations that have deep experience in managing DoD data. For larger organizations and companies without formalized processes for managing organizational CUI, the process is likely to take longer.
How Much Does a CMMC Compliance Assessment Cost?
The cost of a CMMC compliance assessment depends upon the size of an organization and the desired level of certification. The costs of a CMMC compliance assessment include the following:
Soft costs
This includes the time required for CMMC compliance assessment preparation, including planning, budgeting, training, and documentation.
It also includes the time that personnel require to perform these tasks, which can be completed by internal staff or third-party consultants.
Remediation
The process of identifying and closing gaps in CMMC compliance is necessary for obtaining certification. These remediation expenses can include the cost of upgrading infrastructure, facilities, and related technologies.
Remediation costs include upgrades for hardware like servers and individual computers, as well as upgrades for IT security software like firewalls and email applications.
Time commitment
A CMMC compliance assessment requires a significant amount of time on the part of company executives, managers, IT support staff, business partners, and others.
Assessment
Level 2 certification requires a formal assessment by a C3PAO, and Level 3 requires a formal assessment by the DCMA DIBCAC; both represent sizable investments in assessor fees and staff time. Level 1, and Level 2 self-assessment where the contract allows it, carry no assessor fee but still consume internal time.
Maintenance
CMMC also requires time and money to maintain technology and perform ongoing cybersecurity preparedness activities, after a contractor or subcontractor obtains its certification.
What Does the CMMC Compliance Assessment Process Consist Of?
As noted, any organization that wants to bid on and perform DoD contracts must meet the CMMC level specified in the solicitation, by self-assessment or certification assessment as that level requires. To verify that it qualifies, the organization undergoes a CMMC compliance assessment with the following steps.
Step 1: Business Scope Determination
In this first step of a CMMC compliance assessment, it is necessary to identify the entity that’s applying for certification. To streamline the CMMC compliance assessment process, business scope can be defined around a specific line of business or business unit that works on federal projects and maintains the requisite technical qualifications.
Step 2: Technical Scope Determination
Referred to as the authorization boundary in other programs (e.g., FedRAMP), the technical scope can include everything from laptops, desktops, and printers to a subset of the organization’s network and its data backups. During this phase, the scope is established by building an inventory that records, for each component, how it connects to FCI and CUI.
Step 3: Assess cybersecurity programs
This part of the CMMC compliance assessment requires an explanation of the cybersecurity systems and processes in place to protect sensitive data. It may also cover companion regulations, such as the International Traffic in Arms Regulations (ITAR), and more stringent regimes such as the Risk Management Framework (RMF), including variants for classified facilities with program-specific Joint Special Access Program Implementation Guide (JSIG) requirements.
Step 4: Review of cybersecurity controls
An in-depth review of controls should use the assessment objectives in NIST SP 800-171A and the DoD’s CMMC Assessment Guide for the target level, since those are the objectives the assessor will score against. The review should focus on the technical scope, because that is where FCI and CUI are stored, managed, and shared.
Step 5: Verify cybersecurity controls
Following the review of the cybersecurity controls that are in place, verify that they perform as expected. This means testing each control, not just reading its policy: confirm that the configured setting, the log entry, or the enforced restriction actually exists on the in-scope systems and behaves as documented.
Step 6: Review of POA&Ms
This step reviews existing POA&Ms and, where needed, creates new ones, so that the organization can plan remediation of the deficiencies that are eligible for deferral.
Step 7: Issuance of the certification
The final step of the assessment is the report and the certification decision. If eligible POA&M items remain open, the certification is conditional until they are closed and verified within the 180-day window; once all POA&M items are closed, the final certification is issued.
Other items to consider with the CMMC compliance assessment process are:
Cyber resilience checks to identify weaknesses across the IT ecosystem, including:
- Hardware and software inventories
- Staff awareness levels
- Industry threat landscape, and how it’s evolving
- Data mapping
- Physical security
- Data checks
- Domain and capabilities assessments
- Process Integration evaluation
- Staff cybersecurity awareness assessments
Five Tips to Prepare for a CMMC Compliance Assessment
1. Assess maturity and risk across business and technology processes to determine how well cybersecurity controls are actually performing.
2. Develop policies and procedures to meet compliance requirements.
3. Maintain CUI environment documentation that includes information regarding various processes, technology, and people in a CUI environment.
4. Operationalize the security policies into step-by-step procedures.
5. Use control implementation and execution metrics to identify areas that need improvement.
Benefits of a CMMC Compliance Assessment
As with any initiative that forces an organization to assess its cybersecurity posture, a CMMC compliance assessment does have significant upside. The controls set forth in CMMC reflect cybersecurity best practices that help an organization protect its data and systems from today’s steady stream of cyberthreats and risk.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000 customers with millions of users worldwide.
Last Updated: 5th November, 2024