If your organization is keeping track of CMMC developments, you may be aware of two major milestones:
- June 2020 - Requests for Information (RFIs) will begin to list CMMC requirements
- September 2020 - Requests for Proposal (RFPs) will begin to list CMMC requirements
This means that in order to continue to win business with the Department of Defense, your organization must start preparing for CMMC assessments. Unless a higher CMMC Level is specified in the contract, all contractors and subcontractors will be required to meet CMMC Level 1. Level 1 is equivalent to all the safeguarding requirements from FAR Clause 52.204-21. The FAR clause covers what can be referred to as "Basic Cyber Hygiene" practices that are being performed at least in an ad-hoc manner.
Here are 5 simple steps your organization can take to prepare for a CMMC Level 1 assessment.
Review Available CMMC Documentation and Resources
Just because you need to contract with a third party doesn't mean you should rely entirely on their knowledge. Arming yourself with a firm understanding of the framework and its expectations will be your greatest asset in becoming certified. Take some time to become acquainted with the official CMMC website and the information it provides. At a minimum, review the FAQs, the CMMC Model and the Appendices. Check this site frequently.
If you are an auditory or visual learner, the GovCon Chamber of Commerce hosted a webinar, CMMC Made Easy, with Katie Arrington, CISO for the DoD Acquisition Office. The webinar brought together a mix of people who will either be affected by the new CMMC requirements, such as small business owners, or will be supporting the accreditation process, such as the Defense Logistics Agency Procurement Technical Assistance Program (DLA PTAC).
Solidify Scope
CMMC Level 1 will be applicable for organizations that process Federal Contract Information (FCI). Per the CMMC, FCI is defined as information provided by or generated for the Government under contract that is not intended for public release. Much like other frameworks, we define the scope as including all systems and networks that process, transmit or store FCI.
Depending on the size of your organization, its available technical resources and diversity of the customer base, it is entirely possible that your entire network will be considered the scope. If you can accurately identify all data flows for all business processes related to the processing, transmission or storage of FCI, segmentation should be a consideration. During the scoping process, the organization should consider creating the following artifacts:
- Inventory of business processes related to FCI
- Data Inventory
- System Inventory
- In-scope Personnel Inventory
- Third Party Service Provider Inventory
  - Those with which FCI is shared
  - Those who have external connections into the in-scope environment
- Network Diagrams
- Data Flow Diagrams
Review Access Control
Both logical and physical access control should be evaluated prior to a CMMC audit. Consider asking yourself the following when evaluating how your organization manages access:
Logical Access
- Have all individuals been screened prior to authorizing access to systems containing FCI?
- Are users required to authenticate prior to accessing FCI?
- Can all activities be traced back to a single individual with a unique ID?
- Is access granted based on least privilege?
- Can non-FCI systems or processes interact with FCI systems?
Physical
- Have all individuals been screened prior to authorizing access to sensitive areas that have systems that process, transmit or store FCI?
- In what physical areas is FCI processed, transmitted or stored?
- Do we have any business processes that result in FCI being stored on removable media or printed on paper?
- How are visitors to these sensitive areas monitored?
- Are visitor activities logged and retained for audit? If so, how long are records retained?
Review Data Handling Practices
When organizations become hyper-focused on operations, i.e. make it work and make it efficient, sensitive data handling best practices can end up taking a back seat. Your organization must be sure it appropriately protects FCI at all stages of the business process. Is data encrypted at rest? Is data encrypted in transit? Does company policy prohibit sharing FCI via internal chat systems or email? At the end of the data lifecycle, how is the information securely destroyed, for both digital and physical media? Are your employees aware of what information is appropriate to share with the public?
For example, say your organization wins a contract with a well-known entity. Would publicizing this relationship in conversation or online be a breach of the basic safeguards for FCI? These are just a few of the questions to ask when evaluating your organization's data handling practices.
Review Incident Reporting Practices
While we hope we never have to use it, a well-polished Incident Response Plan can greatly mitigate the risks of mishandling an incident. Your organization must ensure it can identify, respond to, and notify all appropriate parties as required by contracts, state or federal regulations. When stress sets in, you want your mind to be able to focus on what is most important, not having to ponder thoughts such as "what is the phone number of my local FBI field office!?"
In addition to the plan itself, the organization should evaluate supporting processes that can shorten the organization's response time to malicious events or even prevent incidents from occurring in the first place. Security solutions such as anti-virus should be deployed to systems and configured to send events to a central logging solution.
Once the organization has established a baseline for network behavior, the logging solution can be configured to generate alerts that notify the responsible staff in real time when they need to follow up on critical and potentially malicious events. Performing vulnerability scans on systems is another practice that can help identify vulnerabilities and allow your staff to perform remediation activities before they can be exploited.
Next Steps for CMMC Level 1 Compliance
While this list is certainly not exhaustive, it should provide your organization with a solid foundation in understanding what CMMC is, how it impacts your business and what is expected of you, should you wish to continue working with the DoD.
When researching companies to help prepare your organization for the process, be cautious of marketing. The CMMC Accreditation Body (CMMC-AB) has not yet received training materials for assessors and therefore there are no official Certified Third-Party Assessment Organizations (C3PAOs). Additionally, be very wary of anyone who calls themselves a CMMC "expert". Version 1.0 of the standard was published on January 31, 2020, and the DoD is still in the process of providing updates and clarifying content.
NCC Group is a 3PAO for FedRAMP and as a result, we have our ear to the ground for all things Federal. We are closely monitoring the CMMC updates and our assessors are awaiting the CMMC-AB for training updates to become an accredited C3PAO. If you wish to work with NCC Group for CMMC related activities or have an interest in our other Federal service offerings, please visit www.nccgroup.com. You can also call us at +1-800-813-3523 to learn how our Federal services team can provide expert assessment or advisory services essential to meet your unique needs.
Still curious about meeting CMMC Level 1?
Read more about NCC Group's CMMC services, or reach out to a dedicated CMMC expert.