8 Best Practices For CMMC Compliance

Below are 8 best practices for CMMC compliance that our experts believe can give your organization a competitive advantage over other vendors in the defense industrial base and get you closer to reaching full CMMC compliance.


1. Identify CUI specific to the contract

In addition to identifying CUI, you also need to determine its storage location, how it’s processed and where it’s transmitted. You also need to identify the processes, services, and systems within the scope of DFARS 252.204-7012/NIST SP 800-171. This information describes your CUI environment, which auditors will closely scrutinize during the audit.


The contracting official for the DoD will define CUI in the contract for the prime contractor, who is then required to provide that definition in its contracts to subcontractors. Your contracting official or prime contractor should be able to provide further guidance on whether a particular data set qualifies as CUI.


2. Identify the NIST 800-171 controls that apply to your CUI environment

Once you’ve defined your CUI environment, you can identify the processes, systems, and services in that environment that are within the scope of NIST SP 800-171.  This identification process will be based on CUI’s storage, processing, and transmittal. NIST SP 800-171 defines 110 CUI controls across 14 domains.


You must then identify the controls that apply to your environment. In the case of simple, flat networks, all these controls will probably apply to your entire organization. For a segmented CUI environment, most controls should apply only to specific sub-networks rather than every system in your organization’s IT infrastructure.


3. Develop policies, procedures, & standards to address CMMC compliance requirements

This process involves identifying all the laws and regulations that apply to your organization’s contract. Applicable laws can include domestic and international cybersecurity and data privacy laws, industry-specific regulations, and contract requirements from both partners and clients. This practice requires significant due diligence to find the requirements for your company’s specific situation.


4. Document controls, policies, procedures, & standards

Your system for documenting these requirements should build on supporting components, resulting in a hierarchical structure that provides strong governance. This system should also manage requirements with an approach that integrates documentation into implementing these tasks.


This strategy will help provide an understanding of the documentation that helps an organization make well-informed decisions regarding security risks, including management involvement, staffing resources, and technology purchases. Contractors often view data governance as an obstacle rather than an asset, failing to properly scope documentation. However, such documentation must be concise and written, while showing that a CMMC compliance requirement is adequately met.


Praetorian Secure has an in-depth document repository that can support all organizations through this process. Avoid writing a single policy document that attempts to meet all documentation requirements, including high-level security concepts, configuration, and work assignments. This approach will only serve to create confusion across all operations.


5. Implement the appropriate NIST 800-171 & CMMC controls

Implementing these standards involves operationalizing your organization’s cybersecurity and data privacy programs by combining people, processes and technology correctly. Addressing the applicable NIST 800-171 and CMMC requirements by implementing the necessary actions allows an organization to bring its policies and procedures to life.


This step also includes identifying the parties responsible for each CUI control, along with the roles and responsibilities of each team member, while ensuring that requirements don’t fall through the cracks and aren’t implemented improperly due to a misunderstanding on the part of the individuals responsible for those controls.


6. Document the CUI environment, including its controls & known deficiencies

This step populates the Plan of Action and Milestones (POA&M) and System Security Plan (SSP) with details specific to your organization. The POA&M is essentially a list of NIST SP 800-171 control deficiencies that currently exist for the organization. The SSP documents the people, processes, and technologies comprising the CUI environment and the location for this information. These are living documents central to documenting a NIST SP 800-171 compliance program, so they must be regularly updated to reflect changes in the CUI environment.


They’re also key documents for the CMMC audit, so an auditor will ask for them early in this process. Failure to provide these documents is considered non-compliance with CMMC, resulting in negative consequences such as a False Claims Act (FCA) violation.


7. Use the controls to assess the maturity & risk of business & technology processes

Many methodologies currently exist for helping an organization manage risk, including ISO 31010, OCTAVE, and NIST 800-37. These methodologies share common traits such as the requirement to assess the implemented controls’ effectiveness and the extent to which those controls reduce risk and demonstrate maturity level.


No system for assessing business and technology processes can ever be perfect, so it’s important to select the one that best matches how an organization functions.  As a result, the CMMC auditors may accept a separate risk methodology for making operational, strategic, and tactical decisions, since each methodology has its pros and cons for a particular application. The end goal of defining and achieving the desired level of risk-taking is the most important thing to remember with this practice.


All phases of the Secure Development Lifecycle (SDLC) must manage risk, whether the solution you’re developing is an application, service, or system. The scope of this process must include the SDLC’s direct assets in addition to those of its supporting components. In some cases, this can include the assets of third-party providers that relate to the availability, confidentiality, integrity, and safety aspects of data protection.


8. Use metrics to identify areas of improvement for the controls

Gathering metrics is a key task in monitoring CMMC controls. Metrics provide a snapshot of a control’s performance for a particular instant in time, but they also provide broader benefits such as analyzing long-term trends. Your organization can use this trend analysis to identify ways of improving its security posture.


This process requires you to define the Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) with critical importance to your organization, which can provide valuable insight into its security controls. The KPIs and KRIs of each organization primarily depend on the priority of each control, which is affected by factors such as contractual and regulatory obligations.



It’s important to note that these CMMC best practices are not exhaustive, and organizations should consult the CMMC framework and guidance from the DoD to ensure that they are meeting all necessary requirements for CMMC compliance. Also, our list of CMMC best practices is based on our knowledge and is not legal advice. Furthermore, companies must realize that 100% adherence is going to be required to bid on any DoD contracts going forward, as early as July 2023. So accomplishing CMMC compliance sooner rather than later will be beneficial.
