Summary
Since 2019, the Defense Department has been developing CMMC (Cybersecurity Maturity Model Certification), a unified standard designed to help defense contractors meet minimum cybersecurity requirements for handling sensitive information such as controlled unclassified information (CUI) and federal contract information.
The US government uses NIST 800-171 (110 requirements) or NIST 800-53 (over 1000 requirements) as the security framework for CMMC certifications.
Many business leaders have questions about getting started. Fortunately, AT-NET’s security compliance professionals are versed in CMMC and are available to answer any questions and guide businesses through the process.
Implementing NIST 800-171 takes a minimum of 6 months and as long as several years, depending on the complexity of the business.
Our goal is to remove the burden and complexity of CMMC from our clients by providing experts to guide them on the journey through documentation, processes, procedures, software, and hardware. The result of the engagement is CMMC 2.0 Certification and better overall corporate security posture.
Readiness Process
High-Level CMMC Engagement:
- Free Initial Consultation to discuss engagement and assess starting point.
- Meeting to Map and Document CUI (Controlled Unclassified Information) flow within the organization.
- AT-NET provides extensive review of systems and makes necessary hardware/software recommendations.
- AT-NET drafts a series of 25+ organizational policies for review and ratification.
- Following ratification, the documents are published and followed within the organization.
- AT-NET implements the approved hardware/software to make your organization more resilient to cybercrime and improve your CMMC stance.
- After all systems are operational, you are ready for a C3PAO (Certified Third-Party Assessor Organization) Readiness Review. A C3PAO is only needed if your contracts require one.
- Following C3PAO Readiness Review, a formal test will be scheduled for certification. AT-NET partners with other C3PAO organizations for testing.
Mapping CUI Flow
AT-NET’s approach to mapping CUI flow in the CMMC framework:
- Identify CUI Data Types: Determine the types of CUI your organization handles. CUI can include various types of sensitive information, such as personal data, financial information, technical specifications, and more. Classify the different types of CUI that flow through your organization.
- Identify Data Flows: Map out the flow of CUI within your organization’s systems and processes. Identify where CUI is created, transmitted, stored, processed, and shared. This could include systems, applications, databases, networks, and physical locations.
- Document Processes: Document the processes and systems involved in receiving, processing, storing, and transmitting CUI. The documentation also records the roles and responsibilities of the individuals or teams involved in each step.
- Identify Security Controls: Identify the security controls and practices required to protect CUI at your target level. These controls could include encryption, access controls, auditing, incident response, etc.
- Map Security Controls to Data Flows: For each data flow and process involving CUI, map the relevant security controls. Determine which controls are already in place and which ones need to be implemented or enhanced.
- Assess Compliance: Evaluate how well your organization’s current practices align with the required security controls for protecting CUI. Identify any gaps or deficiencies and prioritize them based on risk.
- Implement Necessary Controls: Implement the security controls that are missing or need improvement. This could involve updating policies, configuring security settings, deploying security software, and training personnel.
- Monitoring and Review: Establish continuous monitoring practices to ensure that CUI protection controls remain effective over time. Regularly review and update your data flow and control mappings as processes or technologies change.
- Document Everything: Maintain comprehensive documentation of your CUI flows, security controls, and compliance efforts. This documentation will be essential for CMMC assessments and audits.
- Prepare for Assessment: As part of your CMMC assessment, demonstrate how you’ve mapped CUI flow and implemented the necessary security controls to protect it. Be ready to provide evidence, such as process documentation, configurations, and logs.
Debriefing
Once your organization has been approved for a specific level of CMMC, it’s important to keep that certification current. For many, it’s not just a matter of compliance but of being prepared to compete for DoD contracts as they become available. Proposal teams will begin seeing CMMC language in requests for proposals and requests for information, and it’s important to have processes and policies in place that allow you to demonstrate CMMC certification with ease.
In addition to maintaining CMMC certification, it’s also important to create an internal team that is responsible for ensuring the ongoing implementation of best practices in all departments. It’s a good idea to also ensure that higher-level management has visibility into the domain activities through established reviews and a plan for addressing any issues that may be identified.
Ultimately, the CMMC process is designed to protect DoD information from cyber threats by demonstrating that contractors have cybersecurity processes in place. That’s why it’s important to understand CMMC and get your company certified early – not just because it will allow you to win DoD contracts, but because it shows that you take security seriously and are taking steps to protect your customers and partners. This is a valuable and necessary step to reducing the number of potential threats against DoD data.
Reporting
A CMMC assessment includes an in-depth examination of a company’s practices and the degree to which they are institutionalized. The goal is to determine whether the company’s policies and practices are followed on a regular basis. It’s not enough to simply have practices in place; companies must prove that they perform them routinely and improve their effectiveness over time.
Quarterly Review
AT-NET will perform a CMMC quarterly assessment as part of the ongoing compliance process for organizations to maintain CMMC certification. The review includes the following components:
- Review of Policies and Procedures: A review of the organization’s cybersecurity policies, procedures, and documentation. This includes evaluating whether the organization’s policies align with the requirements of the relevant CMMC level.
- Security Controls Implementation: Assessors will review how well the organization has implemented the required security controls specified in the chosen CMMC level. They will check if the controls are in place, functional, and effective in mitigating cybersecurity risks.
- Evidence Collection: The organization will need to provide evidence of their compliance with CMMC requirements. This could include documentation, records, logs, configuration settings, and other artifacts that demonstrate the implementation of security controls.
- Testing and Validation: Assessors conduct various tests and validations to ensure that the security controls are functioning as intended. This could involve penetration testing, vulnerability scanning, and other assessments to identify potential vulnerabilities or weaknesses.
- Incident Response and Reporting: Organizations are required to demonstrate their incident response capabilities and how they handle cybersecurity incidents. This might involve reviewing incident response plans, communication procedures, and post-incident analysis.
- Continuous Monitoring: CMMC emphasizes continuous monitoring of cybersecurity practices. The quarterly assessment includes an evaluation of how the organization monitors and maintains its cybersecurity posture between assessments.
- Personnel Training and Awareness: Assessors review the organization’s efforts to train and raise awareness among their employees about cybersecurity best practices, policies, and procedures.
- Documentation Review: Assessors review the organization’s documentation to ensure it accurately reflects their cybersecurity practices and any updates or changes made since the previous assessment.
- Remediation Tracking: As deficiencies or vulnerabilities are identified during the assessment, the organization will be required to provide evidence of their efforts to remediate these issues.
Conclusions
Remember that the specific details of a CMMC assessment, including the contents of a quarterly assessment, can vary based on the CMMC level the organization is targeting and the requirements set by the DoD. Organizations should refer to the official CMMC documentation and guidelines for the most accurate and current information regarding assessment procedures and requirements.
If you want to get the ball rolling on your CMMC assessment, we can help! We have a team of experts ready to assist you with achieving your CMMC certification. We’ll make sure that you understand the requirements, how they affect DFARS and NIST SP 800-171 compliance, and how to get your business CMMC compliant ASAP. Contact us today to learn more about our CMMC services.
Created by Jeff King (LinkedIn – Jeff King)