In 2023, CMMC 2.0 will fully go into effect, requiring any organization bidding on contracts with the Department of Defense (DoD) to be CMMC certified in order to do so.
As organizations begin to prepare for CMMC audits, it is important to understand the requirements and processes that will need to be in place in order to become CMMC-certified. Learn what you need to know to ensure that your CMMC audit is successful.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) system is an evolving framework of cybersecurity standards developed by the DoD. It’s designed to ensure that contractors, vendors, and suppliers who provide goods or services to the DoD have adequate security practices in place to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC 2.0 Levels
The CMMC framework is broken down into three levels that build upon each other: Foundational, Advanced, and Expert. These CMMC levels require different processes and control objectives, so your CMMC audit requirements will depend on which level of CMMC you are certified for.
- Level 1 (Foundational): Based on the 17 controls found in FAR 52.204-21.
- Level 2 (Advanced): Based on the 14 families and 110 security controls found in NIST SP 800-171.
- Level 3 (Expert): Based on the 110 controls from NIST SP 800-171 plus additional controls found in NIST SP 800-172.
What’s Involved in a CMMC Audit?
A CMMC audit by a certified, third-party auditor (known as a C3PAO) is required for any organization that works with the DoD. CMMC auditors will assess the organization’s cybersecurity framework and determine which CMMC requirements are applicable. The CMMC audit is designed to help organizations ensure they are meeting CMMC requirements while minimizing risk exposure.
The CMMC auditor will review the following:
- Policies and Procedures: Reviewing policy documents such as the CMMC compliance policy, incident response plan, access control policy, etc.
- Security Configuration: Evaluating system configurations to ensure CMMC requirements are met.
- Network Security: Evaluating the organization’s network security measures and conducting a vulnerability assessment.
- Physical Security: Ensuring that the organization has appropriate physical security controls in place to protect CMMC assets.
- Training and Awareness Programs: Ensuring that employees have received appropriate training and awareness on CMMC-related topics.
The CMMC audit process typically takes several weeks and is intended to assess an organization’s CMMC maturity. After the CMMC audit is complete, the CMMC auditor will provide a report with their findings and recommendations for improvement. Organizations that pass the CMMC audit are awarded CMMC certification, which they must renew every three years.
How to Prepare for a CMMC Audit
The CMMC audit process can be lengthy and complex, so it is important to take the time to prepare for it in order to ensure success. Here are some tips on how to effectively prepare for a CMMC audit:
1. Know Your CUI
CMMC requirements are based on the type of CUI your organization handles. Take the time to understand what types of CUI your organization is storing, processing, and transmitting in order to ensure you are meeting CMMC requirements.
2. Determine Which CMMC and NIST 800-171 Controls Are Applicable
Organizations don’t need to meet every CMMC requirement, but they should determine which CMMC and NIST 800-171 controls are applicable and relevant to their environment. The CMMC framework is meant to be flexible and tailored to the organization, so it’s important to identify which CMMC controls are needed.
3. Develop and Implement CMMC Policies and Procedures
Once you have determined which controls are applicable, develop and implement CMMC policies and procedures that meet the CMMC requirements. This includes establishing a CMMC compliance policy, incident response plan, access control policy, etc. Also include how CUI will be handled, stored, and protected.
4. Develop CMMC Training and Awareness Programs
Develop CMMC-specific training and awareness programs to ensure that employees are educated on CMMC’s best practices, requirements, and processes. Employees need to be aware of CMMC requirements and understand how to maintain CMMC compliance.
5. Perform a Risk and Maturity Assessment
Conduct a risk and maturity assessment to identify CMMC gaps. This will provide an understanding of the organization’s CMMC posture and help determine which areas need to be addressed in order to meet CMMC requirements.
6. Identify and Remediate CMMC Gaps
After identifying CMMC gaps, develop and implement a plan of action to address them. This includes making changes to existing processes and procedures, implementing additional security controls, etc.
Need Help Preparing for an Audit? We’ve Got You Covered
Don’t let the intimidating nature of CMMC requirements and audits stop you from doing business with the DoD. At AIS, we specialize in CMMC compliance and have CMMC 2.0-certified professionals who can assist you in meeting CMMC requirements and preparing for CMMC audits.
Our team of experienced security experts will work with you to assess and develop the necessary CMMC policies and procedures, provide a CMMC gap analysis to identify any areas of non-compliance, and help you create an action plan for becoming CMMC compliant.
Set up a meeting today to learn more about how we can make your business ready for a CMMC audit.