A CMMC Compliance Checklist
The Cybersecurity Maturity Model Certification (CMMC) is a well-known framework for assessing the maturity of an organization’s cybersecurity. It’s designed to help organizations improve their cybersecurity by raising awareness about best practices and implementing a roadmap.
On November 4, 2021, the Department of Defense announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of an internal evaluation of the program led by senior Department of Defense leaders ( DoD). The CMMC 2.0 program maintains the program’s original goal of protecting sensitive information while simplifying the CMMC standard and providing clarity on the requirements.
What is Cybersecurity Maturity Model Certification (CMMC)?
CMMC (Cybersecurity Maturity Model Certification) is a system of compliance levels that helps the government, specifically the Department of Defense, determine whether an organization has the security necessary to work with controlled or otherwise vulnerable data.
CMMC Compliance Checklist
- Identify what type of unclassified information your organization will handle.
- Determine the CMMC certification level you need.
- Implement a SIEM solution to help you meet CMMC requirements.
- Hire a C3PAO to Perform a CMMC Assessment or Self-Certify.
- CMMC Assessment Process.
Identify what type of unclassified information your organization will handle.
On December 3, 2021, the DoD released CMMC 2.0 Model Overview. This new model includes the essential protection requirements for FCI specified in the Federal Acquisition Regulation (FAR) 52.204-21 and the security requirements for CUI in NIST SP 800-171r2 according to clause 252.204-7012 of the Addendum to the Federal Regulation on Defense Acquisitions (DFARS).
- If you deal with Controlled Unclassified Information (CUI), you will need to meet Level 2 or Level 3 of CMMC.
- If you only protect Federal Contract Information (FCI), your requirement will only be for Level 1 of CMMC.
Determine the CMMC certification level you need
The level of CMMC you need to meet depends on the contract under which you are working (CUI/FCI).
Although there were 5 levels in CMMC 1.0 version, the current CMMC model contains 3 maturity levels with the announcement of CMMC 2.0.
The 3 levels in CMMC 2.0 are:
- Level 1 (foundational) for companies with FCI only. The information requires protection but is not critical to national security; it requires 17 basic protection practices; CMMC Level 1 Analysis Guide. Also, all Level 1 companies can self-certify.
- Level 2 (advanced) for companies with CUI. It will require the 110 practices of NIST SP 800-171r2; may require external or own evaluations, depending on the type of information; CMMC Level 2 Analysis Guide.
- Level 3 (expert) for the highest priority CUI programs. It will use a subset of NIST SP 800-172. The Level 3 companies will require a government-led assessment.
Implement a SIEM solution to help you meet CMMC requirements
UTMStack can help you to meet with the 14 domains from the CMMC model:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each domain has associated its practices for each level. The distribution of practices within each domain varies across the compliance levels.
A SIEM tool is a Security Information and Event Management system that collects security information from different sources, analyzes, and correlates log data to identify patterns that may indicate a threat or breach. It’s used to monitor the network activities of an organization, helping IT experts to incident respond in real-time. Also, when organizations implement a SIEM, it’s easy for them to detect vulnerabilities that cybercriminals can exploit. The advanced SIEMs make extensive use of machine learning and artificial intelligence to aggregate and analyze data at a scale that is practically impossible to accomplish by people alone.
UTMStack is a SIEM solution designed for hybrid environments and can be easily deployed across on-premises and cloud providers for any modern cybersecurity strategy. With UTMStack, companies can reduce the cost issue of CMMC compliance. Especially small and mid-sized businesses that sometimes don’t have enough finances to pay for the upgrades in cybersecurity required for CMMC compliance.
UTMStack bundles several cybersecurity products under a single platform, including:
- Threat detection and response
- Compliance management
- Log management (SIEM)
- Vulnerability management
- Network/host IDS/IPS
- Asset Discovery
- Endpoint Protection
- Identity Management
- Incident Response
- File Classification
- Dark Web Monitoring and threat Intelligence.
Having all the data in a single place increases the effectiveness of correlation engines and machine learning algorithms. The platform also includes a powerful dashboard and report builder that organizations can use to personalize their monitoring experience or advanced compliance auditing and reporting.
As you can see, UTMStack is an excellent solution to meet security practices required in each domain of the CMMC model. The good practices will let you be ready for any CMMC assessment.
Hire a C3PAO to Perform a CMMC Assessment or Self-Certify
The CMMC Accreditation Body (CMMC-AB) is in charge of developing procedures to certify Third-Party Assessment Organizations (CP3AOs) and assessors that will be in charge of evaluating compliance levels. The CMMC will also set up a CMMC Marketplace where companies can find an accredited C3PAO and schedule an assessment.
As the Organization Seeking Compliance (OSC), your company should hire the C3PAO to perform your CMMC assessment.
The cost for a CMMC assessment will depend upon several factors, including the level the certification is needed and the complexity of your IT infrastructure.
- Level 1 CMMC
Level 1 companies can self-certify to CMMC compliance annually.
- Level 2 CMMC
Some Level 2 companies will be able to self-certify to CMMC compliance, and others will require an outside third-party assessment.
Level 2 contractors who do not handle critical information to national security can perform annual self-assessments to comply with CMMC.
Level 2 contractors managing information critical to national security must undergo third-party assessments every three years.
- Level 3 CMMC
All Level 3 companies require a government-led assessment every three years.
CMMC Assessment Process
The process for a CMMC assessment is:
- Once you’ve hired a C3PAO company, you will schedule the assessment with the C3PAO.
- The C3PAO assesses your company and creates an assessment report.
- If you meet with all the security practices according to your level, the C3PAO issues a CMMC certificate.
- The C3PAO submits a copy of the assessment report and CMMC certificate to the DoD. The CMMC certificate is valid for three years.
- Once the C3PAO submits the CMMC certificate to the DoD, your requirement for CMMC compliance has now been met.