5 steps to Cybersecurity Maturity Model Certification

Are you ready for Cybersecurity Maturity Model Certification (CMMC)?

Robert McVay
Photo Courtesy of Smithers

Are you ready for Cybersecurity Maturity Model Certification (CMMC)? Industry expects phase 2 – when most contractors will need CMMC – to start in late 2025. Most organizations report that reaching assessment readiness takes between 12 and 18 months, so starting that journey early is essential to meeting the certification requirements. Here are five steps to help simplify the process.

1. Determine if CMMC is required for your contract

Review your Department of Defense (DOD) or government-related contracts and planned requests for proposals (RFPs) for DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Next, determine what controlled unclassified information (CUI), if any, you actually need in order to meet the contract deliverables. Then work with your customer to ensure you receive only the CUI you need; the less CUI you hold, the smaller your assessment scope. Raise any questions or concerns about CUI with the contracting officer. This step takes about one month to complete.

2. Determine the scope and use of CUI

  • Who needs and has access to CUI?
  • What CUI do you need to meet your deliverables?
  • Where is the CUI stored?
  • Which processes require CUI?
  • How is the CUI protected?

The answers to these questions set the scope of your assessment and determine which information systems will need to be upgraded. Plan for at least two months to conduct this review.

3. Design/build/update your information environment

Key decisions you will need to make early in this process:

  • Will you store CUI on your current systems/infrastructure?
  • Will you isolate the CUI data from the rest of your environment?
  • Will you build a new, CUI-compliant environment?
  • Where will you store your data: on-premises, in a cloud environment, or hybrid?
  • Do you use an information or cybersecurity partner? The three most common types are:
    1. Managed service provider (MSP) – must hold the same CMMC level as your company
    2. Cloud service provider (CSP) – must hold a FedRAMP Moderate authorization (ATO) or meet equivalent security requirements
    3. Managed security service provider / cybersecurity service provider (MSSP/CSSP) – must hold the same CMMC level as your company

Now contact your CMMC Third-Party Assessor Organization (C3PAO) and begin coordinating your assessment. C3PAO calendars are likely to be backlogged with assessment requests, so schedule your assessment as soon as possible. Your C3PAO can also provide guidance on preparing for the assessment. This phase can take between 6 and 12 months.

4. Conduct an internal assessment and management review

You must conduct an internal assessment and management review before the third-party assessment. The leadership team must review the results, determine what mitigation or remediation steps are required, and approve proceeding to the third-party assessment. It may be beneficial to partner with a C3PAO for your internal assessment rather than depending solely on internal resources. However, a C3PAO that conducts your internal or initial assessment can NOT also conduct your final assessment. Plan for at least two to three months for this assessment and review.

5. Conduct the CMMC assessment

Your C3PAO needs your draft System Security Plan (SSP) and the results of the internal assessment when they start the scoping and planning discussion. The duration and locations of an assessment with Smithers depend on several factors: number of full-time employee equivalents, number of sites, complexity of the information system, outsourcing of information technology (IT) and cyber functions, and several more.

An assessment typically takes about five days for small organizations and can exceed 30 days for large organizations. Smithers has 30 years of assessment experience, is transparent about the expected assessment duration, and takes all reasonable steps to expedite the process while maintaining the highest level of effectiveness and accuracy. Smithers is a C3PAO candidate and expects to be ready to conduct CMMC assessments by the end of 2024.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

Smithers: https://www.smithers.com

October 2024