Five Steps in Your CMMC Compliance Checklist

Attacks on government data are on the rise worldwide. These attacks are sophisticated, determined, and subtle, and they are usually conducted by highly knowledgeable attackers. As a consequence, governments around the world (including the USA) are imposing more regulations.

Along with some long-standing security frameworks like FedRAMP and FISMA, the US Department of Defense shared the initial draft for the Cybersecurity Maturity Model Certification (CMMC) in early 2020. There are still many questions to be answered regarding this new framework but the final framework is expected to come in late 2021.

Organizations, especially those that work with the DoD, must comply with the CMMC framework. So, let’s take a look at what your organization can do to get prepared.

Assess your CUI

As an organization, you should start by understanding your data and identifying which data are subject to CMMC. The model covers controlled unclassified information (CUI) held in non-federal IT systems. CUI mainly includes the following types of information:

  • Intelligence information
  • Intellectual properties like patents
  • Tax information
  • Legal actions & law enforcement related information
  • And much more.

A crucial point to note here is the CMMC’s focus on CUI in non-federal systems. Even if your organization already holds a FedRAMP and/or FISMA authorization to operate (ATO), it may still hold CUI that is subject to CMMC.

That’s why a holistic analysis of your organization’s data and systems is important.

Leverage other Federal Frameworks

The CMMC is intended to be in reciprocity with other regulatory frameworks. However, it is still too early to assume that compliance with existing frameworks will be accepted in place of CMMC.

CMMC is derived from existing frameworks such as NIST and its special publications, the CSF, the CERT Resilience Management Model (RMM), and more, so it is closely interconnected with them. Moreover, given the complex nature of CUI and IT systems, full compliance with the existing cybersecurity frameworks can give your organization a head start. Hence, organizations should consider how best to leverage the frameworks they already follow.

None of these existing certifications or frameworks guarantees compliance with CMMC. It’s just that, in many cases, you can apply lessons learned from other frameworks to your CMMC certification process.

Read CMMC appendices & assessment guides

The DoD has always been consistent with its documentation, which helps organizations to a great extent. As an organization, reviewing the CMMC framework and its appendices should be your first step.

These documents are a great source for understanding:

  • The intent of each control
  • Why CMMC establishes each control category
  • How controls are defined

The assessment guides will help you understand the five levels of CMMC in a comprehensive manner. In a nutshell, reviewing these documents helps your organization understand where it currently stands and what it needs to do to achieve the desired level.

Complete NIST Special Publication 800-171

NIST SP 800-171 already addresses the protection of CUI in non-federal IT systems. Adhering to this publication offers a head start for organizations seeking CMMC Level 3 compliance.

NIST SP 800-171 defines 110 controls that organizations need to comply with. The good news is that those same 110 controls make up part of the 130 controls required for CMMC Level 3. That means an organization that already meets NIST SP 800-171 needs to comply with only 20 more controls to be Level 3 compliant.

In fact, the DoD may make full compliance with NIST SP 800-171 mandatory in order to make the transition easier for organizations.

Find a good partner

CMMC certification must be completed through a certified CMMC third-party assessment organization (C3PAO). Many of the ATOs and certifications your organization pursues will interact with CMMC in different ways. So, finding a good firm or vendor is paramount.

A good vendor can help you pursue an effective strategy to address your compliance needs and goals. Before the final rule arrives in late 2021, try to find a good vendor that will guide you through the process and keep you updated on CMMC.
