
Diving into CMMC Requirements: Essential Steps for Compliance Readiness

The Cybersecurity Maturity Model Certification (CMMC) Program is designed to ensure that defense contractors and subcontractors meet stringent information protection requirements, safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) against threats.

Achieving CMMC compliance is a prerequisite for securing contracts (excluding Commercial-Off-The-Shelf procurements) that support the Department of Defense (DoD). To win or maintain a contract with the DoD, you must meet the specific CMMC level that applies to the type of work you will be providing and the data involved. For existing DoD partners, CMMC compliance is required to renew contracts and remain competitive in the marketplace.

So—how can you prepare your company for a CMMC assessment?

Understanding the Different Levels of CMMC Compliance

The CMMC framework consists of three levels, each adding requirements to protect FCI and CUI.

The CMMC 2.0 model defines three levels:

  • Level 1: Basic safeguarding practices for DoD contractors that handle FCI.
  • Level 2: Protection of CUI against more sophisticated threats.
    • If your organization processes, stores, or transmits CUI, Level 2 applies; it adds the data protection practices that secure CUI.
  • Level 3: The highest level of requirements, for the most sensitive government information.
    • Level 3 is reserved for highly sensitive contracts concerning national security, intelligence, or critical defense, where protection against advanced persistent threats is required.

As a DoD contractor or subcontractor, achieving the specified CMMC level is mandatory for contract awards. Prime contractors must flow the requirement down to their subcontractors: each subcontractor must hold the CMMC level appropriate to the information (FCI or CUI) it will receive under the subcontract. This flow-down ensures that every tier of the supply chain maintains the required safeguards.

It’s also worth noting that under the revised CMMC rule, the DoD contract solicitation will specify the minimum CMMC level and assessment type required. In short: You won’t have the option to choose your level. The solicitation will dictate the cybersecurity maturity level you must achieve and whether it requires a self-assessment or an assessment from a CMMC Third-Party Assessor Organization (C3PAO). While you can aim for a higher level if it aligns with your strategic goals, you must at least meet the specified level to be eligible for the contract award.

Let’s delve deeper into each of the CMMC levels.

CMMC Level 1

At Level 1, your focus is on the basic protection of FCI. This level is intended for companies that handle FCI but not CUI. To achieve Level 1 compliance, you must fully implement the 15 basic safeguarding requirements of FAR clause 52.204-21 (CMMC 1.0 expressed these as 17 practices; CMMC 2.0 uses the 15 FAR requirements directly).

You are required to perform an annual self-assessment and submit it to the DoD’s Supplier Performance Risk System (SPRS) before you can be awarded any CMMC Level 1 contracts or subcontracts. A company officer must also sign an annual affirmation of compliance, verifying that the self-assessment is accurate and complete. Bear in mind that all security requirements at this level must be fully met, and that you cannot submit a Plan of Action and Milestones (POA&M) with the Level 1 self-assessment.

CMMC Level 2

Level 2 covers the protection of CUI. Depending on the type of CUI processed, stored, or transmitted, the solicitation will specify either a self-assessment or a C3PAO certification assessment, conducted every three years. In both cases you must also submit an annual affirmation attesting to continued compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 2 assessment results are recorded in SPRS, as at Level 1, and the annual affirmation is entered there as well. Unlike Level 1, a Level 2 assessment may close with open POA&M items, which yields a conditional status rather than a final one. The rule sets strict limits: the assessment score must be at least 80 percent (88 of 110 points), the open items may only be requirements weighted 1 point in the CMMC scoring methodology (with a narrow exception for the CUI encryption requirement), and a small set of requirements can never be deferred. The POA&M must be closed out within 180 days or the conditional status lapses.

Currently, there are over 80,000 contractors classified under Level 2.

CMMC Level 3

Level 3 is designed for protection against advanced persistent threats. Certification at this level is assessed by the government, specifically the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a final (not conditional) Level 2 certification from a C3PAO is a prerequisite. As at Level 2, a Level 3 assessment may close with an approved POA&M and a conditional status if the score meets the threshold in the rule and the open items are ones the rule allows to be deferred; the POA&M must be closed out within 180 days.

This level applies to the most sensitive and high-risk DoD projects and adds 24 selected requirements from NIST SP 800-172 on top of the 110 Level 2 requirements. Only about 1 percent of the Defense Industrial Base (DIB) is expected to be affected by Level 3 requirements. To maintain Level 3 status, you must hold a final Level 2 certification, undergo a DIBCAC assessment every three years, and provide an annual affirmation of continued compliance with the 24 NIST SP 800-172 requirements.

CMMC Readiness Best Practices

  • Develop a solid system security plan (SSP): Your SSP makes the first impression on an assessor. It should define the assessment boundary, inventory the systems and components that store, process, or transmit FCI or CUI, and state, requirement by requirement, how each one is satisfied.
  • Document policies and procedures, and execute them: Ensure your organization has policies and procedures for each control family, and that the evidence of day-to-day operation (logs, tickets, review records) matches what the documents say. Review them regularly and document all third-party service providers used to process, store, or transmit CUI. Don’t wait until your official assessment to compile the documentation.
  • Carry out an internal review or a third-party readiness assessment: Use the DoD’s CMMC Assessment Guide for your level to conduct the internal review against the assessment objectives of each requirement. Organizations often believe they fully understand the requirements but misinterpret some of them, so having a trusted third party perform a readiness review helps avoid surprises.
  • Engage a C3PAO: If your CMMC level requires third-party certification, building a relationship with a C3PAO is non-negotiable. With roughly 80,000 contractors needing Level 2 and fewer than 60 authorized C3PAOs, schedule your assessment sooner rather than later.

Conclusion

CMMC compliance is a prerequisite for winning and maintaining contracts with the DoD. Whether you are an existing DoD partner or new to DoD contracting, conducting a thorough self-assessment of your information systems is the best way to prepare. Review the security requirements, implement the relevant cybersecurity measures, and take corrective action to close any outstanding gaps.

Need help navigating CMMC compliance? Securitybricks is one of a select few firms holding both FedRAMP 3PAO and CMMC C3PAO accreditations. We offer a phased approach tailored to your security and compliance needs, ensuring you have the right information and tools for long-term success. Securitybricks is part of Aprio, a premier business advisory and CPA firm.

We help you navigate the complexities of CMMC compliance with confidence. Get in touch today.

Securitybricks Launches CMMC Accelerator on Azure Marketplace

Securitybricks launched its CMMC Accelerator, designed to automate CMMC compliance and streamline security for Azure-based DoD contractors.

BELLEVUE, WASHINGTON, UNITED STATES, July 22, 2024 — Securitybricks, Inc. is excited to announce the launch of its comprehensive CMMC accelerator on the Azure Marketplace. This offering is designed to assist organizations, including DoD contractors, MSPs, and MSSPs, in achieving and maintaining CMMC certification for their Azure workload.

Securitybricks’ CMMC accelerator: Securitybricks’ Azure solutions include several key components to streamline the CMMC certification process:

– CMMC Blueprint: Mapping tool to align security tools within Azure/M365 to meet CMMC requirements.

– CMMC Workbook: Azure Sentinel-based workbook to validate the implementation of CMMC controls in Azure workloads.

– CMMC Cloud Policy: Prescriptive guidelines for the implementation of CMMC controls.

By leveraging Microsoft commercial, GCC, and GCC High native services, Securitybricks ensures that all CMMC controls are implemented correctly and meet CMMC audit requirements. This solution extends the body of evidence and supports inherited and shared control artifacts for C3PAO assessments. Features of Securitybricks’ CMMC Compliance Accelerator:

– Validation of Configuration: Ensures that configurations meet CMMC requirements in commercial, GCC, and GCC High environments.

– Extending the Body of Evidence: Augments Microsoft’s current body of evidence with additional documentation and responsibility matrices.

– Inherited Controls and Shared Control Artifacts: Facilitates meeting C3PAO assessment requirements through comprehensive documentation.

– Audit-Ready Content: Provides audit-ready content for System Security Plans (SSP), Plans of Action and Milestones (POA&M), boundary definitions, and related external service providers for a C3PAO Level 2 assessment.

“Our compliance automation solution aims to simplify and accelerate the CMMC certification process, helping organizations navigate the complexities of compliance with confidence,” said Raj Raghavan, CEO at Securitybricks. “This is a first step towards our partnership with Microsoft and commitment to enabling the Defense Industrial Base ecosystem to adopt Azure as their CMMC foundation.”

This accelerator can be downloaded on the Azure Marketplace.

About Securitybricks, Inc.
Securitybricks, Inc. is a cybersecurity consulting firm focused on cloud security and compliance. Based in the U.S., its team members are all U.S. citizens, including military veterans, with over 15 years of experience in implementing cybersecurity and regulatory compliance controls. https://securitybricks.io/

Karina Vildman
Securitybricks, Inc.
info@securitybricks.io
Visit us on social media:
LinkedIn


Securitybricks Releases CMMC Accelerator on ServiceNow Platform

Securitybricks Inc., a prominent leader in the cybersecurity industry, is delighted to announce the release of its CMMC accelerator in the ServiceNow store.

BELLEVUE, WA, UNITED STATES, February 6, 2024. The proposed CMMC rule recently released by the DoD for public comment requires defense contractors to comply with their contractual obligation to protect controlled unclassified information (CUI). CMMC has three compliance levels built around the NIST SP 800-171 framework. In addition to achieving its own CMMC compliance, a defense contractor is also obligated to ensure that its subcontractor supply chain is compliant with CMMC.

As a Build and Implementation partner of ServiceNow, and an accredited CMMC C3PAO, Securitybricks built the CMMC accelerator on the ServiceNow platform to automate the entire CMMC process for Level 1, Level 2 and Level 3 assessments. The CMMC accelerator includes:

  • Complete 800-171 content built into Policy and Compliance module
  • Complete set of questionnaires to automate entire assessment lifecycle
  • SPRS scoring
  • Dashboards to track assessment status
  • Control data for system security plan (SSP)

The CMMC Vendor Assessment Accelerator built on the ServiceNow Vendor Risk Module (VRM) includes:

  • Complete set of questionnaires for subcontractors and service providers
  • Automated assessment workflow
  • Dashboards to track assessment status and compliance status of the supply chain
  • SPRS scoring

Securitybricks’ partnership with ServiceNow aims to automate cloud security and compliance with “out of the box” accelerators. “Our accelerators enable contractors to reuse the data within the ServiceNow platform, including vendor risk for CMMC, reducing cost and time. As an accredited C3PAO, we have designed the assessments within the accelerator to meet auditor artifact requirements,” stated Raj Raghavan, CEO of Securitybricks. “As a commitment to help defense contractors meet CMMC requirements, these accelerators are free to download.”

This marks a significant step in bringing the power of the ServiceNow GRC platform to automate the CMMC assessment, thus securing our defense industrial base.

These accelerators can be downloaded at store.servicenow.com


CMMC 800-171 Solution on ServiceNow GRC Platform

Is your organization struggling to keep up with the complex requirements of Vendor Risk Management and the NIST 800-171 standards? You need Securitybricks’ innovative ServiceNow GRC Vendor Risk CMMC application.

I’m Donna, a passionate Risk, Compliance, and ServiceNow GRC expert, and I’m thrilled to introduce our latest project: a simple, easy-to-use Vendor Risk Management application that streamlines compliance assessments of downstream vendors and suppliers in accordance with your organization’s CMMC Level.

Built upon the powerful ServiceNow Vendor Risk Management Module, our CMMC app is designed to make compliance easier for you. If you’re an existing GRC Vendor Risk Management customer, you’ll be able to integrate our app seamlessly into your current process. We built the app on ServiceNow to specifically address CMMC requirements for subcontractors. With a user-friendly Questionnaire and Assessment, it’s never been easier to launch your CMMC vendor compliance assessments. We offer two levels (Level 1 and Level 2) to suit your organization’s specific needs. Installation is as simple as downloading the app from the ServiceNow Store, installing it in your GRC Vendor Risk instance, and then, as the Vendor Risk Manager, creating a CMMC Assessment from the prebuilt CMMC assessment templates and assigning it to the vendor to complete.

We’re proud to offer this application to you for FREE, exclusively in the ServiceNow store. It will be available for download at the end of Q1 2023, and our Version 1 solution is designed to work with the ServiceNow Tokyo and Utah releases. Our app uses out-of-the-box Roles for Vendor Risk Managers to create the assessments and for Vendors to respond to them, making it simple and straightforward to use.