The Cybersecurity Maturity Model Certification (CMMC) is a ‘gold standard’ for developing the maturity of your cybersecurity. And because CMMC requirements serve as that gold standard, CMMC can also guide your compliance efforts across other frameworks, ensuring maximum compliance with minimal duplication of effort.
Elsewhere, we’ve looked at how CMMC measures up to other frameworks like NIST 800-171a, ISO 27002, CIS Top20 Controls, amongst others. This blog post offers five steps you can take to leverage CMMC to guide both your CMMC compliance and compliance across other frameworks.
1) Assess your current state of Cybersecurity
Any assessment of your current Cybersecurity preparedness has to begin with honesty. Where are your gaps, and how many do you have? Only once you understand this can you begin the task of shoring up your defenses. Next, ask yourself the hard questions: what is the worst-case scenario when dealing with each of the controls in various environments? What could go wrong, and how catastrophic could it be? Grade yourself as harshly as you can at this stage. It’s better to be zealous early rather than sorry later.
For example, is your software supply chain secure? It might be an easy area to overlook since cybersecurity may not spring immediately to mind when you think about the supply chain. But every integration you have with a partner is a potential attack vector if things aren’t secure on their end. The network of partner companies that make up a supply chain has become an increasingly popular means for attackers to gain internal or remote access to data from enterprise-scale companies with poor security practices. How would you grade your business here?
2) Map your existing tools to CMMC
Having assessed your current cybersecurity preparedness, inventory the cybersecurity tools and services you currently use. Compare these against CMMC requirements to see how they stack up and where you might have work still to do. For example, what CMMC requirements do your antivirus or firewalls meet? Do you need an upgrade?
Don’t overlook the role of budgeting in this process. Investing in cybersecurity training or an email security tool both count towards meeting controls. Include them in your assessment and record your estimated total spend so you can compare the cost of achieving groups of controls in-house, or with a partner.
3) Work chronologically, from easiest to implement to hardest
Becoming CMMC compliant takes time and work, so don’t feel you have to do it all at once. Better to see tangible, incremental gains than trying to leapfrog stages and miss things. Remember: with CMMC, there are no points for partial implementation. Making sure the simple things are fully covered is better than not completing more complex elements.
CMMC establishes five tiered, stacking certification levels: start with Level 1, which is “Basic cyber hygiene,” such as using antivirus software and requiring regular password changes by employees. With full implementation of those requirements, you can build from a solid foundation through the more advanced tiers. To learn more about which level is right for you, check out my webinar on that very topic.
4) Document your efforts with a simple report
Simple documentation isn’t just easy to read; it is also a valuable tool for logging forward progress toward CMMC compliance. This isn’t documentation for documentation’s sake - you will need to produce evidence of how you meet controls to auditors, self-directed or otherwise.
A simple one-page report allows someone to see at a glance what you have accomplished so far against individual controls by category. Such a report links your evidence and tracks your efforts in chronological order. Just be sure it isn’t mixed in with other spreadsheets or systems but is easily accessible on its own.
5) Determine how to fill the gaps
Once you’ve worked through these four steps, it’s time to figure out how to close the different gaps you’ve identified. That may mean asking for help to do so. You’ll also need to produce a business case that articulates how mapping to CMMC can help keep the organization on track towards demonstrating a security posture that meets the framework’s requirements. Take into consideration how many potential customers you would need to miss out on (opportunity cost), before this initiative pays for itself - not to mention the cost of a breach if your security lacks the maturity to prevent one.
Part of the appeal of CMMC is that it offers varying levels of maturity for your organization to shoot for, depending on what your customers require of you. Your goal isn’t to avoid fines but rather to achieve eligibility for contracts across the defense industrial base and the organizations that service them. That’s 300,000+ businesses, organizations, and universities that research, design, supply, and operate military systems.
The most important thing to remember is that there are proactive measures you can take to better address CMMC controls. By addressing such controls, you can improve your security and comply with other frameworks.
Resources to Help You Comply
ActZero has a wealth of resources to help as you look to map your organization’s cybersecurity to CMMC controls. If you’re looking for executive sponsorship or to convince GCR stakeholders that this is right for your organization, check out our Executive Playbook, Why You Need a Modern Regulatory Framework for Today’s Compliance Needs and Beyond.
For tactical help in identifying frameworks CMMC controls generalize to, a project plan to execute, or a self-assessment, check out our CMMC Readiness Package. You can also use it to see how CMMC controls map across different frameworks.
Or, if you aren’t sure about your own security maturity, check out our Maturity Model Assessment and let us help you determine for yourself where you stand.
Finally, our MDR customers can leverage our optional Virtual CISO Service for consultative advice and implementation of a project to comply with frameworks like CMMC, or assess which level they should strive for.