Preparing for a CMMC audit

If you’ve been through any audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. If you haven’t, think spreadsheets. Spreadsheets everywhere!

The People

Once you have decided to pursue CMMC certification, keep the following in mind when drafting your audit preparation strategy. Form a task force drawn from the IT or security team, supported by the people who know your technical systems well (system owners and administrators). Having an executive or manager own the process alongside the team is also hugely beneficial, because the assessment will surface policy and budget decisions that the technical team cannot make on its own.

The CMMC process requires commitment, and team members will need to take time away from their other duties to focus on preparing for the assessment. Plan for a temporary loss of productivity and make sure you are staffed accordingly.

The Process

The process can be broken down into three major steps:

Step 1: Understanding the CMMC Level Requirements

It is important to know what each level requires and to plan accordingly. The requirements for CMMC certification depend on the level your contracts call for. The levels are cumulative: each level includes every requirement of the levels below it, so a Level 2 certification requires every Level 1 practice plus the additional Level 2 requirements, and so on.

Level 1 is achievable for smaller companies and consists of basic, widely accepted security practices. There are 17 practices that must be met to achieve CMMC Level 1, all of which map directly to the safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21. Here is how the 17 practices break down by domain (the numbers are the CMMC 1.0 practice identifiers, e.g. AC.1.001; CMMC 2.0 renumbers them after their NIST SP 800-171 counterparts, e.g. AC.L1-3.1.1):

Access Control (AC)

  • 001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
  • 002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  • 003 – Verify and control/limit connections to and use of external information systems
  • 004 – Control information posted or processed on publicly accessible information systems

Identification and Authentication (IA)

  • 076 – Identify information system users, processes acting on behalf of users, or devices
  • 077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems

Media Protection (MP)

  • 118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse

Physical Protection (PE)

  • 131 – Limit physical access to organization information systems, equipment, and the respective operating environments to authorized individuals
  • 132 – Escort visitors and monitor visitor activity
  • 133 – Maintain audit logs of physical access
  • 134 – Control and manage physical access devices

System and Communications Protection (SC)

  • 175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
  • 176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System and Information Integrity (SI)

  • 210 – Identify, report, and correct information and information system flaws in a timely manner
  • 211 – Provide protection from malicious code at appropriate locations within organizational information systems
  • 212 – Update malicious code protection mechanisms when new releases are available
  • 213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

Level 1 does not require a third-party assessment: a company at Level 1 self-assesses and attests to its compliance once a year.

Level 2 is an incremental but important milestone for defense contractors, and it is the level required for handling Controlled Unclassified Information (CUI).

Level 2 aligns with the 14 control families and 110 security requirements of NIST SP 800-171, published by the National Institute of Standards and Technology (NIST). For CMMC Level 2, you can expect to need a third-party (C3PAO) assessment every three years.

Level 3 represents an advanced, progressive cyber security posture. Companies seeking Level 3 must meet all of the security requirements in NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking Level 3 will be assessed.

Step 2: Prepare Materials

In this phase you create the list of controls and policies to adopt, gather the required evidence artifacts (configurations, screenshots, logs, tickets, signed policies), document all necessary procedures, and train your team. If you’re a TrustOps user, we’ve got your back: TrustOps automates much of this process and automatically maps your controls to your CMMC level (Level 1 and Level 2), making it easy to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, call us… we’d love to have your back, too.

Step 3: Complete Internal Review

Whether or not you choose an independent assessment, you must first conduct a thorough internal review to confirm that you meet every requirement; a gap you find yourself is far cheaper to close than one an assessor finds. The internal audit review you get when you work with us analyzes your gaps against your target CMMC level (as well as other compliance standards such as HIPAA), and can serve as your self-assessment.

The Audit

CMMC certifications are valid for three years. Beyond Level 1 (which is self-assessed, as noted above), certification is obtained through a third-party assessment led by authorized and accredited assessors working for a CMMC Third-Party Assessment Organization (C3PAO). A CMMC certificate is then issued based on the results of that assessment.
