Cybersecurity Maturity Model Certification Checklist
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for all Department of Defense contractors. The CMMC will combine and build upon many best practices established in well-known standards such as DFARS and NIST 800-171, but will require a third-party assessment to help verify reduced risk, which Mission Critical Systems can do for you!
- Conduct a readiness assessment: This will help your organization determine how prepared you are for your compliance audit, and which areas require your immediate attention. Once this is complete, you will be able to determine your current CMMC level of compliance and create a plan to achieve the desired, or required, CMMC level.
- Remediate and prepare: Create a plan that addresses the following: Areas requiring attention; prioritization of areas identified; timelines for completion; estimated costs; process for tracking goals and milestones to ensure completion
- Implement a detection and alerting system: Most companies are aiming for a Level 4 or Level 5 compliance, which means you must be able to report on how well your company can identify and respond to threats. If you don’t have a system like that in place, now is the time to do so.
- Develop a systems security plan (SSP): An SSP documents the security controls that are put in place for all the systems a contractor has that store or transmit controlled unclassified information (CUI), and is a requirement for CMMC compliance.
- Evaluate your internal resources: Do you have in-house expertise to help you achieve compliance? If not, be sure to reach out to a third party as soon as possible to help you put your systems in place.
- Talk to your suppliers and subcontractors: If you use subcontractors, be sure to engage with them throughout their own supply chain to make sure they are achieving the compliance level that they require. This will ensure you don’t miss
- Stay agile: Once your compliance is achieved, your work is not done. The ultimate goal of the CMMC is to make sure all DoD contractors are prepared to handle ever-changing cybersecurity threats.
- Stay up to date: New information is constantly being released around CMMC compliance, so it is important to keep up with it as soon as it becomes available. This FAQ from the Office of the Under Secretary of Defense for Acquisition & Sustainment is an excellent way to stay on top of the situation.
Companies must be proactive in their approach to detect and respond to new threats as they emerge if they want to remain prime contractors for the DoD well into the future.