A CMMC certification for your organization may seem far in the future, but the need to implement its requirements is closer than you realize. Organizations in the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need a CMMC certification at the level their contracts specify. Many organizations believe it only takes a short time to become CMMC certified, but certification is evidence-based, so you must start preparing now to show actual cyber maturity. There are many steps you can take now to ensure your organization is CMMC ready. The first step is to implement the specific cybersecurity initiatives and technology needed to reach your target CMMC certification level.
For a more detailed look at these cybersecurity initiatives please read our recent blog “5 Cybersecurity Initiatives to Meet CMMC Certification & Buy American Company Security Standards”.
These security measures can be seen as "low-hanging fruit": they are straightforward to implement, and many organizations already have them in place. After implementing these cybersecurity processes, it is important to move on to more CMMC-specific preparation. Below we discuss the steps you should take to prepare your organization for CMMC requirements.
1. NIST SP 800-171 Self-Assessment
The first step after implementing the cybersecurity initiatives is completing a NIST SP 800-171 self-assessment. This is a great starting point when you prepare for CMMC requirements, and it is something you should already be doing if you have not completed it. Because it is a self-assessment, your organization can complete it with or without the help of a third party, and it will show you which controls you have met and which you have not. The 110 controls in NIST SP 800-171 directly correlate to the CMMC practices for Maturity Levels 2 and 3. This assessment will highlight the processes and procedures you need to put in place to begin your path to CMMC certification. You can access that self-assessment here to get started.
2. Readiness Assessment
The next step you should take is a CMMC readiness assessment against all 130 practices of CMMC Maturity Levels 1-3. The goal of a CMMC readiness assessment is to collect and catalog all of the objective evidence needed to demonstrate that your company has the necessary practices and processes in place. CMMC readiness starts from the maturity level (ML) your company needs to meet (1-5). The assessment then reviews each practice required at that level to determine whether it is met or unmet, and begins collecting the evidence that proves each practice is in place. Your organization can get a readiness assessment by completing a self-assessment or by engaging a Registered Provider Organization (RPO).
RPOs are often the most beneficial option: not only can they perform a readiness assessment, they can also provide consulting services to further assist you in achieving cyber maturity. This type of CMMC provider can make it easy for any organization to understand exactly what it needs to do to meet all CMMC requirements and obtain a CMMC certification. RPOs are well qualified because their Registered Practitioners have completed CMMC-AB training and have a much deeper understanding of the CMMC requirements. Note that an RPO prepares you for assessment but cannot certify you; the official certification assessment is performed by a CMMC Third Party Assessment Organization (C3PAO). CompuData is now a registered RPO with many Registered Practitioners on staff. For more information click here.
3. Plan of Action and Milestones (POAM)
The final step when your organization is preparing for CMMC requirements is creating a plan of action and milestones (POAM) based on the results of both assessments. This is important because, in order to meet the unmet practices, you need a plan of action in place to start:
– Remediating any missing policies or procedures.
– Adding any new solutions.
– Creating the required documents.
– Assigning ownership of these documents.
Treat the POAM as a working document that drives closure, not as an end state: the official CMMC assessment checks whether each practice is actually in place, not whether a plan to implement it exists. Working through these steps will ensure your organization gains the cyber maturity needed to pass the official CMMC assessment.
The most important thing when preparing for CMMC requirements is to be proactive and not wait. Waiting creates the risk that your organization will not be ready and may not pass the official CMMC assessment, which can halt business on affected contracts. It is critical to start preparing now so that you can pass the official CMMC assessment, protect your business, and obtain a CMMC certification for your organization.
For more information about the steps to take to prepare for CMMC requirements, or if you are interested in getting a readiness assessment from CompuData, a registered RPO, please email us!