CMMC Compliance Checklist
The Cybersecurity Maturity Model Certification (CMMC) is a framework that applies to US Department of Defense (DoD) contractors and subcontractors. First published in 2020 and revised as CMMC 2.0 in November 2021, the framework is being phased into DoD contracts over a period of several years. Compliance with CMMC will be an integral part of the acquisition process for DoD contracts: contractors and subcontractors across the Defense Industrial Base (DIB) will need to meet the CMMC level stated in each contract.
CMMC compliance levels will appear in more and more DoD Requests for Proposals (RFPs) over the next few years. CMMC could also be adopted by other US federal agencies in the future as a best-practice cybersecurity standard for contractors. Organizations should start planning for compliance today. This checklist helps contractors prepare for CMMC compliance and includes a point-by-point rundown of the 14 CMMC domains.
1. Understand and Identify FCI
The first step is to understand the different types of government data that your organization may deal with. The type of data being processed will affect the level of CMMC compliance that's required. This directly impacts the variety of security controls that your organization and systems will need to meet. Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will generally be the main types of government data that contractors deal with.
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. Handling FCI requires compliance with the first of the three CMMC levels. CUI is government information that is sensitive but not classified. The National Archives maintains a registry of defined CUI categories; examples include controlled technical data and patent information. Handling CUI requires CMMC Level 2. CMMC Level 3 applies to CUI associated with the DoD's highest-priority programs, where the threat model includes advanced persistent threats. Classified information is outside the scope of CMMC and is governed by separate rules.
2. Perform Network Scoping
Once you’ve identified the CUI and FCI data within the organization, the next step is to determine the parts of the network that process this data. Identify which elements of the system store or process these government data. Create a diagram of networks and systems, with clear documentation of the areas that process CUI or FCI data. This may also include any subcontractor networks, if your organization is the prime contractor.
Scoping the relevant systems, and the points of entry to the data, defines the boundary of CMMC compliance. By identifying the environments that store, process or transmit CUI, organizations can limit the scope of the assessment to the relevant parts of the network rather than the entire enterprise. The DoD's CMMC scoping guidance categorizes assets as CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets and Out-of-Scope Assets; only assets that cannot handle CUI and are physically or logically separated from those that do are out of scope, and everything else must at least be documented in the System Security Plan.
This approach minimizes the resources required to reach compliance while keeping CUI separate and protected within your systems. Network segmentation and controlled access between the CUI environment and the rest of the enterprise further reduce the parts of the network in scope, but the separation must actually be enforced (firewall rules, VLANs, separate accounts), not merely drawn on the diagram, because an assessor will test it.
3. Identify the required CMMC level
CMMC has different levels of compliance, relative to the degree of risk and sensitivity of the government data being processed, stored, created or managed by a DIB organization; the levels are a way of categorizing that risk. The required CMMC level will be stated in DoD Requests for Proposals (RFPs). Organizations that store or process Federal Contract Information will need to meet CMMC Level 1. Organizations that store or process Controlled Unclassified Information (CUI) will need to meet CMMC Level 2, which includes all 110 requirements of NIST Special Publication 800-171 Revision 2, the standard written to safeguard CUI on non-federal systems.
Organizations that handle CUI for the DoD's highest-priority programs will need to meet CMMC Level 3. This is the highest level of CMMC and means meeting 134 requirements: the 110 NIST SP 800-171 requirements of Level 2 plus 24 enhanced requirements selected from NIST SP 800-172. NIST published SP 800-172 in 2021 as a supplement to SP 800-171, setting out enhanced security requirements for protecting the confidentiality of CUI in non-federal systems against advanced persistent threats. It is the reference for understanding the controls needed for Level 3 certification.
4. Perform compliance gap analysis
It’s important to gauge your current compliance level well ahead of a CMMC assessment so that there is time to close gaps. Identifying where you fall short helps prioritize the steps needed to achieve certification. Vulnerability scans and configuration audits of networks and devices are effective at highlighting technical gaps against CMMC requirements, but many requirements (policies, training, personnel screening, incident response procedures) can only be checked by reviewing documentation and interviewing the people responsible, so a gap analysis must cover both.
A gap analysis gives organizations the input for a Plan of Action and Milestones (POAM), a key part of project planning. Clear milestones help to streamline the process and realign resources. Note that the CMMC program also uses the term POA&M for requirements still open at the time of assessment: no POA&M is permitted at Level 1, and at Level 2 only a limited set of requirements may remain open, and they must be closed within 180 days. Your project plan should therefore aim to have the work completed before the assessment takes place.
- Level 1 requires an annual self-assessment, with the result reported in the DoD Supplier Performance Risk System (SPRS).
- For Level 2, there are two ways of certifying compliance, either by self-assessment or by a third-party assessment carried out by a Certified Third-Party Assessment Organization (C3PAO); the solicitation states which one applies.
- For Level 3, organizations build on a Level 2 C3PAO certification, and the Defense Contract Management Agency (DCMA), through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), assesses compliance with the additional NIST SP 800-172 requirements.
DIB organizations need to be fully compliant with the requirements for the required CMMC Level to receive certification and execute the DoD contract.
CMMC Requirements
Each CMMC level brings new security requirements, outlining cybersecurity policies and processes needed for compliance. Organizations can use these controls as the basis of their gap analysis. To reach a certain level of CMMC compliance, organizations must meet the requirements in the previous levels too.
- CMMC Level 1 contains 15 security requirements, drawn from the basic safeguarding requirements of FAR 52.204-21.
- CMMC Level 2 requires implementation of all 110 NIST SP 800-171 requirements.
- CMMC Level 3 requires, in addition to meeting Level 2, the 24 selected requirements from NIST SP 800-172.
5. Build a project POAM
A project POAM should bring together the documentation and findings of the previous steps. It will provide a clear outline of how to achieve compliance with the required CMMC level. A project plan of action with milestones will make the journey to compliance more straightforward.
The project plan should include:
- Scope of the assessment and system boundaries
- The team in charge of measuring and implementing changes
- The level of CMMC compliance required
- Findings of the compliance gap audit
- Estimated timeline and resource cost
- Clear milestones that need to be met for project completion
6. Create a System Security Plan (SSP)
A System Security Plan (SSP) is a requirement for the higher levels of CMMC compliance. It’s a document that outlines cybersecurity controls for systems that process or store CUI or other government data. An SSP is needed for CMMC Level 2 and above because this is the point that documentation of cybersecurity processes becomes a requirement.
The creation or refinement of an SSP should be an early step for any organization exploring CMMC compliance. It should be seen as a live document that is regularly reviewed and kept up to date.
7. Assign the right resources
Any project to review and update cybersecurity resilience will take resources to properly complete. Requirements are wide-ranging and will affect different areas of the organization. Improvements will go beyond just the configuration of devices and hardware, dealing with elements like cybersecurity training provision, and the setting of organization-wide policy.
CMMC is mandatory for DoD contracts where FCI and CUI are involved, so compliance is vital for many DoD contractors. This means adequate resources should be made available for the compliance project. It should be seen as an ongoing task, but it will be most resource-intensive at the start. Reviewing and renewing controls and system security takes time, effort, and money. Assign a team with a budget to cover elements like vulnerability scans, outsourced security advice, and changes to policy and procedure. Assess the capabilities of internal staff honestly, as external support may be required to reach compliance efficiently.
CMMC Domain checklist
CMMC consists of 14 different domains or areas, each containing a range of security practices needed for compliance. Here’s a simple checklist for each one, to help organizations understand the basics of each domain.
Access Control (AC)
- Create rules for user access to internal networks and systems.
- Keep up-to-date lists of authorized users and account privileges.
Awareness and Training (AT)
- Embed cybersecurity training at all levels of the organization.
- Align training with how each employee interacts with CUI systems in their role.
Audit and Accountability (AU)
- Log user actions with enough detail (user, action, timestamp, outcome) to trace activity to an individual user, and protect the logs from alteration.
- Record and log any user access to CUI and assets.
Configuration Management (CM)
- Embed baseline device configurations for improved cybersecurity resilience.
- Identify and map devices and systems which process CUI.
Identification and Authentication (IA)
- Embed systems for the unique identification of users, devices, and processes.
- Strengthen authentication: enforce password complexity and prevent reuse, store passwords only in cryptographically protected form, and require multi-factor authentication for privileged accounts and for network access.
Incident Response (IR)
- Create an incident response plan to detect and contain threats to CUI.
- Ensure employees are trained and ready to respond to serious incidents.
Maintenance (MA)
- Create a schedule for ongoing maintenance of systems, hardware, and devices.
- Track and log updates and repairs to software, hardware, and firmware.
Media protection (MP)
- Create a policy for safe management and destruction of media containing sensitive data.
- Mark and track media containing CUI, limit who can access it, and control it during transport and in backups.
Personnel Security (PS)
- Screen all personnel with access to CUI.
- Add appropriate background checks to the hiring process.
Physical Protection (PE)
- Maintain a list of employees with access to the building and server environment.
- Restrict access to sensitive areas of the organization that may include servers or hardware.
Risk Assessment (RA)
- Embed processes for highlighting new threats and risks to the system.
- Proactively scan networks and systems for vulnerabilities and risks.
Security Assessment (CA)
- Audit security measures regularly to identify new vulnerabilities.
- Amend security measures to combat emerging threats.
System and Communications Protection (SC)
- Clearly define network boundaries, including cloud-based systems.
- Monitor and control communications at external and key internal boundaries, and encrypt CUI in transit.
System and Information Integrity (SI)
- Keep network components and software up-to-date and patched.
- Schedule regular updates for user software and devices.
Arrange for certification
For CMMC Level 1, organizations perform an annual self-assessment, report the result in the DoD Supplier Performance Risk System (SPRS), and annually affirm continuing compliance in SPRS.
For Level 2, there are two ways of certifying compliance: a self-assessment, or a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). The contract specifies which is required.
A C3PAO evaluates compliance with the required CMMC level; C3PAOs are themselves accredited by the CMMC Accreditation Body. A Level 2 certification is valid for three years. Contractors will need the result recorded in SPRS and must annually affirm continuing compliance there.
Assess CMMC compliance with Titania Nipper
Titania Nipper is a firewall and network device auditing tool with pass/fail reporting for CMMC 2.0 requirements. Its reports give an at-a-glance compliance posture in an assessor-ready format, providing evidence for both passed and failed checks, so that compliance reporting takes less effort and the team can focus on improving network security posture. Note that a configuration audit covers the technical requirements that can be verified on network devices; the policy, training and personnel requirements still need to be evidenced separately.