The Cybersecurity Maturity Model Certification program (CMMC) is ramping up this summer—even though approved CMMC Third-Party Assessment Organizations (C3PAOs) are in short supply and timelines keep evolving. These hiccups might have you thinking you have all the time in the world to start working toward your CMMC certification. Unfortunately, that assumption just isn’t correct.
CMMC isn’t going away. Though the organizations waiting to receive their C3PAO status are stacking up, so are the thousands of DoD contractors who are waiting to achieve CMMC certification. Having the right controls in place isn’t just something you can wing, or pencil whip your way around. Now is the time to save your place in line so you don’t miss out on opportunities for government contracts. Here are five steps you can take now to get you closer to CMMC compliance.
Get to Know Your Data
Not every piece of data that resides in a contractor’s IT systems is classified—and it doesn’t have to be. In fact, CMMC largely focuses on protecting controlled unclassified information, or CUI. CUI covers a wide range of information, including software executable code, source code, technical reports, studies, analyses, intellectual property, engineering drawings, tax-related information, and much, much more.
Test Your Backups
Are you prepared to recover from an event that might compromise the integrity or availability of your data? Backing up all content—not just CUI—is a CMMC requirement. A loss of data can significantly impact your operations and, depending on CMMC level, impact national security. Now is the time to test your backup systems and confirm that they actually restore what you expect.
System recovery is a key focus of CMMC, specifically the ability to recover from any event that compromises the integrity and availability of data. The requirement is to back up all content, not just controlled unclassified information (CUI) and other critical content.
Create an Incident Response Plan
Speaking of recovering from an event, contractors with Level 2 or higher CMMC requirements must have an incident response plan in place that demonstrates your ability to detect, respond to, analyze, report, and test for incidents.
Practice Daily Cybersecurity Hygiene: That Means Everybody
CMMC success starts with every single person in your organization practicing cyber hygiene at all times. From the front desk to the C-suite, ensuring cybersecurity in your government contracting business is everyone’s responsibility. This goes beyond checking off the usual boxes of password updates and spotting phishing emails. Your firm needs to get cybersecurity right 100% of the time. Attackers only need to be right one time—the one time they find a weakness and move in for the kill.
There are 5 levels of CMMC cybersecurity hygiene, and each has its own requirements. Level 1 is basic cyber hygiene and includes 17 practices from NIST standards that companies should already be following when working for the DoD. The levels go up from there to Level 5, which includes 171 practices. Organizations at Level 5 have an advanced, progressive cybersecurity program in place and can assess and prevent advanced threats.
Even if CMMC weren’t a requirement for DoD contractors, you should be practicing cybersecurity hygiene anyway! With high-profile ransomware and leakware attacks making headlines with increasing frequency, it’s not a matter of if, but when, a compromise will take place.
Communicate with your Subcontractors
In addition to your own internal team, getting your subcontractors on the same page is also crucial to CMMC success—and it’s a requirement. Weaknesses in the DoD supply chain are most prevalent several levels down from the prime contractor. If you are a prime, know this: you are obligated to educate your subcontractors on the proper CMMC requirements and where CUI lives on your systems so they can begin their CMMC journey as well.
With thousands of DoD contractors already waiting to achieve CMMC certification, you don’t want to find yourself at the back of the line. No matter where you are in the process, SME can help you navigate it. We’re experts in CMMC certification requirements and implementation. Give us a call at 703-378-4110 or email firstname.lastname@example.org.