By now, DoD contractors already mired in the complexities of Cybersecurity Maturity Model Certification (CMMC) know one thing for certain: the process takes time—anywhere from six to 12 months, depending on the maturity of your company’s security level, policies, and procedures. If you want to continue to win government contracts, and you haven’t started the CMMC process yet, it’s crunch time, and a last-minute cram session won’t cut it in this case.
There is a LOT that goes into the CMMC certification process. While not all DoD contractor’s compliance journeys will be the same, those who are ahead of the game have some valuable insights that every organization can apply. To help ensure you start your CMMC efforts off on the right foot, here are some lessons learned by Certified Third-Party Assessor Organizations (C3PAOs).
Don’t Skimp on Standard Operating Procedures (SOP)
At CMMC Level 2, organizations are required to document a system security plan, practices, and policies that allow staff to perform processes that are repeatable and consistent. Best practices show that having robust, detailed, step-by-step procedures, including a well-defined purpose, scope and roles and responsibilities for each activity, is important for a successful CMMC.
Make an Incident Response Plan a Priority
Also high on the list of lessons learned is establishing a formal and proactive Incident Response (IR) plan and regularly test the plan to increase your organization’s ability to respond to security incidents.
Know Your Network Inside and Out
Get to know your network—and the people who use it—intimately! Start by performing an audit to accurately assess your network devices and approve all of the devices connected to your network, the applications and software they are running, including your email system, and create a list. And, know your data stored on your network. CMMC focuses mainly on protected controlled unclassified information (CUI) which can include software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, to name a few.
Get a Grip on Daily Cybersecurity Hygiene
Checking in on your organization’s cybersecurity measures everyday isn’t just a suggestion, but a must. And it’s much more than protecting passwords and telling employees not to click on phishing links. There are 5 levels of CMMC cybersecurity hygiene, each with their own requirements. One way to get a handle on daily cybersecurity hygiene—and show your due diligence—is through a dashboard-driven tool like SME’s state-of-the-art Compliance Management Platform, that gives you the visibility you need to know the real-time status of all your programs.
Need CMMC Assistance?
If you bid on DoD contracts, don’t wait any longer to start your CMMC certification process. SME will work with you to prepare and navigate CMMC and help you maintain your maturity levels. Give us a call at 703-378-4110 or email firstname.lastname@example.org.