5 Ways Consulting with a Registered Practitioner Can Help You Become CMMC Compliant
If you’re in the Department of Defense supply chain, you know that there are new cyber security requirements coming down the pipe.
Full Cybersecurity Maturity Model Certification (CMMC) compliance is rolling out in 2021 to a pilot group of roughly 15 DoD prime contracts and the subcontractors that support them. By 2025 the requirement is scheduled to reach the whole network of suppliers. If you’re not part of that pilot group, you still have things to do right now.
You may have already received notice that your organization needs to provide a self-assessment (under the DFARS interim rule, this is a NIST SP 800-171 self-assessment score posted to the Supplier Performance Risk System, SPRS). This is just the first step in the journey to align with cybersecurity standards, but it’s already causing problems for companies because they don’t know exactly what they’re supposed to do.
Look to a CMMC Registered Practitioner (RP) to get the consulting you need to untangle all the jargon, figure out what you need to do, and save on future CMMC assessment costs at the same time.
Here’s how a Registered Practitioner can help you to become CMMC compliant:
1. Interpret CMMC Requirements
If you’re at Level 1, compliance doesn’t look so hard: the 17 Level 1 practices only have to be performed, not documented. Most companies, however, are ultimately going to need to certify at Level 3. At that level you must have the security controls in place, and you must have documentation backed by tangible evidence that each control is operating.
The official CMMC documentation for Level 3 is hundreds of pages long and covers 130 separate practices, plus the process-maturity requirements layered on top of them. That’s a lot! Roughly half of the practices are technical controls and the other half are concerned with policies and procedures governing who may access data and how.
Unless they have experience with security compliance, it’s unrealistic to expect your IT and HR managers to be able to create a compliance plan on their own. A Registered Practitioner (RP) is trained to translate CMMC standards into security controls. An RP saves your team time, frustration, and work by providing guidance and recommendations.
2. Scope the Extent of Compliance
The first thing you need to do to comply with CMMC is to determine exactly what data you need to protect and where it’s stored on your network.
Your entire network may not need to follow CMMC standards, only the portion that stores, processes, or transmits Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and controlled technical data. Your contract should tell you which of these you handle.
A Registered Practitioner can help you figure out how this data flows through your organization and give you recommendations for how you can segment your network, and modify processes so that the DoD data doesn’t touch anything else.
Narrowing down the scope of CMMC standards to exclusively apply to the controlled data will also help you to save on assessment costs when it’s time for your audit.
3. Perform a Gap Analysis
After you’ve figured out what data you’re protecting and where it’s stored, you need to see what security practices are already in place that can be applied to compliance, and where you fall short. A Registered Practitioner can do a Gap Analysis to reveal that information.
An RP will go through the CMMC controls one by one to get a yes or a no. If the answer is “yes”, the RP will then look to see if you have evidence for the control. Any “no” answers will go to a list for remediation. Some of the work for the Gap Analysis can be done remotely, but the RP will also need to visit your physical site.
It’s very important that you get a Gap Analysis done as soon as you know that you need to comply with CMMC, because it gives you a clear picture of your readiness for an audit. Depending on your situation, you may need to invest in hardware or software, as well as put ongoing management tasks in place. You’ll also need time to train your people to follow your non-technical policies.
Finally, you must be able to show that the controls and processes have been in operation for a period of time, not just switched on the week before the assessor arrives.
4. Create a Remediation Plan
When you’re done with your Gap Analysis, you’re going to end up with a list of controls that you need to implement. These aren’t always clear cut. If you need additional technical measures, a Registered Practitioner (RP) can help you identify the technologies that will be compatible with your IT environment.
When it comes to security policies, an RP can save you a lot of time by guiding you to templates that you can customize, and provide recommendations for training and enforcement.
Compliance isn’t just a matter of passing an audit, but of setting up processes and practices that provide ongoing security, so the list of recommendations that an RP gives you will be made with long-term management in mind.
5. Prepare Evidence of Security Control Implementation
Getting ready for a CMMC audit means that you not only have to have the controls in place, you have to be able to prove them. Level 2 requires documentation for your security controls. Level 3 requires documentation plus two independent pieces of evidence for each control, typically drawn from the assessor’s three methods: examining artifacts (documents, configurations, screenshots), interviewing staff, and testing the control.
For example, if you are restricting access to a share on your network, you could provide a screenshot of the access control configuration on the server (examine), and the assessor could interview the person responsible for enforcing that restriction (interview).
A Registered Practitioner can help you identify appropriate evidence for each control and organize it so that when you have your audit, it’s easily accessible.
CMMC Consulting in Southern California
Accent Computer Solutions is a Southern California-based Registered Practitioner Organization (RPO), and provides CMMC consulting through the services of on-staff Registered Practitioners. We can help you create a path to CMMC compliance so that you can continue to be a valued DoD supplier.
About Corey Kaufman
Corey is Director of Client Development for Accent Computer Solutions, Inc. He earned his B.S. in Business Management and Political Science from San Diego State University in 2007. In his role as Director of Client Development, Corey leads the Technology Consulting and Client Success teams, and works closely with all other departments to ensure clients can achieve their business goals without technology getting in the way. Corey is also a Registered Practitioner (RP) for CMMC consulting.