The CMMC 2.0 program rule is expected to be published in 2023, and it will likely take some time after that for the program to be fully implemented and for contracts to start requiring certification. However, some agencies are already beginning to include CMMC requirements in their solicitations.
To get a head start on compliance with the CMMC rule, companies are advised to begin their security and compliance work in Q1 of 2023, regardless of the rule's published status. Although there is some speculation that the CMMC 2.0 rollout will be delayed, it is best to start preparing now: implementing the controls for CMMC 2.0 takes an average of 12 to 18 months, so waiting for the final rule means starting late.
Start with NIST SP 800-171 implementation
The first thing to consider is how much time you will need to implement NIST SP 800-171.
Organizations are already required to comply with the NIST SP 800-171 requirements under DFARS 252.204-7012 and other existing DFARS clauses. In the summer of 2022, NIST announced its plan to revise NIST SP 800-171 over the following 18 months, with an initial public draft of SP 800-171 Revision 3 expected in late spring 2023.
This is significant for those who have yet to implement NIST SP 800-171, as they will likely need to comply with additional or changed controls in the revised version. Early adopters of CMMC who are already prepared for assessment are unlikely to be affected by the NIST update under an interim final rule scenario, as long as the CMMC rule continues to reference the revision they implemented.
Understand the two rulemaking scenarios for CMMC 2.0
The DoD might publish the CMMC program rule in the next few months. There are two possible scenarios for the CMMC program rule:
Scenario One: Proposed Rule "NPRM"
Under this scenario, the CMMC program rule would take effect only after the DoD adjudicates and responds to public comments by publishing a final rule in the Federal Register. Proposed rules follow the standard, and slower, notice-and-comment rulemaking process.
Scenario Two: Interim Final Rule "IFR"
The DoD has consistently pursued an interim final rule, under which the CMMC program rule would take effect upon publication, before the DoD adjudicates and responds to public comments in a later final rule. In that case, contracts could carry CMMC requirements almost immediately.
Have a realistic idea about the implementation timeline
Typically, it takes a 50-100 person company an average of 12-18 months to implement NIST SP 800-171 (CMMC Level 2). Given that timeline and the possibility of an interim final rule, most companies that have not yet started are already more than a year behind.
To be ready for publication of the CMMC rule in the next few months, contractors would have needed to begin implementation in Q4 of 2021, when CMMC 2.0 was originally announced. To be prepared for an IFR scenario, they should have started no later than Q1 2022.
Don't be dismayed, it's not too late to start prioritizing your CMMC 2.0 compliance.
Steps for meeting CMMC 2.0 deadline
Once you have figured out how much time it will take to achieve compliance, work through the steps below.
1. Determine the CMMC level applicable to your organization
The move from CMMC 1.0 to 2.0 reduced the number of levels from five to three. The first step in your CMMC compliance journey is determining which level your organization must meet. CMMC 2.0 consists of three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
Your organization's CMMC level depends on the type of data it handles, such as Federal Contract Information (FCI), Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) / Controlled Technical Information (CTI), and ITAR or export-controlled data, among others. Contractors that handle only FCI fall under Level 1; those that store, process, or transmit CUI need at least Level 2; Level 3 applies to a subset of programs handling the most sensitive CUI.
2. Determine the assets for CMMC 2.0
Meeting the DoD's supply-chain requirements starts with identifying which assets and data in your existing IT environment store, process, or transmit contract information (FCI) and sensitive data (CUI), and which pathways that data can flow through. Anything that touches FCI or CUI is in scope for assessment, so an incomplete inventory leads directly to an incomplete assessment.
Several factors must be taken into account when identifying assets for CMMC, including:
- The movement of data into and out of your existing environment.
- The locations where FCI and CUI are stored, processed, and transmitted.
- Who controls the systems that hold FCI and CUI, including cloud and managed service providers, since their responsibilities must be documented and their controls verified.
3. Conduct a gap analysis
Perform a detailed analysis of your current cybersecurity posture against the CMMC 2.0 requirements to identify gaps and areas that need improvement.
Consider engaging a Registered Provider Organization (RPO) authorized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB, now known as The Cyber AB) to conduct the gap assessment. An RPO advises and assists but does not certify you; its value is helping ensure that every requirement at your applicable level is addressed before a certified assessor sees it.
4. Develop a System Security Plan (SSP)
Create a formal document that describes your system boundary and explains how each applicable NIST SP 800-171 requirement is implemented, referencing the policies, procedures, and controls involved. It should also include an assessment of the risks associated with CUI and a plan to mitigate them. Requirements that are not yet fully implemented belong in a Plan of Action and Milestones (POA&M) with owners and target dates, as NIST SP 800-171 itself requires.
5. Implement cybersecurity controls
Implement the cybersecurity controls outlined in your SSP to meet the CMMC 2.0 requirements. For Level 2 this means the 110 NIST SP 800-171 requirements across 14 control families, including measures such as multi-factor authentication, encryption of CUI at rest and in transit, network segmentation, logging, and employee training.
6. Perform CMMC assessment
Conduct an internal audit to confirm that your organization meets the requirements of the appropriate CMMC level. This step involves reviewing policies, procedures, and controls, and testing them to verify that they are effective, not just documented.
To determine whether your team is ready for a full assessment, the CMMC Third-Party Assessment Organization (C3PAO) will typically provide a readiness checklist of items to review, such as:
- Completion of a pre-assessment or a formal self-assessment against the CMMC Level 2 requirements
- Definition of the assessment scope
- Selection of the assessment start date
- The contractual requirements driving the assessment (for example, the DFARS clauses in your contract)
- Contact information and clearly defined roles for both sides
7. Obtain certification and maintain compliance
After the CMMC Third-Party Assessment Organization (C3PAO) submits the assessment, the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB, now The Cyber AB) reviews it and makes the final certification decision for your organization.
Upon approval of the submitted assessment, the CMMC-AB notifies both your organization and the C3PAO. If everything goes well, your organization is awarded a CMMC certification valid for three years.
CMMC 2.0 compliance is an ongoing obligation, not a one-time event: you must continue to monitor, assess, and update your cybersecurity posture to remain compliant with your designated CMMC level and to be ready for reassessment.
It is important to note that achieving CMMC 2.0 compliance can be a complex and resource-intensive process. Whether it is mapping the compliance requirements against other standards and frameworks or helping with the documentation process, the 6clicks platform has everything you would need to simplify the complex process of CMMC 2.0 certification.
The 6clicks AI engine, Hailey, has already done much of the work for you by reviewing hundreds of standards and frameworks and has identified requirement overlaps. This helps you identify the requirements and more importantly the gaps you'll need to prioritize. In addition, the content library, a single-view dashboard, and a reporting & analytics suite make it easy to achieve and maintain compliance.
Take a tour of the 6clicks platform to see how automation can help you achieve CMMC 2.0 certification faster, meet the CMMC 2.0 deadline, and improve your overall Information Security Management System (ISMS).