How To Implement CMMC At Your Organization
Implementing any security framework starts with knowing your organization and knowing the framework, and CMMC is no exception. Summit 7 Systems, a firm that specializes in helping DIB (Defense Industrial Base) organizations achieve compliance with CMMC and other frameworks, advises its customers to expect 7 main steps in preparing for a CMMC assessment (Summit 7 Systems, 2023). Their focus as a company is on Microsoft systems and MSP services, so their recommendations lean that way. Their steps nonetheless serve as a solid guide to what needs to be done to achieve certification, and I have reordered and added to them to make them applicable to a wider audience.
1. Identify Necessary Level of CMMC Compliance
As discussed in my previous post on CMMC, CMMC 2.0 is broken into 3 levels, and not every organization in the DIB will need to reach Level 3. Organizations should consider what kind of information they are likely to handle throughout their work with the DoD. Handling only FCI requires Level 1; handling CUI, including CTI (Controlled Technical Information, which is a category of CUI), requires Level 2; and CUI associated with the DoD's highest-priority programs requires Level 3. The level also determines who assesses you: Level 1 is a self-assessment, Level 2 is assessed by a C3PAO for most contracts, and Level 3 is assessed by the government (DIBCAC) on top of a Level 2 certification.
2. Identify In-Scope Assets
That is, identify the assets that CMMC will cover. Depending on the scale of the organization, the entire organization may not need to be CMMC compliant; only the parts that store, process, or transmit FCI or CUI, and the assets that protect them, must be, so establishing a scope is an important step. This includes identifying the endpoints, networks, network hardware, facilities, people, and policies that CMMC will apply to, and documenting that boundary in the System Security Plan (SSP).
3. Identify Areas That Need To Change
Decide whether the organization needs large-scale technical change to achieve certification. If so, choose a technical paradigm and design for the CMMC implementation. Depending on what the scoping step uncovered, the scale of an organization's CMMC implementation can vary greatly, and different technical solutions offer different advantages for different needs.
Specifically, cloud providers may offer low-cost, ready-made solutions for organizations with small-scale CMMC needs; note that a cloud service that stores or processes CUI must meet the FedRAMP Moderate baseline or an equivalent level, as DFARS 252.204-7012 requires. In contrast, organizations with large-scale CMMC needs may prefer to invest in on-premises infrastructure. This step also includes examining current security policies, logging policies, education policies, access policies, and all other in-scope items.
4. Implement Necessary Changes Identified in Step 3
Now it's time to implement the technical designs, policy changes, and any other identified items. This entails choosing specific cloud service providers and services, and/or designing and building the on-premises IT solution settled on in step 3, and configuring all in-scope services, endpoints, and network systems in accordance with the requirements of NIST SP 800-171. This step also includes updating or writing new policies and implementing them throughout the CMMC scope, and recording any requirement not yet fully met in a Plan of Action and Milestones (POA&M).
5. Ensure Changes Are Implemented Well Before Assessment
All previous steps should be completed well in advance of the 3rd-party assessment. Assessors will not be impressed, for example, if a new physical access control policy was implemented the day before the assessment, so organizations should make sure all in-scope changes are ingrained in company practice before assessment; an assessor looks for evidence that a control has actually been operating, such as access logs and training records, not just for the policy document. Organizations should self-assess against the assessment objectives in NIST SP 800-171A, and, depending on the scale of the CMMC implementation, it may be a good idea to have a 3rd party perform a CMMC readiness assessment to serve as a "dry run" for the live CMMC assessment (AuditorSense, 2021).
6. Maintain Changes
Make and implement plans for the maintenance and upkeep of in-scope services, policies, and practices. This can mean engaging an MSP or MSSP if the organization has no dedicated IT or security department, or making sure the IT department has the resources to manage and maintain the new CMMC infrastructure. It also involves regular training, policy review, and self-assessment of CMMC compliance, which is not optional: the CMMC rule requires a senior official to affirm continued compliance annually.
7. Schedule CMMC Assessment
Finally, the assessment can be scheduled and completed. If all goes well, the organization is now certified at its target CMMC level.
What Is Necessary for CMMC Compliance?
Speaking broadly, CMMC was created to verify compliance with NIST SP 800-171. As such, the domains of NIST SP 800-171 go hand in hand with the 7 steps listed above and should be considered at each step of the preparation and implementation process. CMMC Level 2 adopts the 110 requirements of SP 800-171 directly, so now that CMMC 2.0 is live, implementing a requirement in 800-171 is the same as implementing the corresponding CMMC practice. NIST SP 800-171 is meant to provide controls for how contractors and subcontractors handle and secure CUI (Harrington, 2022). At a high level, it is broken into 14 families (CMMC calls them domains), which provide a bird's-eye view of what CMMC implementation will entail.
The list below is referenced from NIST SP 800-171, and the descriptions are brief summaries of the controls described in each section of the document (Ross et al., 2024). One caveat: the 14 families are those of Revision 2, which is the revision the CMMC rule assesses against; Revision 3 (2024) adds three more (Planning, System and Services Acquisition, and Supply Chain Risk Management) and renumbers the requirements, so check which revision a given contract references.
- Access Control: Control who has access to data, limit users to the access their roles require, and manage their access needs over time.
- Awareness and Training: Provide security awareness training, and ensure employees have the proper role-based training for their positions.
- Audit and Accountability: Create audit logs, ensure actions can be traced to individual users, and protect, organize, and analyze audit logs and data.
- Configuration Management: Inventory systems and maintain baseline and security configurations for all of them, track and log configuration changes, and consider the security implications of any change before making it.
- Identification and Authentication: Identify and authenticate all system users, processes, and devices; use MFA (required for privileged accounts and for all network access); and implement other relevant controls to prevent authentication bypass.
- Incident Response: Create incident response plans, track and report incidents, and test response capability.
- Maintenance: Provide resources for and perform maintenance on all organizational systems, and do so responsibly and in accordance with other security requirements (e.g., supervising maintenance personnel who lack the required access and sanitizing equipment before it leaves the facility).
- Media Protection: Secure physical media that contains sensitive information, mark and identify such media, control its use and access to it, maintain accountability for that access, and sanitize it before disposal or reuse.
- Personnel Security: Screen and vet personnel, and tightly control access to sensitive systems during and after terminations, transfers, or other high-risk personnel transitions.
- Physical Protection: Limit physical access to systems, equipment, and facilities; escort visitors; maintain access logs; and control physical access devices (e.g., keys and badges).
- Risk Assessment: Perform periodic formal risk assessments, scan systems for vulnerabilities, and remediate any that are found.
- Security Assessment: Perform periodic assessments of security controls, monitor and assess the effectiveness of controls, maintain an understanding of system boundaries and scope, and document all of this in the SSP and POA&M.
- System and Communications Protection: Monitor and secure communications in and out of the organization, separate and segment networks according to function, and implement appropriate network security solutions (e.g., FIPS-validated cryptography for CUI in transit).
- System and Information Integrity: Identify, report, and correct system flaws; deploy and update antivirus and/or IDS/IPS/EDR solutions; and monitor for and respond to security alerts and unauthorized access.
References
- Ross et al. | 2024 (NIST SP 800-171)
- Summit 7 Systems | 2023
- Harrington | 2022
- AuditorSense | 2021