Conducting a Cybersecurity Maturity Model Certification (CMMC) assessment is a significant step towards obtaining CMMC certification as tangible evidence of compliance.
CMMC assessments validate whether your business implements the security requirements of the program’s current iteration, CMMC 2.0. The program applies to Department of Defense (DoD) contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); companies outside the DoD supply chain are not required to be assessed.
Skimping on CMMC assessments can throw you off the merit list of potential DoD vendors. Depending on the severity of the infraction, your business could suffer additional financial and legal consequences.
To help kick-start your journey towards CMMC certification, we’ve compiled a comprehensive guide to conducting robust CMMC audits in your organization. The procedure will focus on preliminary preparations ahead of C3PAO-supervised assessments.
1. Determine Your Organization’s CMMC Maturity Level
The current Cybersecurity Maturity Model Certification program rule, published in October 2024, introduced a number of changes. One of them was the reduction of maturity levels from five to three.
The first step in preparing for a CMMC assessment is establishing which maturity level your contracts require. The level determines whether you can self-assess or must engage a CMMC Third-Party Assessment Organization (C3PAO) in the first place.
Level 1
Also known as the Foundational Level, CMMC Level 1 covers basic cyber hygiene practices such as access control, identification and authentication, and physical protection.
It consists of the 15 basic safeguarding requirements in FAR 52.204-21, which are a subset of the NIST SP 800-171 controls, and applies to defense contractors that handle Federal Contract Information (FCI) but not CUI.
Defense Industrial Base (DIB) companies at CMMC Level 1 self-assess annually and submit an annual affirmation of compliance; no third-party assessor is involved.
Level 2
CMMC Level 2, the Advanced Level, governs how DIB companies handle Controlled Unclassified Information (CUI). It is based on the 110 security requirements in NIST SP 800-171 Rev. 2.
Level 2 comes in two forms, and the contract specifies which applies. Some contracts allow a Level 2 self-assessment; contracts involving more sensitive CUI require a Level 2 certification assessment conducted by a C3PAO. C3PAOs (CMMC Third-Party Assessment Organizations) are independent assessors authorized by the Cyber AB (formerly the CMMC Accreditation Body) to conduct CMMC certification assessments.
Level 2 assessments, whether self-assessments or C3PAO assessments, must be repeated every three years, with an affirmation of continued compliance submitted annually in between.
Level 3
Known as the Expert Level, Level 3 targets businesses that handle the most sensitive defense information. It is designed to counter Advanced Persistent Threats (APTs) along the defense supply chain.
CMMC Level 3 requires all Level 2 controls plus 24 selected requirements from NIST SP 800-172. Level 3 assessments are not performed by C3PAOs; they are conducted by the government, specifically the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center (DIBCAC).
However, a defense vendor must hold a final Level 2 certification from a C3PAO before it can undergo a Level 3 assessment, so C3PAOs still play a critical role on the path to Level 3.
2. Conduct a Gap Analysis
Now that you understand the CMMC maturity level that applies to your organization, conduct a gap analysis.
A gap analysis compares the controls you actually have in place against the controls your maturity level requires, and identifies every requirement that is unmet or only partially met. Each gap is a weakness that an attacker could exploit to compromise FCI or CUI, and each one will count against you in a formal assessment.
Start by defining the assessment scope: identify every asset that processes, stores or transmits FCI or CUI, along with the assets that provide security for them. This includes networks and cloud services, endpoints and removable media such as USB drives, and the people who handle the data. Anything that falls inside this boundary is in scope for the assessment.
Next, compare your current information management practices against CMMC’s controls, based on your maturity level.
3. Implement the Required Controls
Remediate the weaknesses uncovered during the gap analysis before scheduling a C3PAO assessment. For each unmet requirement, implement the control as defined in the CMMC framework for your maturity level, and collect the evidence (configurations, logs, screenshots, procedures) an assessor will ask to see.
The DoD offers some flexibility for organizations seeking CMMC Level 2 compliance. A contractor that meets at least 80% of the 110 requirements (a minimum score of 88) can receive a conditional certification, provided the unmet requirements are ones the rule permits on a Plan of Action and Milestones (POA&M); higher-weighted requirements cannot be deferred this way. The contractor then has 180 days to close out the POA&M, or the conditional status expires.
However, since you’re still prepping for a proper CMMC C3PAO audit, it’s best to aim for the maximum score with each preliminary assessment.
4. Revise Your Policy Documents
Each cybersecurity audit (whether it’s a self-assessment or a C3PAO-led evaluation) should culminate in revising your current policy documents.
The most critical document here is the System Security Plan (SSP). An SSP describes the system boundary, the environment in which the system operates, and how each required security control is implemented. NIST SP 800-171 itself requires one (requirement 3.12.4), and an assessment cannot proceed without it.
During a C3PAO assessment, the lead assessor will begin by reviewing your SSP. The document lets the assessment team spot compliance gaps immediately, before they examine a single system or interview a single employee, so inaccuracies in the SSP become findings.
Therefore, make sure your SSP is accurate and current: every statement in it should be something you can back up with evidence on the day of the assessment.
5. Engage an Accredited C3PAO
The final step in preparing for a C3PAO-led assessment is to engage an authorized C3PAO.
First, head to the Cyber AB Marketplace to locate authorized assessors. Choose a C3PAO that is listed as Authorized, not merely as a Candidate, since only authorized C3PAOs can conduct certification assessments.
It’s also best to choose an experienced C3PAO. To gauge the organization’s experience, ask how long it has been active and how many CMMC assessments it has completed.
Ask for references from previous CMMC clients and contact those organizations to learn about their experience working with the C3PAO. Online reviews can provide additional insight into the assessor’s reputation.
Maintaining CMMC Compliance With Regular Assessments
Obtaining CMMC certification isn’t the end of CMMC assessments.
According to the Department of Defense, CMMC Level 1 businesses must self-assess annually, while Level 2 organizations must repeat their assessment (self-assessment or C3PAO assessment, as the contract requires) every three years, and Level 3 organizations must undergo a government-led assessment every three years. The DoD further requires an annual affirmation of continued compliance at all CMMC levels.
Therefore, it’s prudent to conduct CMMC evaluations frequently. It enables you to better understand your cybersecurity posture and determine your organization’s compliance with relevant CMMC protocols.