Achieving CMMC compliance is crucial for organizations dealing with the Department of Defense (DoD).

During a recent Fortify Experts CISO roundtable, security leaders shared their strategies and insights on streamlining the CMMC compliance process. 

Brian Rhodes, a certified CMMC assessor with iFortriss, gave an overview presentation of CMMC, which can be found here: CMMC Overview and Compliance Process

The conversation was supported by two other CMMC assessors including:  

This summary captures their recommendations, experiences, and possible shortcuts to expedite compliance without compromising security.

CMMC compliance is daunting due to its stringent requirements and comprehensive standards.

Although the CMMC framework is complex, it is designed to protect critical information.

Brian Rhodes

Key Challenges:

  1. Understanding CMMC Level Requirements: Many organizations struggle with comprehending the full scope of CMMC requirements.
  2. Resource Allocation: Smaller organizations often lack the resources needed for full compliance, which can be a significant barrier to achieving CMMC certification.
  3. Maintaining Continuous Compliance: CMMC is not a one-time effort; it requires continuous monitoring and updating. Ensuring ongoing compliance is as challenging as the initial certification.

Historical Context and Evolution

Rhodes gave a historical overview to emphasize how long the CMMC requirements have existed and how they have evolved. The underlying requirements have been around for 6.5 years; the CMMC framework has evolved over the last several years, and in December 2017 these rules gained more substance.

Predicted Future Trends

Looking ahead, Rhodes speculated about future developments:

  • 2024:  Should set the final standard for the CMMC on all new DoD contracts.
  • 2025:  Will see a smoother certification process based on pilot programs and refinements. 
  • 2026:  CMMC is expected to expand beyond defense contracts.

Practical Strategies to Streamline CMMC Compliance 

  1. Determine Your Required CMMC Compliance Level – The primary goal of CMMC is to standardize how Federal agencies define two types of Federal Data:
  • Federal Contract Information (FCI) – Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government
    • Requires CMMC Level 1  
      • 17 Controls
      • 59 Assessment Objectives
      • Annual Self-Assessment
      • Senior Official Affirmation
  • Controlled Unclassified Information (CUI) – Information that needs to be protected or shared according to applicable laws, regulations, and government-wide policies, but is not classified
    • Requires CMMC Level 2
      • 110 Controls
      • 320 Assessment Objectives
      • Triennial CMMC Third Party Assessment Organization (C3PAO) Assessment
      • Year 2 and 3 Annual Self-Assessment with Senior Official Affirmation
  2. Begin Early:
    • Don’t wait until it’s too late.
    • Plan for 12-18 months to achieve CMMC compliance.
    • There are fewer than 500 C3PAO assessors and thousands of firms that need to be assessed.
    • Expect limited C3PAO resources by the end of 2024.

You’ve got a limited amount of runway ahead of you, whether that’s 6 months, 12 months, or 24 months; use that. Spend a little money each month. Don’t wait till the end and try to stuff 10 pounds into a 5 pound bag.

Dr. Chris Golden

3.  Assess Current Maturity

  • Level 1:  Establish a Maturity Baseline with a CIS Self-Assessment.
  • Level 2: Engage NIST CSF Assessor (i.e. FortifyExperts.com) – to affordably identify gaps and raise cyber maturity. 
  • Level 3: Engage C3PAO Assessor (i.e. iFortriss.com) for a mock CMMC assessment to achieve a Supplier Performance Risk System (SPRS) Score to evaluate CMMC readiness and prepare for the CMMC Audit.

4.  Outsource IT to CMMC Certified Providers – Outsourcing IT can Accelerate CMMC Compliance by Offloading Scope

  • Managed Service Providers (MSP): Outsourcing the ongoing support and management of technology infrastructure to a CMMC Certified MSP can reduce the compliance scope. They may also bundle hardware, software, or cloud technology as part of their offerings.
  • Managed Security Service Providers (MSSP): Leveraging MSSPs that offer CMMC Compliant network security services can also help organizations elevate security to a CMMC level by protecting their devices, systems, and applications from cyber threats.
  • Cloud Service Providers (CSP): Identifying on-demand cloud computing resources that are already CMMC / FedRAMP compliant can simplify areas such as storage, computing power, or application security compliance.

They’re going to ask, “Is your service provider CMMC Certified?” “They’re working on it.” – is not a great answer.

Matt Palguta 

You can outsource responsibility, but you cannot outsource accountability. 

5.  Create a Secure Enclave

Enclaves play a crucial role in achieving CMMC compliance. By segmenting DoD operations into enclaves, organizations can better isolate and secure their data, thereby shortening the path to CMMC compliance.

Enclaves are a way you can put things in scope, out of scope, and really isolate the necessary network functions.

Brian Rhodes

  • Physical Enclave: Create a secure workspace free from all other interactions (i.e. card key access, a highly secure work room with no cell phones allowed and no public internet).
  • Application Enclave: Configure applications to STIG standards (see stigviewer.com), which are specific hardened configurations of applications that achieve DoD-level security so they can be used over the unsecured public internet.
  • Workspace Enclave: Deploy all applications within a DoD approved secure isolation workspace to dramatically reduce the threat landscape. Check out this Workspace Enclave: Fortified Desk.

Other CMMC Best Practices:

  1. Regular Training and Drills: Frequent training sessions and compliance drills keep organizations prepared.  Regular CMMC drills ensure that all employees are aware of the requirements and their roles.
  2. Strategic Planning: Developing a detailed compliance plan that includes risk assessment and mitigation strategies is vital.  A well-structured plan can significantly reduce the time required for compliance.
  3. Utilizing External Experts: Engaging consultants who specialize in CMMC can provide valuable guidance and reduce the learning curve. External experts can offer insights and shortcuts that are not immediately obvious.
  4. Leveraging Zero Trust for CMMC Compliance: Adopting Zero Trust Principles is an effective security model that can aid in achieving CMMC compliance by ensuring continuous verification of users and devices.

Existing tools can often be configured to support Zero Trust, reducing the need for new investments.

Matt Palguta

  5. Measuring Success in CMMC Compliance: Effective CMMC metrics are vital for demonstrating progress and effectiveness in achieving CMMC compliance. They help in making informed decisions and showing value to stakeholders.

Key Metrics to Track

  • Compliance Scorecards: Use scorecards to track progress against CMMC requirements.  Scorecards provide a clear view of where we stand and what needs improvement.
  • Risk Indicators: Track key risk indicators to identify potential compliance issues. Risk indicators highlight areas of concern that need immediate attention.
  • Operational Metrics: Monitor operational metrics to ensure that compliance processes are effective and efficient. Operational metrics help in assessing the effectiveness of the compliance efforts.

Efficiency Tips and Tools

  1. Automation Tools: Leveraging automation for routine tasks can save time and reduce human error.  Automation tools are essential for managing repetitive compliance tasks efficiently.
  2. Real-Time Monitoring: Implementing real-time monitoring systems helps maintain continuous compliance. Real-time monitoring ensures that any deviations from compliance standards are immediately detected and corrected.
  3. Using GRC Tools: Using a GRC tool to manage documentation and provide evidence of compliance is critical and can streamline the process.  Contact Brian Rhodes or Tim Howard for GRC Tool recommendations.

Particularly for small and medium organizations: find that trusted advisor for your internal staff, somebody that they can reach out to, and you could sleep better at night when your IT folks said, “Yeah, we got this.”

Matt Palguta

Conclusion

Achieving CMMC compliance is challenging but essential for organizations working with the DoD. By leveraging strategic planning, utilizing external expertise, adopting Zero Trust principles, and effectively using metrics, organizations can streamline the compliance process. 

Continuous education, rigorous planning, and robust metric tracking are crucial for enhancing cybersecurity posture and resilience against evolving threats.

By focusing on these strategies, organizations can significantly improve their security posture and be better prepared to handle future cybersecurity challenges while achieving and maintaining CMMC compliance.

About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies create higher-performing teams through People (Executive Search and vCISO/Advisory consulting), Process (NIST-based 3rd party security assessments and Leadership Coaching), and Technology (security simplifying solutions).

How I can help you:

  1. Join over 30,000 people getting free security leadership improvement advice: follow me on LinkedIn. www.linkedin.com/in/timhoward
  2. If you want to raise the expertise or performance level of your security team, Contact me.
  3. If you don’t have a Clear Picture of Your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap Contact me.
  4. Join our interactive Monthly CISO Forums.
  5. If you are looking to simplify cybersecurity, check out Fortified Desk. The secure, instantly deployable workspace.
