So, the CMMC rule is here. What now?
You’ve probably heard about the updates to the Cybersecurity Maturity Model Certification (CMMC) requirements. Your first reaction might be, “What does this mean for me?” Before getting overwhelmed, take a breath and step back. Here’s how you can make CMMC work for your business.
No Apologies Necessary
First things first: no need to apologize for the challenges you’re facing. Running a business in the Defense Industrial Base (DIB) is tough, especially in recent years. If your business has been around for five years or more, you’ve survived…
- A global pandemic
- Remote work disruptions
- Supply chain bottlenecks
- The Great Resignation
- Inflation surges
- Government shutdowns
You’re still standing, which shows you have what it takes to thrive! The DIB is the backbone of our country’s defense capabilities, and your team of experts is vital to maintaining that strength. Don’t apologize for prioritizing your limited resources to keep your business afloat in turbulent times.
Evaluate What You’ve Already Done
Before diving into new tasks, take stock of what’s already in place. You’re likely closer to compliance than you think. Document everything, including:
- Continuity of Operations Plan (COOP) or Business Disaster Recovery Plan (DRP): These plans overlap with CMMC requirements and help ensure your business can keep running during disruptions.
- Policies & Procedures: You’ve likely developed solid security habits. Make sure your policies & procedures are written down and signed by the responsible party in your company, and take a little time to map them to the CMMC controls if you haven’t already.
- Employee Roles List (ERL): Make sure responsibilities are clear and that there are no gaps in the ownership of your key business systems and processes.
- Existing IT Infrastructure: Many businesses already have robust IT systems in place, such as Virtual Private Networks (VPNs), firewalls, and encryption tools. These systems can be adapted to meet CMMC controls. You may be farther along than you expect if you already use a cloud system – especially if your chosen cloud is already FedRAMP authorized or your vendor has a FedRAMP authorized cloud to which you can migrate.
- Access Control Systems: If your company uses role-based access control (RBAC), you’re already on the path toward securing CUI by controlling who accesses sensitive data.
- Incident Response Plan: If you’ve developed an Incident Response Plan (IRP) or a Business Continuity Plan (BCP), you’re halfway there. These plans can be refined to meet specific CMMC requirements.
- Security Awareness Training: If you’ve been providing your employees with cybersecurity training, you can expand this training to include CMMC-specific content, such as insider threat detection and handling Controlled Unclassified Information (CUI).
- Antivirus/Anti-malware Solutions: Already using antivirus tools? Great! These tools meet one of the basic CMMC requirements for threat detection.
- User Authentication Solutions: Existing solutions like Multi-Factor Authentication (MFA) or login monitoring can be expanded to cover all systems, satisfying a key CMMC requirement.
- Backup and Disaster Recovery Solutions: If you’re conducting regular data backups, this can be documented as part of your compliance strategy to ensure data resilience. (Make certain your data backup solution is in your DRP.)
- Physical Security Measures: Badge access to offices, locked server rooms, and CCTV monitoring may already meet CMMC physical security requirements for sensitive areas. (Note: pay special attention to the vendor of your CCTV/IP cameras per NDAA Section 889.)
- Vendor and Subcontractor Management Programs: If you’re already vetting third-party vendors, build on this fact to meet CMMC’s requirements for external service providers that handle CUI.
- IT Service Management (ITSM) Tools: If you use a ticketing system anywhere in your business to log and track incidents, you have the basic tool you need for CMMC’s incident response. If you have more advanced tools like those for remote monitoring and management (RMM) or endpoint management, then you may only need a configuration change management and testing process to meet CMMC’s configuration management requirements.
- Audit Logs: Existing logging systems that track user activity, access events, or changes can be used to meet CMMC’s requirements for auditing and accountability.
- Existing Security Certifications: If you have certifications like ISO 27001 or have gone through a NIST SP 800-171r2 or NIST CSF self-assessment, much of the groundwork for CMMC compliance is already in place.
- Insider Threat Programs: A program monitoring insider threats for NISPOM or similar regulations can be expanded to meet CMMC insider threat requirements.
- Data Labeling Schemes: If your organization has a basic system for labeling sensitive data, this can be adjusted to meet CMMC’s guidelines for CUI and FCI protection.
Assemble the Right Team
You can’t do everything alone, and that’s okay. The key to successful CMMC compliance is having the right people in place. Consider the following team structure:
CMMC Lead (by Size)
This person is usually a senior leader or project manager responsible for the entire CMMC project. The CMMC Lead ensures milestones are met, coordinates efforts across departments, and communicates with executives.
Responsibilities:
- Own the CMMC certification process.
- Track project metrics and communicate with the executive team.
- Act as the central point of contact for CMMC auditors.
IT & Security Subject Matter Experts (SMEs)
These professionals, whether internal or external, review your systems and processes to ensure they meet CMMC technical controls.
Responsibilities:
- Assess your IT infrastructure for CMMC compliance.
- Identify and fix gaps in technical controls, such as those required by NIST SP 800-171.
- Collaborate with the CMMC Lead to implement solutions.
External CMMC Consultants
These experts specialize in CMMC frameworks and can guide you through the assessment process.
Responsibilities:
- Offer advice on CMMC strategies and create necessary documentation like System Security Plans (SSP).
- Conduct mock assessments and readiness reviews.
- Guide remediation efforts.
Legal Advisors
These professionals understand both regulatory and contractual obligations and ensure your compliance efforts align with regulations like CMMC, ITAR, EAR, and DFARS.
Responsibilities:
- Translate regulatory language into actionable practices.
- Ensure contracts reflect CMMC compliance.
- Provide risk management and liability mitigation advice.
Managed IT & Security Services
These third-party providers handle ongoing IT infrastructure, security monitoring, and incident response.
Responsibilities:
- Provide continuous monitoring and compliance assessments.
- Implement security technologies such as SIEM and firewalls.
- Support incident detection and response efforts.
Ignore the Noise, Focus on the Basics
With the new CMMC rule in place, it’s easy to get caught up in the flood of information and panic-driven posts. However, you don’t need to read every regulation or standard. Focus on the essentials that matter to your business. Following these core steps will help you not only work towards CMMC compliance but also improve your overall operations:
- Evaluate what you’ve already done. We mentioned it before, but we’ll say it again: you’ve kept a DIB business running in difficult times. Review the information above, and document what you already do to keep your business running.
- Assemble the right team. See the recommended team roles and responsibilities above. Make sure some team members have experience with your company’s goals, contracts, business systems, processes, and procedures, and that others have experience working in and for companies that have addressed CMMC challenges like yours.
- Assess your gaps and start a plan. Work with your Team to map what you already do to CMMC requirements. Make a list of what’s missing or needs more investigation. This list is the start of your plan. You don’t have to have every solution mapped out right away. Your plan is a living document. At first, the number of unfinished tasks in your plan will grow, but you have a Team to work on this task and move you towards CMMC compliance. You’re not alone.
- Address quick wins. Some actions will provide big returns quickly. Consider implementing the following “quick wins” if you haven’t already done so:
  - Move business systems that need to handle CUI to the correct FedRAMP authorized cloud. (The “correct” cloud is both FedRAMP authorized and meets the minimum requirements to handle CUI. Also consider the implications of other data your business handles that requires special data integrity and security – e.g., International Traffic in Arms Regulations or ITAR.)
  - Secure access to your business systems with Multi-Factor Authentication (MFA).
  - Implement a Security Information and Event Management (SIEM) solution to monitor systems and respond to potential threats in real-time.
  - Conduct background checks for your team and subcontractors to meet CMMC requirements related to personnel security and preventing insider threats.
  - Conduct regular cybersecurity and insider threat training for employees, and keep the records.
These steps aren’t just compliance checkboxes; they are business-enhancing capabilities that keep you competitive, reduce risk, and ensure regulatory adherence.
Conclusion
CMMC compliance isn’t just a mandate – it’s an opportunity to strengthen your business. Stick to the basics; focus on progress and leverage the expertise around you. No apologies – just action.