Understanding your data and which parts of it are subject to CMMC is a crucial step in achieving cmmc security. Controlled unclassified information (CUI) refers to a wide range of data, including tax-related information, sensitive intelligence data, patents, and intellectual property. Businesses must understand what CUI they collect, how it’s processed, and where it’s stored to establish the degree of CMMC compliance they need to achieve. CUI can be discovered, monitored, and classified using solutions such as Data Loss Prevention (DLP) tools.
- Determine your level of CMMC maturity.
For CMMC, there are five levels of certification. Each level builds on the previous one, so Level 2 criteria, for example, include all Level 1 requirements. In the DoD Requests for Information, the level of CMMC compliance required to participate in a bid will be indicated (RFIs). Because maturity levels vary per contract, businesses must achieve the greatest degree of CMMC accreditation available.
To continue working with DoD, it appears that most firms in the DIB supply chain will need either a CMMC Level 1 or a CMMC Level 3 accreditation. For Levels 1 through 3, the Department of Defense has supplied several appendices and assessment guides that companies can use to decide what level they will require or should aim for to participate in future bids.
After deciding on the CMMC level it wants to achieve and determining the controls it currently has in place as a result of other frameworks, an organization must fill in the gaps between existing measures and remaining CMMC controls. This may necessitate the creation of new organizational policies, processes, and standards. To accommodate this, an organization’s IT infrastructure may need to be updated. New software and IT security solutions may be required to fix security gaps and achieve CMMC security criteria.
- Obtain a certification from the CMMC.
DoD contractors could self-certify under NIST 800-171 and continue supplying products and services without attaining compliance with all NIST 800-171 security controls as long as any security holes were identified and stated in the Plan of Actions and Milestones. Both of these flaws have been closed by CMMC. The CMMC certification process will now be managed by the CMMC Accreditation Body (CMMC-AB), which will work closely with the Department of Defense. They’ve collaborated to create methods for accrediting third-party CMMC assessment firms that will analyze and certify CMMC levels.
