Maintaining a CMMC Program – Best Practices


Maintaining a CMMC program requires that organizations apply management system principles in their daily cybersecurity programs.  These activities are essential for Department of Defense (DoD) contractors to remain compliant.

Current CMMC Requirements

Currently, CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational comprises the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced comprises 110 practices which are aligned with NIST SP 800-171 Revision 2.  This is a set of security practices and security standards for non-governmental organizations that handle Controlled Unclassified Information (CUI).  It requires that a third-party assessment be conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.

Upon further investigation, one will find that NIST SP 800-171 references over half a dozen other documents that together run to thousands of pages.  While these documents describe the implementation of controls and the development of a risk management framework, they often fail to provide solutions that are easily integrated into business practices.

The Dynamics of Cybersecurity

Maintaining an Information Security Management System (ISMS) requires that the organization conduct regular risk assessments.  These assessments should include internal and external factors that are regularly in flux, such as external threat dynamics and changes in the systems and locations where CUI is handled within the organization.

The organization should also consider third parties involved with the organization, including contractors and vendors who may impact the confidentiality, integrity, or availability of information.  Regular review of these external providers is advisable.

Beyond Technology

The weakest link in a cybersecurity program often does not reside within the digital realm.  People and places present very real risks that can be easily overlooked.  The screening of persons who will have access to CUI should be reviewed regularly.

Those who have been screened should receive sufficient education and training on information security policies and practices.  Physical controls should be regularly reviewed to ensure that areas are secure and that clear desk and clear screen practices are being employed.

The Importance of an Internal Audit

Internal audits are used in businesses to assess the organization’s ability to maintain compliance.  These audits should be conducted regularly, and their criteria and scope should be adequately defined.  They should include an examination of procedures and security plans to evaluate their effectiveness and whether they are being implemented in actual operations as envisioned.  The findings from these audits should be presented in a way that is relevant to management, as they serve as a major input for management review.

The Role of Management Review

It is essential that management be involved with the cybersecurity program to ensure that requirements are integrated into organizational processes.  Management must retain responsibility for seeing that all objectives are met and that the program has sufficient resources.  To make these decisions, it is necessary that all functions of the program are monitored and measured.

Management review should consider the actions taken after previous reviews to ascertain their effectiveness.  It should also consider changes, both within and external to the organization, that may affect information risks.  Consideration should also be given to incidents and events that may have occurred so that improvements to the program can be instituted.

CMMC in Action

Much emphasis has been placed on implementing CMMC, and for good reason.  It is of great national security importance that sensitive information be kept out of the hands of hostile nation states.  However, maintaining a CMMC program, once put in place, will require continual due diligence.  This will require a coordinated effort by all parties and functions within an organization.

CVG Strategy Information Security Management System Consultants

To assist businesses in meeting the challenges of maintaining a CMMC program, CVG Strategy has developed an approach that combines the requirements of Cybersecurity Maturity Model Certification compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in an ISMS and make it meet desired objectives.  This process includes defining the context of your organization, creating internal auditing processes, and much more.