CMMC is here. Here’s how you get started.
Now we know for sure CMMC is not going away. It’s been published in the Federal Register and will become law on December 16th. The time for retrospection and public comment is over. We must all think hard. Do we want to be in the defense industrial space? If not, the choice is easy. If you do, let us offer some constructive thoughts based on our experience helping our customers through the process.
Start by picking a work tracking dashboard. We have used spreadsheets to track NIST 800-171 compliance, but in the end, you will have links to too many things. Spreadsheets make things hard to track, and the data, as it changes, ends up everywhere. There are options.
One: we loved the product but did not like working with Garfield (the sales guy).
Another just hit us too late.
Ultimately, we chose and partnered with Cynomi and couldn’t be happier.
Do your baseline assessment: This seems like common sense, but it is often not handled well. IT staff often think they do everything, but when it comes to understanding the letter of the law, they can be biased. Use a third party, or at least choose someone not associated with internal IT, to walk through the interview questions.
Trusted Internet offers a series of no-cost baseline assessment workshops that can help. Sign up here to be notified of upcoming events.
Author a CUI data flow. This will help you in many ways: policy and procedure creation, financials, and collecting logs along the CUI data flow (as required under NIST 800-171).
Write your policies: If you use a good dashboard, like Cynomi, your policy baselines are written for you as you go through the process. Go back and make sure they are what you want and modify them to suit your organization and risk model. These will become your corporate law.
Decide what to protect and how: Your new baseline assessment should give you a prioritized list of activities that you need to do to become both safe and compliant. Start with the most important. I like to start based on risk. What are the fastest wins that cover the highest risks with the best payoff? These include:
Firewall installation and management (if the environment is not complex)
Email protection (can be added in only a couple of hours)
Adding Multi-Factor Authentication
All other low-cost, high-payoff, easy wins
Now work on the list. If you need to be Level 1, work those controls first. There are 17 required controls for CMMC Level 1. You can find the scoping document here. If you need Level 2, you will find its scoping document on the same page. Level 1 is not hard, and it is where most of your cyber security will be installed. In our experience, moving to Level 2 significantly increases consulting time. Our recommendation? Start with Level 1, then move to Level 2.
For fast Level 1, Trusted Internet is standing by with a full architecture stack that can take you from zero to Level 1 quickly. Outsourcing your cyber security sounds like a massive leap of faith, but it is VERY efficient and significantly more cost effective than trying to build this yourself.
Start documenting procedures: You are working through the list. How does your team operate in this new cyber-safer world? Start documenting, teaching new procedures, and gathering evidence. Be accurate and do not embellish; this can come back to bite you later. Even if the processes are not mature, you will want a good baseline for gap analysis moving forward. We do this in our Cynomi environment. It keeps everything in one place, so you do not need to search for evidence (and neither will the auditors if/when they ask).
Keep moving forward. It is easy to stall. Do not stop. Level 2 is a large uphill effort, but once you are there, you are there. If you do not make it, you will not be able to bid on Level 2 contracts (and my bet is that most will be Level 2 since most contracting officers do not know any better, and primes will flow their requirements down to you).
My recommendation:
When you have a hammer in your hand, every problem looks like a nail. Our opinions are biased.
Hire an outsourced service to help. You may have an MSP (a generalist) today, but you will want a specialist to get there. Hire an MSSP (a specialist) or a cyber security consultant with NIST 800-171 experience. Check them on the CMMC Marketplace. Trusted Internet is one of many Registered Provider Organizations (RPOs) that can help.
Starting at Step 1: Trusted Internet has already helped dozens of organizations get started.
Trusted Internet is a Cyber AB Registered Provider Organization, and we offer a one-day workshop to help get you through your baseline assessment. It goes like this:
You will be issued a 30-day fully functioning demo license on our Cynomi platform.
You will walk through a four-hour working session during which you will complete an initial baseline assessment. (Virtual CISOs will be with you the whole time to help!)
At the end of the session, you will leave with your policy baselines written, a PDF scorecard, and a spreadsheet showing, control by control, where you stand.
And you will have 29 more days on your license to keep going.
After the session, you will be invited to Trusted Internet's CMMC Support Group, which includes four online sessions and a private online forum run under the Chatham House Rule for those who need it.
For more information, contact one of our Virtual CISOs for a 30-minute initial consultation: https://www.trustedinternet.io/contact.