How to Get Started with Implementing the Cybersecurity Maturity Model Certification (CMMC)


Since you’re reading this, the odds are good you’ve already decided to work toward CMMC compliance. Good call. But for those still unconvinced, let’s start with an overview of the regulatory framework and why it’s worth undertaking for virtually all companies – not just ones that serve the US Department of Defense (DoD).

Designed to secure the US industrial base and defense programs, CMMC is a unified cybersecurity standard released by the DoD in January 2020 as a requirement for all private-sector businesses that serve the defense industry. The framework draws on requirements and best practices from multiple earlier standards and establishes five certification levels that indicate the maturity and reliability of a company’s cybersecurity infrastructure.

Why Should You Follow a Regulatory Framework in the First Place?

Using a security framework as a checklist helps you remain objective and focused. Following a framework helps IT teams understand their vulnerabilities and prioritize accordingly. Remember that headlines are not strategic advice, and reacting frantically to a sensational breach is not proactive. Over-indexing on the news about marquee hacks can lead companies to allocate resources toward threats that in reality pose them little danger while ignoring more pressing risks. (Read “Why You Need a Modern Regulatory Framework” for more on this.)

Why Choose CMMC and Not Another Framework, like SOC2 or PCI DSS?

It’s not that other audits don’t give you protection – they all serve a particular purpose. But simply put, there’s a higher standard to the design of CMMC; meeting its modern requirements will leave you better protected for a more extended period and well-prepared to comply with other security frameworks.

Other frameworks also dictate a pile of controls that leave more room for subjectivity, whereas CMMC provides visibility and concrete objectives. In addition, it’s more evidence-based and scientific in its design and allows you to use simple terminology to communicate to others what you’re doing next – and why.

Don’t let its DoD pedigree fool you: this isn’t just for companies working in American manufacturing or defense. Any organization looking to toughen its cybersecurity practices can and should strive to meet CMMC.

If you weren’t already convinced that CMMC is the future of IT compliance, I hope you are now. Here’s how to get started.

Evaluate the Present State of Your Cybersecurity

Begin with an assessment of your current security maturity, and be brutally honest here. You’re not being audited yet, so now’s the time to recognize and address any shortcomings. You can get started by using this free questionnaire.

Determine What Certification Level You Intend to Reach

A significant strength of CMMC is its tiered approach to security requirements – it’s not a binary pass/fail audit. There’s no question that a company reaching the upper levels is better defended against advanced cyber-threats and qualified for a broader range of contracts. Set and achieve reasonable milestones, rather than trying (and likely failing) to do all your security modernizations at once.

Reaching Level 1 is a solid target to shoot for initially. It means you’re practicing “basic cyber-hygiene” by limiting information system access to authorized users, verifying their identities, mandating password updates, etc. Once you’ve fully met those requirements, you’ll have a solid foundation for achieving the more advanced tiers if desired. Check out my webinar on how to achieve different levels.

Decide if You Need a Cybersecurity Consultant or Partner

If you’re expecting a sales pitch here, perhaps I can surprise you by saying there is a great deal you can handle yourself. Here’s an easy-to-follow CMMC project tracker & framework mapping spreadsheet that lays out all the controls needed to meet each tier. Go through the 17 domains for reaching Level 1 with your IT team — there’s a chance your team can implement these measures in-house. Much of this stage is ensuring things are correctly configured, and that sound practices are in place.

That being said, an organization’s IT staff will likely reach an inflection point where they need specialized help, especially at the higher tiers of CMMC, which require capabilities like endpoint management and 24/7 threat response. All companies have their core competencies – this is why managed service providers exist.

Choosing the Right Security Technologies and Vendors

This is tricky to answer because it depends on the current state of your cybersecurity, the gaps you have identified and, of course, your individual needs. It’s important to do your due diligence before committing to a new product or provider.

When any vendor tells you they have the solution, proceed with a healthy skepticism — and yes, this includes my company, too! To ensure you’ll receive adequate protection and value for money, you need to put these prospective vendors through an objective framework of evaluation.

Things to remember: there’s no silver bullet or “one-size-fits-all” solution in cybersecurity. If there were, we’d all be using it, and breaches would already be a thing of the past. And security is not a project you can “finish” – it’s an ongoing process, continually tested and refined.

Whether you’re shopping for a managed detection and response (MDR) provider or just seeking some guidance on the journey to CMMC certification, we’re happy to talk. Book a free consultation, and don’t be shy about asking us tough questions.
