This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit.
It explains how to read the CMMC draft and how your team or an auditor would check each requirement against your information systems.
Disclaimer: The goal is to help you understand how the CMMC is organized and numbered. I might have some things wrong and the CMMC will definitely change over time. Please comment below to give guidance that is missing here!
Link to Official CMMC draft v0.4 page: https://www.acq.osd.mil/cmmc/draft.html
You can follow along by opening the CMMC draft v0.4 document and navigating to page 13 of 58 (using the page numbers printed inside the document).
What is a cybersecurity control?
Quick definition: In the industry, the word “control” is used to refer to a single security requirement. The CMMC doesn’t mention the word “control”, but I’m sure we will still use it to refer to individual requirements.
How do I prepare for the CMMC?
1. Gather CMMC documents, templates, and tools
2. Identify the scope of your evaluation
Are you looking at a single system, a small isolated network, or all the computers that your business uses?
At this time, I don’t know what the scope should be for CMMC. Worst case: it could be your entire business network including all workstations, servers, and cloud accounts. If the scope is calculated the same way as NIST SP 800-171 self-certification, it only applies to workstations and infrastructure that directly interact with Controlled Unclassified Information (CUI). As my allowable cost article mentions, it is possible that companies may be allowed to evaluate a temporary and highly secure network just for bidding on RFPs.
If you have multiple very different environments, such as a cloud server environment and an on-premises environment, you may choose to split them out. This means you’d need to do two full assessments, and pay for two audits, but you lower your risk of failing everything because of one environment.
3. Review each CMMC capability against your environment
The low cost method is to print out the CMMC requirements (in this case, draft v0.4) and start on the first domain, first capability.
If you want to outsource this to an expert or get guidance on how to comply with specific items, there are plenty of cybersecurity consultants available.
You will use Excel or another spreadsheet program to record your thoughts and status on each capability. Label each row with domain + capability. Example: “AC1”. If you are willing to spend money, some vendors offer programs which will guide you through each question and output a nice report.
Pick an appropriate level of security (see start here first if you don’t know). You need to meet all requirements up to your chosen level. If you choose level 3, you need to meet level 1 and 2 as well.
Depending on your style, you might run through all the capabilities without stopping, marking Implemented, Not Implemented, N/A, or Uncertain. Or you might stop and implement each best practice before moving on.
Starting from level 1 then going up each level, ask whether your network / company / organization is doing the best practice. If yes, make a note on your spreadsheet of some proof (such as a policy name and page number). You can use N/A if your network doesn’t have anything that the capability would apply to. For example, if you don’t allow any remote access, those best practices would be N/A.
CMMC Plan of Action & Milestones (POA&M)
If unsure or your company isn’t doing it, make a note and start planning how you will meet the best practice. This is called a “Plan of Action & Milestones” (POA&M).
If it is impossible to meet a best practice, don’t beat yourself up (for now). Just write a POA&M for that item which includes a description of your current status, a list of steps you will take to resolve it, and an estimated timeline for each step.
Gathering evidence for the CMMC
For each “implemented” capability, take a note of where to find evidence that it is working. For example, you might put a link to your policy document for a capability. Or take a screenshot of your current firewall rules. If you’ve marked a capability as “N/A”, write a brief description of why it doesn’t apply to your environment. This evidence will be very important during the 3rd-party audit process.
You need to evaluate each CMMC capability across your entire scope
Let’s use Audit and Accountability #7 (AA7) as an example.
This capability states “Audit logs are reviewed”. For level 2, it states “Audit logs are reviewed according to an established process.”
To implement this, most companies would:
- Enable logging
- Write a procedure and/or train admin staff how to access the audit logs
- Using policy, schedule regular audit log reviews.
That sounds simple, right? Except you need to repeat this for each device and system in your scope:
- Windows Domain Controller 1
- Windows Domain Controller 2
- File Server
- Each desktop and laptop
- Office 365 Email
- Office 365 Sharepoint
- Windows Database Server
- The Quickbooks application installed on the database server
- Windows Utility server
- The antivirus program installed on the utility server
- The backup program installed on the utility server
- and on and on…
Enabling logging across all your workstations, servers, network devices, and cloud accounts is going to take some work. Then you need to review those logs. Even a small network will generate thousands of pages of audit logs per day. At this point, most companies realize they need to implement an Intrusion Protection System (IPS) and Log Aggregation server to automatically filter logs and provide reports.
Moral of the story: The complexity of your environment greatly affects the level of effort involved. It can be tempting to use one system as a proxy for all the systems. But if you are doing this correctly, you will assess your control against your entire environment.
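The spreadsheet walk-through in step 3 and the “evaluate across your entire scope” point just made can be turned into a small checker. The following is an added example, not code from the original post or from the CMMC program. The four status values are the ones the post suggests recording; the system names, practice text and evidence strings are constructed sample data. It applies the rule from step 3 that a chosen level requires every lower level’s practice to be met as well, treats a missing per-system entry or an N/A with no written justification as a gap, and separately lists “Implemented” entries with no evidence noted, since an auditor will ask for that proof.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The four statuses the post suggests recording in the spreadsheet.
IMPLEMENTED = "Implemented"
NOT_IMPLEMENTED = "Not Implemented"
NA = "N/A"
UNCERTAIN = "Uncertain"


@dataclass
class SystemStatus:
    system: str
    status: str
    evidence: str = ""  # where the proof lives, or the reason the item is N/A


@dataclass
class Capability:
    cap_id: str                # domain + capability number, e.g. "AA7"
    practices: dict[int, str]  # level -> practice text; a missing level has no expectation
    # level -> status recorded for each in-scope system
    systems: dict[int, list[SystemStatus]] = field(default_factory=dict)


def required_levels(cap: Capability, target: int) -> list[int]:
    """Levels that carry a practice at or below the target; lower levels are inherited."""
    return [lvl for lvl in range(1, target + 1) if cap.practices.get(lvl)]


def assess(cap: Capability, scope: list[str], target: int) -> dict:
    """Check one capability against every system in scope for every required level.

    Returns the POA&M worklist (items that block the target level) and a separate list
    of systems marked Implemented without any evidence noted.
    """
    poam: list[tuple[int, str, str]] = []
    evidence_gaps: list[tuple[int, str]] = []
    for lvl in required_levels(cap, target):
        recorded = {s.system: s for s in cap.systems.get(lvl, [])}
        for system in scope:
            entry = recorded.get(system)
            if entry is None:
                poam.append((lvl, system, "no assessment recorded"))
            elif entry.status in (NOT_IMPLEMENTED, UNCERTAIN):
                poam.append((lvl, system, entry.status))
            elif entry.status == NA and not entry.evidence:
                poam.append((lvl, system, "N/A without justification"))
            elif entry.status == IMPLEMENTED and not entry.evidence:
                evidence_gaps.append((lvl, system))
    return {
        "capability": cap.cap_id,
        "target_level": target,
        "met": not poam,
        "poam": poam,
        "evidence_gaps": evidence_gaps,
    }


def build_sample() -> tuple[Capability, list[str]]:
    """Constructed sample: AA7 ("Audit logs are reviewed") over a small, made-up scope."""
    scope = ["DC1", "DC2", "FileServer", "O365-Mail", "Desktop-01"]
    aa7 = Capability(
        cap_id="AA7",
        practices={
            1: "Audit logs are reviewed",
            2: "Audit logs are reviewed according to an established process",
        },
        systems={
            1: [
                SystemStatus("DC1", IMPLEMENTED, "Security event log enabled; screenshot aa7-dc1.png"),
                SystemStatus("DC2", IMPLEMENTED),  # implemented, but nobody noted where the proof is
                SystemStatus("FileServer", IMPLEMENTED, "Audit policy export aa7-fs.txt"),
                SystemStatus("O365-Mail", IMPLEMENTED, "Unified audit log enabled; screenshot aa7-o365.png"),
                SystemStatus("Desktop-01", NA, "Workstation events are forwarded to DC1 and reviewed there"),
            ],
            2: [
                SystemStatus("DC1", IMPLEMENTED, "Log Review Procedure v1, section 2"),
                SystemStatus("DC2", IMPLEMENTED, "Log Review Procedure v1, section 2"),
                SystemStatus("FileServer", NOT_IMPLEMENTED),
                SystemStatus("O365-Mail", UNCERTAIN),
                SystemStatus("Desktop-01", NA),  # N/A claimed with no reason written down
            ],
        },
    )
    return aa7, scope


if __name__ == "__main__":
    cap, scope = build_sample()
    for level in (1, 2, 3):
        result = assess(cap, scope, level)
        print(f"{cap.cap_id} at level {level}: met={result['met']}")
        for item in result["poam"]:
            print("  POA&M:", item)
        for item in result["evidence_gaps"]:
            print("  evidence missing:", item)
```

With the sample data, AA7 is met at level 1 (DC2 only lacks a noted piece of evidence), but not at level 2, where the file server has no review process, the mail tenant is marked Uncertain, and the workstation is marked N/A with no reason given. Asking for level 3 yields the same result, because AA7 has no level 3 practice in the sample and the level 1 and 2 practices still apply.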
4. Put together your CMMC assessment package
This is the package you’d send to an auditor. Here are some items it will include:
- Contact information for your Information Security Officer and company.
- Diagrams of your in-scope environment. These diagrams should accurately represent the types of systems in your network, where the borders are, and communication flows in / out / and through your environment.
- Copies of any policies and procedures referenced in your assessment.
- A summary of the CMMC capabilities and whether your environment meets each security level or not.
- Detailed report of each CMMC capability. Includes text response and evidence (screenshots, location of artifact, etc).
- POA&M for deficient capabilities.
How to read the CMMC Draft v0.4 released August 30, 2019…
Requirements for the CMMC will be divided into 18 domains.
- Examples of domains are: Awareness & Training (AT), Configuration Management (CM), Incident Response (IR), Physical Protection (PP)…
Each CMMC domain contains several cybersecurity best practices which are called “capabilities”.
- For example, the Awareness & Training (AT) domain has four capabilities.
- Capability 1: “The security awareness needs of the organization are identified”
- Capability 2: “Security awareness activities are conducted for the organization”
- and so forth…
- These capabilities are given an identifier that combines the domain and the capability number. While I don’t see any official guidance on how they will be identified, I think it will be similar to Domain + Capability#. In this example, AT1, AT2, AT3, etc.
Each CMMC capability has “practices”, which relate to the level-specific expectation for that capability.
- AT1 + Level 1 (lowest security network) has no expectation. In other words, Level 1 businesses do not need to identify the security awareness needs of their organization.
- AT1 + Level 2 (slightly secure network) requires that “Awareness training requirements are established for managers, system administrators, and users to address the security risks associated with their activities…” In other words, Level 2 businesses provide cybersecurity awareness training to their staff. Perhaps on a yearly basis.
- AT1 + Level 3 (secure network with sensitive data) requires that “Awareness training requirements are updated for managers, systems administrators, and users as appropriate to address the security risks associated with their activities…” In other words, Level 3 businesses offer updated awareness training which addresses the latest cyber risks. Some businesses would do this by providing yearly awareness training and sending monthly security newsletters to staff.
- and so forth…
I’m not entirely sure about this, but it looks like higher levels inherit all the lower level practices. So a level 3 business needs to both establish awareness training and update it (level 2 + level 3 requirement). So if level 5 is blank, you still need to account for level 1, 2, 3, and 4.
CMMC practices reference other standards
Most (or all) practices will reference another control. Examples are “NIST SP 800-171 3.2.1” or “RMM OTA:SG1.SP1”. You can see this in AT1 + Level 2.
You don’t have to look up every other control listed in the CMMC. They are supplemental information.
If a company has already complied with a different compliance framework (such as Cyber Security Framework), the references can be used to skip controls that are already good.
It is common for IT staff to read a capability and practice and still not understand it. It can help to check other versions of the best practice for clarification.
Steps to find “NIST SP 800-171 3.2.1” as an example
You can see NIST SP 800-171 in the menu above. If you navigate to that menu item, you will find a link to the current NIST Special Publication 800-171 document. Download the document and search for “3.2.1” inside it. You will find the NIST version of the AT1-Level 2 best practice. When you compare the two, you will see that they have a similar goal.
If you find a good resource, leave a comment. Over time, this website will be a central place we can discuss the CMMC capabilities and share what works.
Please link to this page or share with your colleagues!