This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit.
It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems.
Disclaimer: The goal is to help you understand how the CMMC is organized and numbered. I might have some things wrong and the CMMC will definitely change over time. Please comment below to give guidance that is missing here!
I recommend reading through this CMMC glossary of terms and definitions. It is a “who’s who” and “what’s what” for the entire CMMC and DoD cybersecurity infrastructure.
Link to Official CMMC Model page: https://www.acq.osd.mil/cmmc/draft.html
The CMMC Appendixes document has a description of each practice in section B.2. This is an excellent resource because it gives examples of how organizations secure their networks for each security requirement.
What is a cybersecurity control?
Quick definition: In the cybersecurity industry, the word “control” is used to refer to a single security requirement. The CMMC doesn’t mention the word “control”, but I’m sure it will continue to be an industry term for individual security requirements.
The CMMC calls these single security requirements “practices” (short for best practices).
How do I prepare for the CMMC?
1. Gather CMMC documents, templates, and tools
Download the latest version of the CMMC here (download the appendix!)
2. Identify the scope of your evaluation
So far, CMMC sounds like it will measure scope very similarly to how NIST SP 800-171 is performed, except for a wider range of sensitive information.
Every defense contractor with a contract will have Federal Contract Information (FCI) at least. This term is used in CMMC Level 1 and 2 and seems to define the information it is trying to protect. So any organizational system that processes, stores, or can reach FCI would be in scope for a level 1 or 2 audit.
For example, if your email server has FCI in it because the government has sent you emails, then your scope includes…
- any other server that is on the same network as your email server
- admin workstations that manage the email server
- user workstations that get emails from the email server
- mobile phones that get emails from the email server
- the backup server
- and so forth
For levels 1 and 2, I would expect most small and medium defense contractors to audit their entire network because it is easier to do that than to segment out everyday communications from the government.
Higher levels of CMMC would only apply to systems that contact specific types of data, such as Controlled Unclassified Information (CUI) at level 3+, or (I’m guessing) Unclassified Controlled Nuclear Information (UCNI) at level 5, etc.
As organizations need to certify to higher levels, they should try to reduce the number of systems that are in scope. In other words, don’t let your accounting department use the same network as your Missile R&D team. Then audit your general network at level 2 and audit the Missile R&D network at level 4.
* Caveat: No one knows if the above will be true at this early stage of CMMC, but it makes sense to me. 800-171 works like this, in that organizations can limit their scope to systems that have CUI, so I hope it will also work like this for CMMC.
Are you looking at a single system, a small isolated network, or all the computers that your business uses?
Worst case: it could be your entire business network including all workstations, servers, and cloud accounts. If the scope is calculated the same way as NIST SP 800-171 self-certification, it only applies to workstations and infrastructure that directly interact with Controlled Unclassified Information (CUI). As my allowable cost article mentions, it is possible that companies may be allowed to evaluate a temporary and highly secure network just for bidding on RFPs.
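The scoping rule of thumb above (the systems that hold the protected information, anything that talks to them, and anything on the same network segment) can be worked through on a small inventory. The following is an added example, not code from the original post; the asset names, network segments and links are constructed sample data, and the rule it applies is the post's informal one, not an official CMMC scoping method.

```python
"""Added example (not code from the original post): a toy scoping calculation
that applies the post's rule of thumb (systems that hold FCI/CUI, anything
that talks to them, and anything on the same network segment). The inventory,
segments and links are constructed sample data."""
from collections import defaultdict

# Constructed inventory: asset name -> network segment it sits on.
ASSETS = {
    "email-server":  "office-lan",
    "file-server":   "office-lan",
    "admin-ws-01":   "office-lan",   # admin workstation that manages the mail server
    "user-ws-02":    "office-lan",
    "phone-cfo":     "office-lan",   # mobile client pulling mail
    "backup-server": "office-lan",
    "accounting-ws": "office-lan",
    "rnd-ws-01":     "rnd-lan",      # separate segment, no link to the office systems
}

# Constructed data/control flows that cross segments regardless of where the
# endpoints sit: admin access, mailbox sync, backups.
LINKS = [
    ("admin-ws-01", "email-server"),
    ("user-ws-02", "email-server"),
    ("phone-cfo", "email-server"),
    ("backup-server", "email-server"),
    ("backup-server", "file-server"),
]


def in_scope(seeds, assets, links, same_segment_counts=True):
    """Return every asset reachable from the seed systems that hold the data
    being protected. Reachability follows the explicit links and, when
    same_segment_counts is True, shared network segments (the post's
    'any other server on the same network as your email server' rule)."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    if same_segment_counts:
        by_segment = defaultdict(set)
        for asset, segment in assets.items():
            by_segment[segment].add(asset)
        for members in by_segment.values():
            for member in members:
                adj[member] |= members - {member}
    scope, frontier = set(seeds), list(seeds)
    while frontier:                      # plain graph walk from the seeds
        current = frontier.pop()
        for neighbour in adj[current]:
            if neighbour not in scope:
                scope.add(neighbour)
                frontier.append(neighbour)
    return scope


def segmented(assets, moves):
    """Return a copy of the inventory with some assets moved to other segments,
    to show how segmentation shrinks the audit boundary."""
    return {**assets, **moves}


if __name__ == "__main__":
    # Level 1/2 view: FCI arrives by email, so the mail server is the seed.
    print("FCI scope:", sorted(in_scope({"email-server"}, ASSETS, LINKS)))
    # Higher-level view: only the R&D workstation holds CUI.
    print("CUI scope:", sorted(in_scope({"rnd-ws-01"}, ASSETS, LINKS)))
    # Move accounting onto its own segment and the FCI scope loses it.
    finance = segmented(ASSETS, {"accounting-ws": "finance-lan"})
    print("FCI scope after segmenting:", sorted(in_scope({"email-server"}, finance, LINKS)))
```

Running it shows the two effects the post describes: with everything on one flat office segment, a single FCI mailbox pulls every office system into the level 1/2 scope, while the R&D workstation on its own segment is the only system in the higher-level scope; moving the accounting workstation to its own segment drops it out of the FCI scope entirely.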
3. Review each CMMC capability against your environment
The low cost method is to print out the CMMC requirements and start on the first domain, first capability.
If you want to outsource this to an expert or get guidance on how to comply with specific items, there are plenty of cybersecurity consultants available.
You might use Excel or another spreadsheet program to record your thoughts and status on each capability. If you are willing to spend money, some vendors offer programs which will guide you through each question and output a nice report.
Industry standard practice is to create a System Security Plan for each organization’s network. A government-recommended template which includes most of the CMMC practices (but not all) can be found on NIST’s Special Publication 800-171 page.
Note: Not all practice IDs will be used. For each domain, the practice IDs increment through Level 1, then Level 2, Level 3, etc. If you are certifying to level 3, you won’t need the practice IDs for level 4 and 5.
Pick an appropriate level of security (see start here first if you don’t know). You need to meet all requirements up to your chosen level. If you choose level 3, you need to meet level 1 and 2 as well.
Depending on your style, you might run through all the capabilities without stopping, marking Implemented, Not Implemented, N/A, or Uncertain. Or you might stop and implement each best practice before moving on.
Starting from level 1 then going up each level, ask whether your network / company / organization is doing the best practice. If yes, make a note on your spreadsheet of some proof (such as a policy name and page number). You can use N/A if your network doesn’t have anything that the capability would apply to. For example, if you don’t allow any remote access, those best practices would be N/A.
CMMC Plan of Action & Milestones (POA&M)
If unsure or your company isn’t doing a practice, make a plan (including timelines) for how you will meet the best practice. This is called a “Plan of Action & Milestones” (POA&M).
If it is impossible to meet a best practice, don’t beat yourself up (for now). Just write a POA&M for that item which includes a description of your current status, a list of steps you will take to resolve it, and an estimated timeline for each step.
Gathering evidence for the CMMC
For each “implemented” capability, take a note of where to find evidence that it is working. For example, you might put a link to your policy document for a capability. Or take a screenshot of your current firewall rules. If you’ve marked a capability as “N/A”, write a brief description of why it doesn’t apply to your environment. This evidence will be very important during the 3rd-party audit process.
You need to evaluate each CMMC capability across your entire scope
Let’s use Audit and Accountability “Review and manage audit logs” (C010) as an example.
This capability states “Review and manage audit logs”. For level 2, it states “Review audit logs.”
To implement this, most companies would
- Enable logging
- Write a procedure and/or train admin staff how to access the audit logs
- Using policy, schedule regular audit log reviews.
That sounds simple right? Except you need to repeat this for each device and system in your scope:
- Windows Domain Controller 1
- Windows Domain Controller 2
- File Server
- Each desktop and laptop
- Office 365 Email
- Office 365 Sharepoint
- Windows Database Server
- The Quickbooks application installed on the database server
- Windows Utility server
- The antivirus program installed on the utility server
- The backup program installed on the utility server
- and on and on…
Enabling logging across all your workstations, servers, network devices, and cloud accounts is going to take some work. Then you need to review those logs. Even a small network will generate thousands of pages of audit logs per day. At this point, most companies realize they need to implement an Intrusion Protection System (IPS) and Log Aggregation server to automatically filter logs and provide reports.
Moral of the story: The complexity of your environment greatly affects the level of effort involved. It can be tempting to use one system as a proxy for all the systems. But if you are doing this correctly, you will assess your control against your entire environment.
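To make the "across your entire scope" point concrete, here is an added example (not code from the original post) of the kind of check a log aggregation review would run: it parses log lines forwarded from the in-scope systems, reports in-scope hosts that sent nothing (logging not enabled or not forwarded, which is an evidence gap for this practice), hosts that sent logs but are missing from the scope list, and a couple of findings a reviewer would record. The hostnames, the line format, the event IDs used as sample data and the thresholds are all constructed for illustration.

```python
"""Added example (not code from the original post): a minimal log-aggregation
review for the "Review audit logs" practice that checks the whole in-scope
inventory, not a single proxy system. Hostnames, the log line format, the
events and the review thresholds are constructed for illustration."""
import json
import re
from collections import Counter

# Constructed in-scope inventory, modelled on the post's list.
IN_SCOPE = ["dc1", "dc2", "fileserver", "dbserver", "utilserver", "ws-alice", "ws-bob"]

# Constructed forwarded log lines: "<timestamp> <host> <event id> <message> [Account=<name>]".
SAMPLE_LOGS = """\
2020-03-02T08:01:12Z dc1 4624 An account was successfully logged on. Account=alice
2020-03-02T08:02:40Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:02:41Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:02:42Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:02:43Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:02:44Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:02:45Z dc1 4625 An account failed to log on. Account=svc-backup
2020-03-02T08:10:03Z fileserver 4663 An attempt was made to access an object. Account=bob
2020-03-02T08:15:30Z dc2 1102 The audit log was cleared. Account=admin
2020-03-02T09:00:00Z ws-alice 4624 An account was successfully logged on. Account=alice
2020-03-02T09:05:00Z printer-01 6005 The event log service was started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\d+) (?P<msg>.*?)(?: Account=(?P<account>\S+))?$"
)

FAILED_LOGON_EVENT = 4625          # Windows 'an account failed to log on'
FAILED_LOGON_THRESHOLD = 5         # constructed review rule: flag 5+ failures per account
ALWAYS_REVIEW = {1102: "audit log cleared"}  # events a reviewer must always look at


def parse(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append({
                "ts": match.group("ts"),
                "host": match.group("host"),
                "event": int(match.group("event")),
                "account": match.group("account") or "-",
            })
    return events


def review(inventory, text, threshold=FAILED_LOGON_THRESHOLD):
    """Produce the findings a scheduled log review would record as evidence."""
    events = parse(text)
    per_host = Counter(e["host"] for e in events)
    failed = Counter(e["account"] for e in events if e["event"] == FAILED_LOGON_EVENT)
    return {
        # coverage gap: in-scope systems that forwarded nothing (logging not enabled?)
        "silent_hosts": [h for h in inventory if per_host[h] == 0],
        # inventory drift: systems sending logs that are not on the scope list
        "unknown_hosts": sorted(set(per_host) - set(inventory)),
        "events_per_host": dict(per_host),
        "failed_logon_bursts": {acct: n for acct, n in failed.items() if n >= threshold},
        "always_review": [(e["host"], ALWAYS_REVIEW[e["event"]]) for e in events
                          if e["event"] in ALWAYS_REVIEW],
    }


if __name__ == "__main__":
    print(json.dumps(review(IN_SCOPE, SAMPLE_LOGS), indent=2))
```

The "silent_hosts" list is the part that matters for the assessment: if the database server, the utility server and one workstation never appear in the aggregated logs, then the practice is not implemented for those systems, however well it works on the domain controller you used as a proxy. The "unknown_hosts" list catches the opposite problem, a device that is producing logs but was never added to the scope list.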
4. Put together your CMMC assessment package
This is the package you’d send to an auditor. Here are some items it will include:
- Contact information for your Information Security Officer and company.
- Diagrams of your in-scope environment. These diagrams should accurately represent the types of systems in your network, where the borders are, and communication flows in / out / and through your environment.
- Copies of any policies and procedures referenced in your assessment.
- A risk analysis and results from your latest vulnerability scan and penetration testing.
- A summary of the CMMC capabilities and whether your environment meets each security level or not.
- Detailed report of each CMMC capability. Includes text response and evidence (screenshots, location of artifact, etc).
- POA&M for deficient capabilities.
How to read the CMMC Model…
Requirements for the CMMC are divided into 17 domains
- Examples of domains are: Awareness & Training (AT), Configuration Management (CM), Incident Response (IR), and Physical Protection (PP)
Each CMMC domain contains several cybersecurity best practices which are called “capabilities”.
- For example, the Awareness & Training (AT) domain has two capabilities.
- Capability: “Conduct security awareness activities”
- Capability: “Conduct training”
- These capabilities are given a unique identifier based on their order in the document. The naming scheme is C001 – C999.
Each CMMC capability has “practices”, which relate to the level-specific expectation for that capability.
For this exercise, we are looking at C011 “Conduct security awareness activities” in the Awareness and Training domain.
C011 + Level 1
There is no practice for C011 and Level 1 (this cell is blank). In other words, Level 1 businesses do not need to perform security awareness activities in their organization.
C011 + Level 2
C011 + Level 2 (slightly secure network) has a best practice. The practice ID is AT.2.056.
It requires that organizations “Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems”
In other words, Level 2 businesses warn their staff that bad guys exist and where to find policies and procedures for protecting the computer systems.
C011 + Level 3
C011 + Level 3 (secure network with CUI) has a best practice. The practice ID is AT.3.058.
It requires that organizations “Provide security awareness training on recognizing and reporting potential indicators of insider threat.”
In other words, Level 3 businesses warn their employees that internal staff could be security risks too, and how to report concerning behavior.
C011 + Level 4
C011 + Level 4 (secure network with more sensitive CUI) has two best practices. The practice IDs are AT.4.059 and AT.4.060.
AT.4.059 requires that organizations “Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”
AT.4.060 requires that organizations “Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”
A contractor with level 4 data might put their employees through multiple awareness courses each year and give individual feedback to employees in order to prepare them for these advanced threats.
C011 + Level 5
C011 + Level 5 (secure network with extremely sensitive CUI) has no best practice (the cell is blank).
Higher levels inherit all the lower level practices. So a level 3 business needs to both advise their employees about general security risks and give specific training to identify insider threats (level 2 + level 3 requirement). If you are certifying to level 5 and level 5 is blank, you still need to account for level 1, 2, 3, and 4.
CMMC practices reference other standards
Most (or all) practices will reference another control. Examples are “NIST SP 800-171 3.2.1” or “CERT RMM v1.2 OTA:SG1.SP1”. You can see this in AT.2.056.
You don’t have to look up every other control listed in the CMMC. They are supplemental information.
If a company has already complied with a different compliance framework (such as Cyber Security Framework), the references can be used to skip practices that are already good.
It is common for IT staff to read a capability and practice and still not understand it. It can help to check other versions of the best practice for clarification.
Steps to find “NIST SP 800-171 3.2.1” as an example
You can see NIST SP 800-171 in the menu above. If you navigate to that menu item, you will find a link to the current NIST Special Publication 800-171 document. Download the document and search for “3.2.1” inside it. You will find the NIST version of the AT1-Level 2 best practice. When you compare the two, you will see that they have a similar goal.
If you find a good resource, leave a comment. Over time, this website will be a central place we can discuss the CMMC capabilities and share what works.
Please link to this page or share with your colleagues!