This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC 2.0 Level 1 certification WITHOUT the need to hire a consultant.
Why is a cybersecurity compliance organization instructing you on how to achieve CMMC 2.0 Level 1 compliance on your own? We know how difficult it is to be a government contractor since we are DoD contractors ourselves. “Sharing is Caring” is one of our core values. We make every effort to be transparent on how to successfully get any security compliance required to meet contract commitments and CMMC is no exception. The truth is, even with this knowledge provided, not everyone will be able to pull this off and will want assistance from a firm like ours at some point.
Disclaimer: These are general suggestions and will require some work to modify for specific use cases. Please follow at your own risk.
If you have implementation questions or need help understanding any part of this DIY, please send us your questions here: I HAVE A QUESTION
The following is required before you begin:
Having a basic level of IT knowledge is critical to implement the controls successfully.
The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory. This will help identify how sensitive data will be handled through the organizations network. Ideally you want to to show the who, the device(s), the location, and where will it be at rest.
Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here
Do you have current or upcoming contracts that require CMMC compliance? If so, identify how data will flow between your organization and the customer.
Define what FCI & CUI is for your specific business case. Need help with this? Check out this article here
Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here
Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.
Additional Resources:
CMMC Level 1 is the entry point to the 3 level ecosystem. Level 1 is considered to be Basic Cyber Hygiene practices that enable safeguards for Federal Contract Information (FCI) and is made up of 17 controls. The good news for Level 1 is that it has a short list of controls (compared to the other Levels), making it easier to implement for organizations who don’t currently have a security program in place.
The following are the Level 1 Categories:
Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.
These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.
These controls are for managing risks from vulnerablesystem configurations, denial of service, data communication, and information transfer both internally and externally.
Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.
Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.
These control help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.
The total timeline from preparation to compliance for CMMC 2.0 Lever 1 is estimated to be 1 – 6 months. Many factors contribute to this estimate including the time it takes for the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.
The following is the high-level process:
This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Understand the Current Culture, Sales Pipeline, Corporate Structure, and Business Vision.
How To: Create an spreadsheet that includes of the controls listed in this guide. Evaluate each control and list out the solutions that are in place to meet the control. If you don’t have a solution in place or have a partial solution, then mark the control as a GAP. Each GAP should have an ETA and planned solution written down to insure the GAP will be remediated.
Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.
All gaps have been addressed, solutions are operational, and the organization is in compliance capturing evidence proving full compliance.
After 6 months of continued practice period, you can perform a new assessment to ensure the organization is in full compliance of CMMC 2.0 Level 1. Self-assessments are sufficient for CMMC 2.0 Level 1 requirements.
Now what? This is when your security program can begin operating knowing that all of the controls have been met. When a security program is operational, activity will be captured via logs to prove that a real program exists (Just like an accounting ledge).
As you go through your security program operation, make sure to be mindful of the following items:
Capture Updates To Documents – SSP and/or POA&M
Change Control & Maintenance Documentation Notes
Update Network Diagram
Update Data Flow Diagram
Create a Controls Responsibility Matrix Document/Spreadsheet
Review Current Flow Down Contract Requirements
Monitor, Log Capture, Report, and Maintain Program
Reach us Monday through Friday
8am – 6pm