If you are a DMG MORI Federal Services supplier who has put off thinking about Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements, consider this newsletter your call to action. The new Department of Defense (DoD) cybersecurity standards are now in place, which means suppliers must become CMMC certified if they want to continue doing business with the DoD and DMG MORI Federal Services.
There is no time to lose — and no shortcuts. The DoD is set to include CMMC requirements in contracts by mid-2025, though implementation will roll out over a longer period. Recently, we provided an overview of CMMC. Here, we offer specific guidance from Jerry Leishman, CEO of CMMC Advisors, on how to move forward using a 90-day plan.
How difficult is this process?
CMMC is based on the NIST standard. Suppliers who have been investing in cybersecurity and currently hold a Supplier Performance Risk System (SPRS) score of 100 should be in good shape. They can either self-attest through an authorized executive or undergo a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify compliance and achieve certification. However, most small and medium organizations have been slow to modernize and fulfill the NIST technical obligations.
What if my company hasn’t gotten started with CMMC?
Time is now a critical factor. This is not an overnight process. DMG MORI Federal Services spent more than a year getting everything in place, but all companies are in different situations. Some may need to make significant investments in processes and cybersecurity.
Where do I go for help?
The DoD and other organizations have resources, but consider hiring a third-party assessor or consultant. “You can read the government regulations, but they just tell you what to do, not how to do it,” said Leishman. “You need somebody who can translate it, educate, and then as an organization they can make informed decisions.”
CMMC Roadmap:
- Educate Leadership
  - Security and compliance are the fabric of future business
- Find a Qualified Guide
  - Attend CMMC webinars and connect with leaders
  - Participate in LinkedIn and industry groups
- Minimize your CUI (Controlled Unclassified Information) Boundary
  - Identify your CUI asset inventory across organizational workflows
  - Minimize CUI risk and attack surface
- Identify Your Gaps
  - Complete a CMMC Level 1 or Level 2 self-assessment
  - Verify your posture with third-party assurance services
- Prioritize Gap Mitigation Based on Risk and Impact – Higher SPRS score
  - Start with fundamentals (documentation, MFA, endpoint protection, backup, incident response, phishing training)
- Mitigate Gaps
  - Leverage free government resources
  - Credible Defense Supply Chain Suppliers (Advisor, MSP, MSSP, ISV)
  - Integrated Solution – CMMC Industry Standard Council (CISC)/CMMC Consortium
- Funding
  - Federal and state grants (IW)
  - Budgeting – plan ahead
- CMMC C3PAO Assessments
  - Partner early with a C3PAO – pre-assessment/audit
- Establish Compliance Program
  - Leverage GRC tools and standard workflows
Quick Assessment – 90 Day Plan:
Build an implementation plan to mitigate all POAMs and achieve “audit ready” status.
- Gather Information – Collect existing documentation such as the SSP, policies, procedures, training manuals, system architecture, etc.
- Map the information to NIST SP 800-171 controls and control objectives. Maintain a worksheet to manage and report the information.
- Interview relevant stakeholders, from sales, design, engineering, quality and shipping through to third-party external vendors, to verify the documentation, processes, and tools used to manage CUI (remember, many may try to hide things).
- Document the FCI and CUI workflows to determine the scope of the CMMC boundary. This includes systems, people, and tools.
- Complete the Supplier Performance Risk System (SPRS) worksheet and calculate your score. Note: be honest, because fraudulent scores are subject to the False Claims Act.
- Identify your control deficiencies and gaps and create a plan of action and milestones (POAM).
- Work with your business, IT, and executive stakeholders to define a roadmap forward.
- Assign high-level funding and resources for the planning and implementation phase.