CMMC: From Documentation, To Implementation, To Assessment

Bottom Line Up Front (BLUF): Time is money when it comes to CMMC compliance efforts:

• If you have poorly-crafted documentation, it will cost you more time & money in implementation and assessment.
• If you do not follow a prioritized implementation plan for NIST 800-171 controls, you will likely have to redo work that will cost you both time and money.
• If you pick an assessor without the technical competence to evaluate your specific environment and/or who lacks a reasonable audit background, that could jeopardize your CMMC assessment and contract opportunities.

How To Do NIST 800-171 / CMMC

At ComplianceForge, we are routinely asked for the "easy button" approach to NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC). The reality is that while there is no silver bullet to make NIST 800-171 & CMMC less demanding, there are proven approaches that are efficient and can save you time and money to implement NIST 800-171 controls and generate the evidence necessary to pass a CMMC assessment. ComplianceForge has worked with several third-parties that we trust to refer our clients to for NIST 800-171 & CMMC compliance needs.

From a high-level perspective, your journey to passing a CMMC assessment is a three-part process that builds off the previous part:

1. Documentation. You need quality documentation to provide evidence of due diligence that your NIST 800-171 & CMMC program exists and comprehensively addresses all requirements. This includes policies, standards, procedures, System Security Plan (SSP), Plan of Action & Milestones (POA&M), Supply Chain Risk Management (SCRM) plan, etc.
2. Implementation. While there are Organizations Seeking Assessment (OSA) that have highly-capable internal IT and cybersecurity personnel who can implement all NIST 800-171 controls without outside assistance, most of the Defense Industrial Base (DIB) relies on third-party expertise (e.g., consultants).
3. Assessment. Where the rubber meets the road on NIST 800-171 & CMMC compliance is with a CMMC Third-Party Assessor Organization (C3PAO). Selecting the right assessor requires significant due diligence on your part to ensure that C3PAO’s assessment team has appropriate audit experience and technical competencies to fairly assess your unique scenario.

It All Starts With Documentation For NIST 800-171 & CMMC Compliance

ComplianceForge has quite a few options for NIST 800-171 & CMMC and selecting the right option depends on the focus of your compliance efforts. This primarily comes down to determining if you just need to comply with NIST 800-171 & CMMC or if you have other compliance obligations that you need to address:

• Our most straightforward approach to just NIST 800-171 & CMMC Level 2 compliance is the NIST 800-171 Compliance Program (NCP). This is the most cost-effective and efficient solution we offer and the NCP contains all the policies, standards, procedures, SSP/POA&M, SCRM Plan and other templates that you will need to pass a CMMC assessment.
• If you need to “speak NIST 800-53” for other contracts (e.g., FedRAMP, RMF, FISMA, etc.) then CMMC bundle #2 is a great option to address the moderate baseline of NIST 800-53 R5. Since that is straight NIST 800-53 terminology/taxonomy, that might be overkill for organizations that just need to comply with NIST 800-171 & CMMC. Similar to CMMC bundle #2, we also offer a high baseline version of NIST 800-53 R5 with CMMC bundle #3.
• If you need “the whole enchilada” with robust compliance for complex compliance requirements that go far beyond just NIST 800-171 & CMMC, then CMMC bundle #4 is the best option. This is designed for an enterprise-class environment, especially one that is going to leverage a GRC platform to help manage documentation. The coverage and scalability is unmatched in the industry.

Documentation needs for NIST 800-171 & CMMC expand beyond just policies, standards and procedures. This is where documentation solutions from ComplianceForge can save your organization from hundreds to thousands of hours. You can contact ComplianceForge at 855-205-8437 or [email protected].

Implementing Policies & Standards, Along With Tailoring Procedures & SSP Templates

The Defense Industrial Base (DIB) faces a wide range of competencies from consultants, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSP) who are vying for the OSA's consulting budgets. It is common for quality consultants, MSPs/MSSPs to have a backlog of work where they cannot start working with new clients for at least 3-4 months, so that is something to keep in mind for your timeline considerations.

We work with several quality CMMC practitioners, but we want to highlight How To GRC (HTGRC) due to their expertise with implementing ComplianceForge documentation, specifically the NIST 800-171 Compliance Program (NCP) and Digital Security Program (DSP). HTGRC is a cybersecurity firm focused on designing and implementing cost effective and scalable cybersecurity programs. HTGRC provides CMMC and NIST SP 800-171 readiness assessments, advisory and audit preparation along with continuous compliance management.

David Driggers is the Senior Partner at HTGRC and his team has considerable experience implementing and tailoring ComplianceForge products and the?Secure Controls Framework (SCF). HTGRC can help automate ComplianceForge policies, standards and procedures in a Governance, Risk & Compliance (GRC) solution, where they can provide expert-level implementation and support for both CMMC+ and SCF Connect that can make managing evidence artifacts more efficient. You can contact HTGRC at 907-299-7775 or [email protected].

HowToGRC offers the following NIST 800-171 & CMMC related services:

• CMMC Kill Chain implementation.
• Developing a tailored cybersecurity program for NIST 800-171 & CMMC
• Tailoring & implementation consulting services for ComplianceForge products (e.g., DSP, CDPP, CSOP, etc.).
• Governance, Risk & Compliance (GRC) platform integration.

Note: there are other great CMMC Practitioners that we work with. You can find many listed at: https://www.cmmc-coa.com/cmmc-practitioners.

You Need A Common-Sense C3PAO With Audit Experience & Technical Competence

If you’ve ever been through ISO 27001, SOC 2 or PCI DSS assessments, you know that not all assessors/auditors are the same. That is why it is incredibly important to do your homework to select a C3PAO that has both the technical competencies and auditor experience necessary to provide a fair CMMC assessment.

ComplianceForge has worked with Cybersec Investments on CMMC-related topics for several years and we are very comfortable with recommending clients to them for their C3PAO needs. Cybersec Investments has already performed several assessments through the Department of Defense (DoD)’s Joint Surveillance Voluntary Assessment Program (JSVA), so they are leading the field as a C3PAO.

Fernando Machado, CISSP, CISM, CCA, CCP is the Managing Principal & Chief Information Security Officer for Cybersec Investments. He is a Certified CMMC Assessor (CCA), Certified CMMC Professional (CCP) and was a member of the CMMC Accreditation Body’s Standards Management Industry Working Group (IWG). You can contact Cybersec Investments at 800-960-8802 or [email protected].?