For organizations aiming to secure Department of Defense (DoD) contracts, achieving Cybersecurity Maturity Model Certification (CMMC) compliance is a vital requirement. Whether handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this certification demonstrates a commitment to security and compliance, protecting sensitive data while reinforcing competitive positioning. Below, we break down the seven steps to achieve CMMC Level 1 and Level 2 certification, highlighting key challenges.
The 7 Steps for CMMC Certification
Successfully navigating the CMMC certification process requires a structured approach. Here are the seven key steps every organization should follow:

- Determine the CMMC Compliance Level Requirement: Begin by determining which of the three levels of CMMC 2.0 applies to your organization. Levels correspond to the complexity and sensitivity of the data handled, ranging from basic cyber hygiene (Level 1) to advanced protection against persistent threats (Levels 2 and 3). This information should be provided in your contracts. For Level 2, there are two options: a Self-Assessment, where you do not need to hire a C3PAO/auditor to validate the controls but must attest that you have validated them yourself, and an audited assessment, where you are required to hire an accredited auditor called a C3PAO.
  - Pro Tip: For Level 2 (the most popular option), the CMMC compliance score ranges from -203 to 110, where 110 is the maximum and represents a perfect score.
- Scope Your Compliance Boundary: The scope and data flow of the systems that receive, store, and handle sensitive data are crucial to understanding which controls apply and where they apply. You may need to procure additional technologies (such as end-to-end encryption for data in transit) or turn to third-party solutions to ensure a secure enclave is in place.
  - Pro Tip: Minimize the number of users and systems included in your enclave/scope boundary to streamline compliance efforts and reduce training and technology costs.
- Conduct a Gap Analysis: Once the boundary is defined and any additional technologies needed to provide controls have been identified, perform a gap analysis against the future state of the controls (those still to be implemented as well as those already in place) to find the remaining gaps in the operating effectiveness of controls. This process identifies gaps in areas such as access control, physical security, HR controls, data management policies, and incident response, and gives you a clear understanding of what needs improvement before moving forward.
  - Actionable Steps: Use evaluation tools (the NIST 800-171 rev2 framework implementation guidelines) or work with experienced consultants to assess your scores under NIST 800-171.
- Develop a System Security Plan (SSP): An SSP outlines your organization’s approach to meeting the requirements for CMMC certification, and it is a required document. It includes security measures, roles, processes, and system settings. Think of it as the foundation of your compliance documentation.
  - Best Practices:
    - Clearly define system boundaries with detailed network diagrams, data flow diagrams, and detailed asset inventories (hardware, software, applications, etc.).
    - Document the implementation and monitoring of all security controls.
    - Continuously update the SSP to reflect improvements and changes.
- Implement the Necessary Controls: Address the findings from your gap analysis by introducing and enforcing the required security controls. These controls cover areas such as access control, configuration management, logging and monitoring, incident response, user authentication, physical security, media protection, and the other control families.
  - Key Point: Focus on automating processes where possible so that adherence to compliance standards requires minimal manual intervention. Verify that all controls are implemented and documented before the audit so that every piece of evidence and information requested by the auditors will be available.
- Train Your Employees: Employees are integral to cybersecurity efforts. Conduct comprehensive training on CMMC policies, identifying phishing attempts, managing CUI, and adhering to internal cybersecurity protocols. An acceptable CUI use policy and CUI handling training should be documented and provided to every user who will handle CUI.
  - Pro Tip: Offer recurring training sessions to ensure staff remain up to date on any changes to compliance processes or requirements.
- Maintain Compliance: Achieving certification is not the endpoint; maintaining compliance is a continuous process. Regularly monitor your systems, conduct internal and external reviews, and stay informed about updates to DoD regulations and CMMC standards. Although you do not have to go through an audit every year, we recommend conducting one every 3 years to ensure you keep the controls in place year-round for your annual SPRS compliance attestation.
Top 5 Challenges in Achieving CMMC Compliance
While the steps above are straightforward, several common challenges often hinder progress. Here’s how to address them effectively:
- Resource Limitations: For many organizations, the cost and effort of achieving compliance are significant. Use the CMMC scoping and implementation guidelines to perform your self-assessment. Review the supplier responsibility matrices for CSO (cloud security offerings) to determine where you can fully or partially rely on their controls and ensure this is documented in your SSP.
- Understanding Complex Requirements: Navigating the technicalities of CMMC and the NIST 800 standards can be daunting. Remember key requirements such as end-to-end encryption on ANY channel where CUI is transmitted and/or stored (e.g., email, websites/portals, messaging platforms). Also ensure you have logging and monitoring on all activities related to CUI transmission and handling. Information flow control is required, and controls such as monitoring for data leakage are important. Finally, addressing printers and physical access to CUI matters for compliance and must not be underestimated.
- Minimize Your Boundary: Poor boundary scoping often leads to inefficiencies and unnecessary expenditure. Start with a focused approach and a manageable compliance perimeter. Limit the number of endpoints, users, printers, and/or facilities that need to handle, store, and process CUI.
- Robust Documentation: Comprehensive documentation, particularly the SSP and Plan of Action and Milestones (POA&M), demands precision. Investing time to ensure thorough and accurate records can help avoid issues and minimize risks.
- Ongoing Compliance: Cybersecurity threats evolve constantly. Treating compliance as a one-off project rather than an ongoing program leaves organizations vulnerable. Focus on continuous improvement and adaptation.
How Elevate Can Help
We are experts in cybersecurity, NIST, CMMC compliance, and technical architecture. We shorten your time to compliance with documentation accelerators and boundary-scoping processes, and we take the pain out of achieving compliance. Contact us today.