A Domain-Focused CMMC Compliance Checklist for DoD Contractors
Since the Cybersecurity Maturity Model Certification (CMMC) rule change became DoD policy, many Department of Defense contractors and manufacturers have had questions as to what they should do and when they should have it done by to prepare for compliance.
The situation is made more complicated by the fact that there are few C3PAOs who can provide certification assessments to DoD contractors, and the DoD is asking for contractors to start working on compliance independently either on their own or with partners like Machado.
So, whether you’re working towards compliance in-house, or engaging a CMMC expert consultant, if you’re a DoD contractor and you’re looking to earn CMMC certification, where do you start? As a step towards helping our clients prepare for compliance, we’ve created a CMMC Compliance Checklist detailed below.
An Overview of CMMC Compliance
There are 5 levels of compliance and 17 domains (or capabilities) that you’ll need to comply with. For now, we’ll focus on the domain basics and address details of the levels in a future post.
The 17 domains you need to be aware of today include:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
It may seem like a lot to cover, but much of this isn’t new. Many of the capabilities you need to demonstrate come from existing Federal Information Processing Standards (FIPS) 200 and NIST SP 800-171.
To make this a bit easier to understand and prepare for, we’ve structured this CMMC compliance checklist into two parts— a definition of the domain, and what you can begin to do to comply to it.
Before You Start
Before you begin, it will be helpful for you to have a few basic documents in place.
System Security Plan (SSP)
Your documented SSP helps to define your CUI environment. It includes how your data flows through your systems, including how CUI is stored, processed, and transmitted.
Network Diagram
You will need a logical diagram of your network used for CUI and is broken into two parts, high-level and low-level:
- Your high-level diagram shows the “big-picture” concepts of your system
- The low-level is much more detailed (think ports and protocols)
Your network diagram will include ALL of your networking including cloud, remote access, and Third-party services.
System Inventory
You will want to have on hand a comprehensive inventory of all of your systems, services and apps, including:
- Servers
- Workstations
- Network devices
- Mobile devices
- Databases
- Third-party service providers
- Cloud instances
- Major applications (including what servers and databases they depend on)
It’s important to note that this CMMC compliance checklist is NOT a comprehensive roadmap to CMMC certification. Each company has unique systems and requirements, and each level (generally) has a different set of requirements to achieve certification. You should work with your internal team and/or a CMMC consultant with deep cyber security expertise to establish your specific compliance roadmap.
CMMC Compliance Checklist
1. Access Control
Definition: Access Control means setting up access to your systems based on roles, defining who has access privileges to internal systems, and how, when and where they have access.
To begin Access Control CMMC compliance:
- Define and identify who accesses your systems
- Leverage rules/lists to authorize data usage and access
- Control/manage access to connections outside of your systems
2. Asset Management
Definition: Assessment Management is your company’s ability to inventory, track, and classify all of your hardware, technology, software and services that deals with CUI (Controlled Unclassified Information). It also factors in the backup, protection, and destruction of this data when required.
To begin Asset Management CMMC compliance:
- Leverage tools to map your existing assets
- Maintain hardware and software inventories
- Establish and document your practices and procedures for handling of CUI data
3. Audit and Accountability
Definition: Audit and Accountability is the ability to track actions back to individual users so they can be held responsible for actions. You need to be able to provide an audit trail and records that contain the relevant tracking information for users/actions.
To begin Audit and Accountability CMMC compliance:
- Establish a process
- Confirm your ability to track user IDs, time stamps, and source/destination addresses,
- Confirm your ability to log access to assets/CUI previously noted
4. Awareness and Training
Definition: Awareness and Training means establishing cyber security awareness training for all members of your staff.
To begin Awareness and Training CMMC compliance:
- Ensure that all users of systems at every level are educated on cyber security risks, policies, procedures, and standards related to their work and CUI.
- Pro tip: Establish a regular cadence of training for staff and employees
5. Configuration Management
Definition: Configuration Management is defined first as establishing what devices are within your organization, and who “owns” them. Secondly, Configuration Management establishes your baseline configurations for building, deploying, maintaining, and reviewing changes for new system components. And yes, this does include any BYOD or WFH devices.
To begin Configuration Management CMMC compliance:
- Identify systems storing or communicating CUI
- Identify all endpoints and endpoint configurations and settings
6. Identification and Authentication
Definition: Identification and Authentication is simply making sure that those within your organization at different levels and roles have the appropriate access assigned to them. It is also being able to prove that this level of access and identification is in place for auditing and reporting.
To begin Identification and Authentication CMMC compliance:
- Have systems in place to uniquely identify users, processes they are running, and devices on the system
- Establish and enforce minimum password complexity, and make sure that password reuse is prohibited
- Make sure that all passwords are cryptographically protected when stored and when sent electronically
7. Incident Response
Definition: Incident Response is establishing the operational capacity for your company to handle an incident that could impact CUI. This generally includes:
- Preparation
- User response
- Detection
- Analysis
- Containment
- Recovery
To begin Incident Response CMMC compliance:
- Make sure that you have the capabilities in place to handle an incident as it unfolds.
- For some companies, this includes employing a certified cyber security expert on staff. As this can be costly for some DoD contractors, many small- to mid-size firms elect to partner with a firm that provides scalable coverage.
- Once capabilities are in place, you will need to prove that you have established business processes and an incident response plan in place.
- Establish an incident response training program with appropriate level of detail for each user role
8. Maintenance
Definition: Maintenance is exactly as it sounds— performing regular maintenance on the systems within your system. This includes hardware, software or apps, and firmware.
To begin Maintenance CMMC compliance:
- Establish and track a regular maintenance schedule for preventative maintenance
- Establish and track unexpected maintenance like repairs, updates, and improvements
9. Media Protection
Definition: Media Protection means having policies, systems and documentation in place to manage, sanitize and destroy (if necessary) media containing FCI (Federal Contract Information) before discarding or reusing. This includes all media, digital and physical, like:
- Physical documents
- Disks
- Tapes
- USB drives
- CDs and DVDs
- Anything with a hard-drive
To begin Media Protection CMMC compliance:
- Identify, mark, and track all media that might contain relevant sensitive information
- Continue to do this with any further media your company uses
10. Personnel Security
Definition: Personnel Security is ensuring that any employee who has access to CUI is properly screened for their appropriate organizational role and level of information access before they have access to the data. This can include credit checks and background screening during the hiring process.
To begin Personnel Security CMMC compliance:
- Ensure all current employees have had the proper screenings
- Establish standard hiring and onboarding checklists to follow when hiring
11. Physical Protection
Definition: Physical Protection means only allowing required and authorized individuals physical access to your systems, hardware, equipment, technical and non-technical assets, and buildings/environments.
To begin Physical Protection CMMC compliance:
- Ensure that you keep an updated list of employees and contractors who have access and/or have credentials
- Determine if all relevant areas of your business are designated “sensitive,” are restricted, and have security protections (locks, cameras, card readers, etc)
12. Recovery
Definition: Recovery is simply defined as establishing, performing, storing, logging, and testing backups.
To begin Recovery CMMC compliance:
- Test that backups are functioning and appropriately secure on a regular basis
- It’s recommended to set up an automated system on a schedule that is appropriate for your organization and your CMMC level requirements.
13. Risk Management
Definition: Risk Management means having organizational systems and processes in place to assess risk to operations, assets, or individuals that deal with CUI. Risk is defined as anything that can negatively impact your business’ success, mission, brand or reputation, staff and employees, other organizations, or the nation.
To begin CMMC Risk Management compliance:
- Implement a regularly scheduled simple vulnerability scan— this can often inform the depth and breadth of your risk management plan.
14. Security Assessment
Definition: Security Assessment is determining if the security controls, safeguards, and countermeasures you have in place work as expected. Cyber security tools like vulnerability scanning and system monitoring can help make conducting a security assessment easier.
To begin Security Assessment CMMC compliance:
- Regularly admit your security measures and ensure they’re working properly
- You should understand that you can’t just set up your security controls and let them run— new attacks occur every day, backups fail, and employees exit.
- Establish a practice of frequently assessing your current security controls and adding any necessary extended protection
15. Situational Awareness
Definition: Situational Awareness means knowing that new cyber threats pop up daily, monitoring your systems for threats, and communicating and acting on cyber threat intelligence reports quickly.
To begin Situational Awareness CMMC compliance:
- Set up a SIEM (Security Information and Event Management) tool to monitor your system for cyber threats
16. System and Communications Protection
Definition: Systems and Communications Protection is defined as monitoring, controlling and protecting your company’s communications (any information sent or received in your systems). Both key internal and all external boundaries of your systems must be included.
To begin Systems and Communications Protection CMMC compliance:
- Ensure that internal and external boundaries are defined, and that communications are monitored, controlled and protected at those boundaries.
- The requirements around compliance here are robust—particularly with companies that are leveraging cloud-based tools, and compliance can become complicated.
- Often, working with an expert consultant to define your needs, implement tools and technology, and protect your assets is required.
17. System and Information Integrity
Definition: Systems and Information Integrity is ensuring that system problems, weaknesses, software and firmware vulnerability, information, and updates are properly and promptly communicated and acted upon. This might include:
- Preventing access to malicious software or content
- Identifying system vulnerabilities
- Email protection
To begin Systems and Information Integrity CMMC compliance:
- Confirm that you regularly monitor vendor sites for patches, service packs, ideally on a weekly basis.
- Prioritize flaws based on severity, and establish a cadence for updating user equipment and system equipment (like servers).
We Can Help Ensure Your Company is Secure & Compliant
For many DoD contractors, some of these domains and systems are common sense and already in place. For others, it might seem that this is a large, unwieldy task.
However, it doesn’t need to be. Our team has been helping DoD contractors develop their security and IT roadmaps and protect their assets for more than 20 years.
Once you’ve reviewed this CMMC compliance checklist, consider joining us for a quick 20-minute conversation to determine how much work is ahead of you and your team to achieve CMMC compliance.
