The ABCs of CMMC: 10 Top Tips to Help Companies Get Ready
How can small business owners get CMMC ready in the shortest possible time and for the least cost? CoSolutions’ expert shares 10 top tips.
From IC Insider CoSolutions, Inc.
Cybersecurity Maturity Model Certification (CMMC) is a formalized set of standards that the United States government will use to evaluate the security capabilities of companies in the defense industrial base (DIB) that are seeking federal contracts. It grew out of NIST 800-171 and encompasses practices (sometimes known as “controls”) and processes across five levels. The goal of CMMC is to protect U.S. economic and national security interests by enhancing the cybersecurity protection around controlled unclassified information (CUI) in the DIB sector.
CoSolutions, Inc., a Woman-Owned Small Business (WOSB) and technical services firm based in Sterling, VA, has been an early adopter of CMMC standards. As a trusted mission-essential services provider of highly cleared and credentialed program support to the Department of Defense (DoD) and Intelligence Community (IC), CoSolutions has been leading the way on CMMC readiness in the IC contracting space for three years. Hand-in-hand with CMMC certification being mandated by DoD, preparing for the stringent certification requirements is a critical part of the company’s commitment to always delivering for clients and partners, with zero security risk.
“The central question, especially for small businesses, is how can we become compliant in these upcoming requirements without it costing too much?” said Walt Constantine, founder, president, and co-owner of CoSolutions. Constantine’s additional roles as the company’s facility security officer (FSO) and chief technology officer (CTO) have turned him into a subject matter expert in facility and personnel security, especially as it relates to the federal government’s increasingly complex and stringent security policies and mandates.
“At CoSolutions, we saw immediately that the standards initially outlined in NIST 800-171 would become a barrier to entry for any business seeking to do business with the federal government. We wanted to be ready the first time the government asks us to be CMMC compliant as a condition of contract award. That’s why we’ve been tracking and working on this issue for the past three years, after DoD mandated industry’s compliance with the NIST 800-171 standard,” Constantine said.
Many companies, however, are not ready for CMMC’s upcoming requirements. Some are starting from scratch, while others don’t have a clear sense of how their current security posture measures up to CMMC. Yet CMMC certification will soon become a must-have for companies to win contracts. What can small business leaders do – starting now – to ensure their companies won’t be left behind when CMMC certification becomes mandatory to win contracts?
If your company isn’t CMMC ready, here are Constantine’s 10 top tips to accelerate your progress and springboard your organization to CMMC compliance:
CMMC Tip 1: Set your sights on Level 3 compliance (or “certification”)
Constantine’s top piece of advice is to get started by learning all you can about CMMC and the requirements of each level. Give CMMC the attention it needs. It’s a big step for most companies to start securing all of the elements of their network, their systems, their email, and their endpoints. Get on top of things like document marking, encrypted transmissions, and DNS filtering, and understand how each of them helps to protect sensitive information.
Federal IT service providers will want to set their sights on Level 3. That’s the threshold the government will be looking for in their contract requirements. Companies doing business with DoD and intel agency customers and that are working with CUI will likely be required to be CMMC Level 3 certified in order to win contracts.
“You can’t ignore it. If you do, you won’t be doing government work five years from now,” said Constantine. “As a business owner, you need to meet this head on.”
CMMC Tip 2: Treat CMMC like any other mission-critical project
Appoint a CMMC project leader. Because Constantine is the company’s FSO and CTO, CoSolutions chose him to spearhead the project, in close collaboration with the company’s head of IT.
Put the same project management tools in place as you would for a client project, including a timeline, a portal or repository to keep track of all notes and documents related to your CMMC efforts, and a Gantt chart to keep track of all of the bits and pieces of the process.
“It’s essential to apply the same quality-focused process to achieving CMMC compliance that your company uses for its most important customers. The good news is, your company likely already has an established project management process in place – you just need to make sure you’re using it to guide your CMMC work as well,” Constantine said.
Perform a baseline self-assessment to evaluate your organization’s current state. It’s a smart move at the outset of the project. The Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC website, which offers CMMC assessment guides, is a great place to start.
CMMC Tip 3: Decide whether you want to take a do-it-yourself approach or use an outside vendor to secure your data
Do you have the time, resources, and internal “smarts” to upgrade your corporate security posture yourself, or does it make sense to farm that work out to a managed services vendor that can provide you with a turnkey solution? Is your company equipped to take on the server hardening, network defense, and incident response work required to comply with CMMC? If so, you may feel most comfortable with a DIY approach.
Other small businesses may not want to take on such an intense project themselves. The DIY approach will be time-consuming, and it may cost more in time, effort, and actual dollars than you are prepared to absorb. For CoSolutions, this decision was made based on simplicity, safety, effectiveness, and cost. The company adopted a hybrid approach, doing some work in house and outsourcing other tasks.
One significant area CoSolutions decided to outsource was using a Cloud provider to secure company data. “We assessed the labor and maintenance costs – and the liability – and decided to go to the Cloud,” Constantine said. “Big Cloud providers have already made massive investments and continue to swiftly move ahead in meeting CMMC security standards. It made absolute sense to tap into their expertise to leapfrog us down the compliance path.”
CMMC Tip 4: Take advantage of other security or quality certifications
DoD delayed the start of CMMC audits in late 2020 because of a shortage of third-party certifying organizations due to the pandemic. In the absence of organizations qualified to conduct CMMC audits for DoD, CoSolutions decided to find other ways of substantiating its CMMC readiness.
“We asked, how can we verify our CMMC readiness before DCSA audits commence? Our lightbulb moment was to get ourselves ISO 27001 certified,” Constantine said. “Because we were already ISO 9001 certified, taking that next step to add ISO 27001 certification while at the same time preparing for our ISO 9001 annual audit was only an incremental extra effort. ISO 27001 is a robust cyber and information security framework, and we learned that this certification is a subset of the CMMC standard, equivalent to level 2.”
Earlier this month, the company learned it had passed its ISO 27001 audit and now awaits official certification notification by the ISO.
“Piggyback off the effort you’ve already put into getting your company certified, especially, like us, if you already have an ISO certification,” Constantine said. Similar certification opportunities may exist in your specific industry – you may find a “shortcut” to handling some of your CMMC compliance requirements. CoSolutions engaged its ISO consultant to assist with their pursuit of ISO 27001.
CMMC Tip 5: Cloud-based tools can leapfrog your organization ahead in CMMC compliance
Think about what Cloud services your organization currently uses and investigate whether there are enterprise-wide security tools and solutions you could implement cost-effectively and with relative ease.
Cloud tools can be surprisingly affordable. Cloud vendors often have packages that scale with a company as it grows, creating a predictable cost structure. Relying on Cloud providers when possible also gives companies peace of mind.
“Going it alone always has you looking over your shoulder and can cost a whole lot more than you’d ever imagine. In an industry where you need to predict and manage your internal costs, trusted Cloud services allow you to transfer risk and variable costs to external organizations better structured to handle these issues. You also reduce risk and gain cost predictability,” Constantine said.
As you evaluate Cloud providers (like Microsoft Azure, Google Cloud, or Amazon Web Services), consider related business systems that can go to the Cloud, such as your company’s phone system, accounting software, customer relationship management tools, test beds, and collaboration platforms. Moving these systems into a larger, more tightly locked-down ecosystem removes a significant attack surface from your internal systems.
Because CoSolutions already used Microsoft products, moving to Office 365 made sense. This single move, Constantine said, took care of a large percentage of the CMMC Level 3 requirements.
CMMC Tip 6: Once you’ve secured your data, turn to securing your endpoints
Once you’ve secured the data itself, it’s time to look at the next weakest link in the chain: the devices your employees use to access company data, from human resources data and customer contact details to financial information and code repositories. You have a lot of options here, depending on your company’s unique setup. CoSolutions opted to invest in company-owned tools, including mobile phones, laptops, and cloud-based applications – and established clear policies governing their use.
Now, CoSolutions employees can only access company data using company equipment. In addition, to minimize costs and comply with CMMC at the same time, CoSolutions changed its standard build so that each employee has a single laptop, which plugs into a docking station at home or at work.
As you’re considering endpoint security, don’t forget to look for a way to get company data off a machine remotely, in case of loss or theft. “We have a tool in place so if a laptop or phone goes rogue or disappears, we can turn it into a paperweight at a moment’s notice,” Constantine said.
CMMC Tip 7: Establish good policies up front and educate and train your entire workforce early and often
There are many ways to do this, but it’s essential to work toward embedding a security-first approach in your company’s culture. Every employee – not just the company’s leadership and IT department – must understand why good security hygiene is crucial.
Having solid systems in place is only half the battle. Good policies and employee education are just as important, because many experts consider users the weakest link in the information security chain. Get started with sound, written policies governing computer use, and look into tools that can help you educate your employees about threats like phishing attacks, which remain the most effective attack vector there is.
CMMC Tip 8: Make it easy for employees to follow security protocols
Adding extra steps can create barriers to employee compliance, so make it simple for them to do the right thing. Make sure that your systems support the behavior you want.
For example, CoSolutions streamlined and integrated its Cloud-based environment into a single platform (Microsoft SharePoint), then created robust role-based rules and permissions that ensure employees have access only to the data that is relevant to their jobs.
CMMC Tip 9: Once you think you’re in good shape, conduct another self-assessment to gauge and document your CMMC compliance
Now that you’ve secured your data, buttoned up your endpoints, and established a security-first company culture, it’s time to check your work. Conduct another self-assessment against CMMC’s requirements and document the results. The Office of the Under Secretary of Defense for Acquisition and Sustainment has some CMMC assessment guides available for download, which can be a great progress-reporting tool throughout the process.
Conducting a self-assessment can help you verify that you’re on the right track, detect areas that need shoring up, and prepare your organization for your upcoming CMMC audit.
CMMC Tip 10: Consider using an outside expert to review your assessment and documentation
As an optional step, you can have an outside expert review your completed self-assessment and documentation and provide feedback and recommendations for next steps. An expert can also tell you if you’re headed down the right path or if course-corrections or tweaks to your project plan may be required.
Once you think you’re ready for CMMC, getting an outside expert opinion could be a great way to identify items you may have overlooked – without the high price tag that comes along with using a full-service consultant.
Although CMMC compliance may seem like a daunting prospect, the time to start is now. You might be surprised to learn that some simple changes to your current IT infrastructure or tools might take your company farther along the journey to CMMC compliance than you thought. The bottom line is this: as DoD contractors, protecting and securing the CUI we have been entrusted with is a critically important way to safeguard our nation. By working to meet CMMC requirements, you’re helping to strengthen our nation’s security and resilience in a meaningful and measurable way.
Continue the conversation with Walt Constantine and CoSolutions. Tell us what you think, let us know what’s worked for your company, and share your tips with industry colleagues by sending an email to firstname.lastname@example.org. We hope to share these new tips in a future update.
CoSolutions, Inc. is a highly respected, fast-growing technical services firm providing leading-edge technology solutions and trusted services to federal DoD and Intelligence Community customers. Our customer- and business-focused, responsive, and innovative support helps our customers cost-effectively achieve mission success.
As a trusted mission partner for the federal government, CoSolutions has been preparing for CMMC for the past three years. Our customers choose us for our forward-thinking, innovative approach to their toughest and most important problems.
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more.