CMMC Assessment Checklist
How can you get the ball rolling internally towards achieving CMMC readiness at your organization? That’s a question we hope to help you answer with our CMMC Assessment Checklist. This high-level outline with links to additional resources will empower your group to take strategic and informed action on CMMC readiness.
We also thought it would be valuable to mention our Pivot Point Security “Proven Process” — an action-based framework that will guide you in a positive direction and simplify your CMMC journey. Use our Proven Process in concert with the resources identified in this CMMC Assessment Checklist to guide your NIST SP 800-171 and CMMC efforts.
CMMC Assessment Checklist
- Perform a CMMC Scoping, Risk Assessment, and Control Maturity Assessment
You’ll need to understand where federal contract information (FCI) and controlled unclassified information (CUI) controls are required and which systems need to be protected. Ideally, you will work with an internal or external resource with government contracting and NIST expertise to ensure that you develop a clear picture of where you are and where you need to go. Identify relevant artifacts (e.g., existing policies, network diagrams) and conduct scoping interviews with a broad cross-section of the organization to understand how FCI and CUI flow to, within, and from your organization. Any systems/applications/locations/personnel/subcontractors that store, process, or transit CUI are in your CUI scope (i.e., CUI relevant). You’ll also need to understand other information security requirements (e.g., DFARS obligations, ITAR), known risks, and the maturity of your CMMC-relevant controls. This step is essential to establishing the scope of your CMMC System Security Plan (SSP).
- Gotcha: Do not begin the process by conducting a Gap Assessment. You will not know which systems/applications/locations/personnel/subcontractors the CMMC controls apply to (and which they don’t apply to).
- Pro Tip: Your current CUI scope is likely not ideal. Where possible, reduce/re-engineer the scope to reduce the time and cost to certification and reduce ongoing operating costs to maintain it.
- Pro Tip #2: If your current contract(s) contain a DFARS 7012 clause—and most DoD contracts do—read it carefully! DFARS 7012 defines DoD-specific cybersecurity obligations that precede CMMC, including compliance with NIST SP 800-171 and cyber incident reporting requirements. Your new/updated contract(s) may also mandate compliance with one or more additional DFARS clauses (DFARS 7019, DFARS 7020 and DFARS 7021) created by the “interim rule” of November 2020, which pave the way for CMMC.
- Develop an initial System Security Plan (SSP)
The SSP is critical to documenting the security controls that are in place for all the systems that are CUI relevant, and it is a requirement for CMMC compliance. The initial SSP should focus on the data flow diagrams, system boundaries, asset lists, stakeholders lists, system interconnections, etc.
- Gotcha: Be sure to meet with your Contracts Officer/Prime/Agencies to understand all of your FAR and DFARS related requirements. You may have requirements that exceed CMMC (e.g., ITAR, RMF).
- Pro Tip: Hold off on documenting the controls until you get through remediation.
- Drive Risk Remediation & Document your Policies
The bulk of preparing for CMMC will be working to remediate risks and close the gaps identified during the Scoping, Risk Assessment, and Control Maturity Assessment phase. Remediation will include developing extensive documentation and implementing supporting technologies (e.g., multi-factor authentication, SIEM, secure email/file sharing, mobile device management) needed to stand up your CUI enclave. You should document policies and maintain a standard operating procedures document that “enables individuals to perform them (CMMC practices/requirements) in a repeatable manner.”
- Gotcha: If you choose to use a cloud service to store CUI, be sure to validate that the service provider (not the cloud location) has a FedRAMP moderate ATO or equivalent. Without one, you will fail your CMMC assessment.
- Pro Tip: When you are documenting policies and processes, be sure to document the types of evidence they will produce, who will be responsible for it, and where it will be stored.
- “Finalize” Your System Security Plan (SSP)
Now that your CUI enclave is up and operationalized, you should be in a position to finalize the SSP.
- Gotcha: The SSP needs to include the full CUI lifecycle, and the data should include the Prime (or Agency) and CUI relevant vendors.
- Pro Tip: The SSP outlines how an organization implements its security requirements. That includes defining the roles and responsibilities of security personnel and detailing the different security standards and guidelines that the organization follows. An SSP should provide high-level diagrams that show how connected systems talk to each other. The SSP should also explain your organization’s “design philosophies” (e.g., defense-in-depth and/or Zero Trust strategies, as well as allowed interfaces and network protocols). All information in the SSP should be high-level. Include enough information in the plan to guide the design implementation of the organization’s systems, and be sure to reference existing policies and procedures.
- Conduct a CMMC Readiness Assessment (CRA)
Ensuring you have what you need for a successful CMMC certification assessment is best done by validating your readiness. Have an appropriately qualified and independent person (or team) conduct your CRA using the same standards for evidence. You may need to implement Plans of Action and Milestones (POAMs) to drive closure on open issues identified during your CRA to ensure your certification assessment is a success.
- Gotcha: You need two different forms of evidence (not instances of the same form) for each CMMC practice.
- Pro Tip: Aspire to a very formal approach to operating your cybersecurity program. You can do this in many ways, including a GRC platform, a help desk ticketing system, or a project management tool. The important thing is that you do it! Long-term success requires a “single source of truth” that spans from the CXO Suite to the IT team to external assessors.
Pivot Point Security: Leading Information Security Assessment and Consulting Firm Since 2001
Since 2001, Pivot Point Security has been helping public sector and commercial organizations understand and effectively manage their information security risk. We work as a logical extension of your team, simplifying the complexities of security and compliance. We are a CMMC Registered Provider Organization (RPO) that has helped thousands of organizations build cybersecurity programs that comply with government and industry regulations. We will make sure that we understand your DFARS obligations and address all things DIB, including DFARS 7012, NIST SP 800-171, SPRS, and CMMC Level 3.
For more information:
- EP#44 – John Verry Guest Appearance with Eric Hess on The Encrypted Economy: Why CMMC Is the Most Significant Standard of All Time
- DFARS: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
- Do You Need a Score in SPRS to be DFARS 7012 Compliant?
- What is the DFARS 7019 Clause?
- What is the DFARS 7020 Clause?
- What is the DFARS 7021 Clause?
- This is Why DoD Suppliers Need to Move Soon to CMMC Readiness
- Here’s What Your CMMC Level 3 Readiness Assessment Will Look Like
- 3 Things Every SMB Needs to Become “Provably Secure and Compliant”