Putting Together a NIST CMMC Compliance Checklist

CMMC enforcement is coming, and it will arrive sooner than many defense contractors expect. One of the first steps toward compliance is to build a CMMC compliance checklist. Note that "NIST CMMC" is a convenient shorthand rather than an official name: CMMC is a Department of Defense program, and its Level 2 requirements are the 110 security requirements of NIST SP 800-171, so a checklist built around that publication is the natural starting point.

Let’s take a look.

When is CMMC Compliance Due?

The new CMMC requirements are expected to start appearing in DoD contracts in 2025. After that, the short answer is: whenever you want to do business with the Department of Defense (DoD), because the requirement is being phased into contracts one solicitation at a time, and you will need the required CMMC level in hand before you can be awarded a contract that carries the clause. Organizations should be well on their way toward CMMC compliance before 2025. This is a new and still-shifting initiative; if you aren’t already working on your compliance, you’re not likely to achieve it in time.

Who Needs CMMC Compliance?

CMMC compliance is required for any company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the course of doing business with the Department of Defense (DoD). That includes subcontractors and suppliers who work for defense prime contractors, not only companies that sell products or services to the DoD directly. The level you need depends on the information you handle: Level 1 for FCI only, Level 2 for CUI, and Level 3 for the most sensitive programs.

What’s the Process for Achieving CMMC Compliance?

There is no “one size fits all” answer to this question, as the process for achieving CMMC compliance will vary depending on the size and scope of your organization and the tier of compliance you’re trying to achieve. However, there are some general steps that all organizations should take:

  1. Assess your current security posture against the requirements for your target level. This will identify the gaps you need to close to meet the CMMC requirements.
  2. Develop a plan for how you will close those gaps. Document your current state in a System Security Plan (SSP) and your remediation plan in a Plan of Action and Milestones (POA&M); NIST SP 800-171 itself requires both documents, and assessors will ask for them.
  3. Implement the plan. This includes putting new security measures in place, collecting the evidence (policies, configurations, logs, training records) that shows they work, and training your employees on how to use them.
  4. Get assessed. Once you’ve met all the requirements, complete the assessment your level calls for: an annual self-assessment for Level 1, a self-assessment or a certification assessment by an authorized Certified Third-Party Assessment Organization (C3PAO) for Level 2, depending on the contract, and a government-led assessment for Level 3.

The CMMC practices include all of the requirements that you need to meet in order to be compliant. They are divided into three levels, each with its own set of requirements; Level 1 covers a subset of basic safeguarding practices, and Level 2 covers the full 110 requirements of NIST SP 800-171. To see the full list of requirements for each level, consult the CMMC Model documentation and assessment guides published by the DoD Chief Information Officer.

The CMMC Compliance Checklist

Your organization’s checklist will vary depending on the level of compliance you need. Here’s an example of what a CMMC checklist could include. It is organized by topic rather than by the model’s official domain names, so it does not map one-to-one onto them; build your real checklist from the requirement list for your target level.

  • Awareness and training. Everyone with access to in-scope systems should receive security awareness training, and staff with security-relevant roles should receive role-specific training. Keep a plan for training new employees and retain training records, since assessors will ask for evidence.
  • Information security policy. You should have a written security policy that covers all aspects of information security, from data classification to incident response. This policy should be reviewed and updated regularly.
  • Asset management. You should have a process in place for managing all your organization’s assets, including information systems, data and equipment. This process should include regular inventory and security audits.
  • Access control. You should have controls in place to limit access to your organization’s assets. This includes physical access controls as well as logical access controls such as user accounts, permissions and least-privilege role assignments, with multi-factor authentication for privileged and remote access.
  • Incident response. You should have a plan in place for responding to security incidents, including how you meet the DFARS 252.204-7012 requirement to report cyber incidents involving covered defense information to the DoD within 72 hours. This plan should be tested regularly to ensure that it is effective.
  • Audit and accountability. You should log security-relevant events on your information systems with enough detail to trace each action to an individual user, protect the logs from tampering or deletion, and review them regularly. This includes auditing changes to sensitive data.
  • Security assessment. You should have a process in place for periodically assessing whether your security controls are implemented and effective, with results recorded in your SSP and unresolved findings tracked in your POA&M. Regular vulnerability scans are required; penetration tests are a useful addition.
  • Configuration management. You should have a process in place for managing the configurations of your information systems. This includes maintaining secure baseline configurations, documenting all changes and ensuring that only authorized changes are made.
  • Media protection. You should have controls in place to protect all removable media, such as USB drives and optical discs. This includes encrypting CUI stored on or transported via these devices, physically securing them when not in use, and sanitizing or destroying them before disposal or reuse.
  • Physical and environmental security. You should have controls in place to secure your organization’s physical premises. This includes measures such as security guards, access control systems and CCTV.
  • Recovery. You should have a plan in place for recovering from a security incident. This plan should include backup and disaster recovery procedures.
  • System and communications protection. You should have controls in place to protect your organization’s information systems and communications. This includes measures such as network boundary protection (firewalls), intrusion detection/prevention systems and encryption of CUI in transit, using FIPS-validated cryptography where the requirements call for it.
  • System and information integrity. You should have controls in place to protect systems and data from flaws and tampering. This includes timely patching of identified vulnerabilities, malicious code protection, monitoring for attacks and indicators of compromise, and integrity checks such as checksums on critical data.
  • Personnel security. You should have controls in place to screen individuals before granting them access to systems containing CUI, and to revoke that access promptly on termination or transfer. Security clearances are not a CMMC requirement, but your screening process should be documented and consistently applied.

Your organization will need to assess and analyze your existing controls first, determine which changes need to be made and then create a plan for carrying them out. Taken all at once this can seem like a tremendous ask, but most organizations already have much of this infrastructure in place; it simply needs to be brought up to the required standard and documented so that it can be assessed.

What If You Don’t Get CMMC Compliance in Time?

If you don’t achieve the required CMMC level in time, you will not be eligible for award of DoD contracts that carry the CMMC clause, and prime contractors will be unable to flow work to you under those contracts. This could have a major impact on your business, so it’s important to start working on compliance now.

The good news is that there are plenty of resources available to help you get compliant. The DoD CIO publishes the CMMC model, scoping guidance and level-specific assessment guides. The Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) is the accreditation body designated by the DoD; it accredits the Certified Third-Party Assessment Organizations (C3PAOs) that conduct Level 2 certification assessments and maintains a public marketplace where you can find them.

How Can You Get Help with CMMC Compliance?

If you need help getting compliant, there are a number of resources available. But the best solution is to work with an MSP.

At Red River, we can help your organization’s CMMC compliance by providing a complete audit and rundown of your current security issues and inefficiencies. From there, we can assess and analyze areas in which you will need to improve to transition to full CMMC compliance and create a full roadmap for your organization’s digital transformation.

Compliance isn’t easy. But the burden doesn’t have to shift to your internal team. Contact us today to find out more about what you need to do to achieve true CMMC compliance.