Understanding Cybersecurity Maturity Model Certification (CMMC)
[ZOOM EVENT] Wednesday, June 23, 2021 @ 11AM-12PM ET
CMMC LEVEL 3 PRE-ASSESSMENTS: PART ONE
How Dox can help your company prepare for CMMC
By Ken Michael
Everyone involved with the defense industrial base (DIB) has now heard of the United States Department of Defense (DoD) cybersecurity requirement known as the Cybersecurity Maturity Model Certification (CMMC). This standard will eventually replace NIST 800-171 on DoD requests for information (RFI) and requests for proposals (RFP). There are five security levels within the CMMC and companies wishing to conduct business with the DoD must have a minimum level of security certification whether they are a prime contractor or a subcontractor.
Before spending the money to achieve certification through a certified CMMC third-party assessor organization (C3PAO), it behooves business owners and other leadership to conduct a CMMC Level 3 Pre-assessment first. This pre-assessment can be conducted by a registered provider organization (RPO) such as Dox Electronics. Achieving CMMC through a C3PAO costs thousands of dollars and it’s strictly pass or fail. A pre-assessment can be performed in order to get organizations on the right path toward achieving CMMC requirements before they are tested and vetted by the C3PAO. This means your organization is best prepared to achieve CMMC prior to being formally assessed and potentially wasting thousands of dollars.
Dox’s CMMC Level 3 Pre-Assessments
As a company conducting business with the DoD, you can only bid on contracts that require your level of CMMC or lower. For example, if a contract requires Level 3 certification, then your business must hold a CMMC certification of Level 3 or higher in order to even bid for the contract. To date, most companies are requesting a Level 3 certification though certifications are available through Level 5, which is the highest level of certification available.
Dox provides a security assessment team during the pre-assessment process. That team includes the following:
Certified Physical Security Auditors
CMMC Registered Practitioners
Certified Security Analysts
As an RPO, Dox’s role is to get your company well prepared to undergo the CMMC audit by a C3PAO. Dox does a complete security analysis of your network and systems from an IT standpoint and also examines the physical and administrative aspects of your business security. This allows a complete audit of your business to see where it stands right now in terms of achieving CMMC Level 3. An audit by Dox includes:
Vulnerability scans using industry standard tools and techniques.
On-site inspection of physical and IT security.
Review of existing policy documentation against CMMC requirements.
Systems configuration reviews against CMMC requirements.
Each CMMC Level 3 Pre-Assessment is customized to the needs of your company with à la carte solutions to address any identified holes or shortfalls in your security. This is not a one-size-fits-all process, but is truly a white-glove boutique service to prepare your business for CMMC.
Dox CMMC Deliverables
There are 20 components associated with achieving CMMC. Through the CMMC Level 3 Pre-Assessment with Dox, our deliverables include an examination and determination of readiness for CMMC for all 20 of those components. Companies should expect the pre-assessment service to take several weeks to complete.
Through the CMMC pre-assessment, as a registered CMMC RPO, Dox will perform a gap analysis on the 110 controls of NIST 800-171 plus the 20 additional “practices” and 51 process maturity requirements of CMMC Level 3.
Deliverables will include:
An organized report documenting all findings.
A POA&M spreadsheet listing each issue and how its remediation will help your CMMC readiness.
A list of your currently implemented requirements for your System Security Plan.
The Final CMMC Pre-Assessment Report
The pre-assessment culminates with a complete report regarding what your business has done well in the three audit categories and where it has shortfalls. That report will identify each shortfall as part of a threat matrix. This means that you will know where all of your security holes and gaps are within the IT environment from a technical, physical, and administrative perspective.
Each threat is scored based on the likelihood and impact it would have on your business. For example, a vulnerability found to have a high likelihood of being exploited that would have a drastic impact on business operations would be considered a critical shortfall that should be addressed immediately.
This report will be the instruction manual for your IT and physical security personnel so they know what gaps exist and how to remediate them.
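To make the likelihood-and-impact scoring described above concrete, here is an added illustration of how findings from the three audit categories (technical, physical, administrative) can be scored into a threat matrix and ordered for a POA&M spreadsheet. This is example code written for this page, not Dox’s own tooling: the 1-to-5 rating scale, the severity thresholds, the sample findings and their mapping to NIST SP 800-171 control numbers are all assumptions made for illustration.

```python
"""Illustrative threat-matrix scoring for pre-assessment findings.

Added example, not Dox's own tooling. Likelihood and impact are each rated
1 (low) to 5 (high); the scale, the severity bands and the sample findings
below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

CATEGORIES = {"technical", "physical", "administrative"}

# Assumed severity bands on the likelihood x impact product (maximum 25).
# Checked top-down: the first threshold the score meets wins.
SEVERITY_BANDS = (
    (16, "critical"),   # e.g. likelihood 4-5 combined with impact 4-5
    (10, "high"),
    (5, "medium"),
    (0, "low"),
)


@dataclass
class Finding:
    control: str        # NIST SP 800-171 control number the gap maps to (constructed mapping)
    category: str       # technical, physical or administrative
    description: str
    likelihood: int     # 1..5, how likely the gap is to be exploited
    impact: int         # 1..5, effect on business operations if it is

    def __post_init__(self):
        # Reject ratings outside the assumed scale early, so a typo in a
        # spreadsheet import cannot silently produce a wrong priority.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def severity(self) -> str:
        for threshold, label in SEVERITY_BANDS:
            if self.score >= threshold:
                return label
        return "low"


def prioritize(findings):
    """Order findings for remediation: highest score first; ties go to the
    higher-impact item, then to control number for a stable listing."""
    return sorted(findings, key=lambda f: (-f.score, -f.impact, f.control))


def poam_rows(findings):
    """One tuple per gap, in remediation order, ready for a POA&M spreadsheet."""
    return [
        (rank, f.control, f.category, f.severity, f.score, f.description)
        for rank, f in enumerate(prioritize(findings), start=1)
    ]


def severity_counts(findings):
    """How many gaps fall into each severity band (for the report summary)."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample findings spanning all three audit categories.
SAMPLE_FINDINGS = [
    Finding("3.13.1", "technical", "Unpatched VPN appliance reachable from the internet", 5, 5),
    Finding("3.10.1", "physical", "Server room door propped open during business hours", 4, 3),
    Finding("3.12.4", "administrative", "System Security Plan not updated since 2019", 3, 3),
    Finding("3.1.1", "technical", "Local administrator account shared among workstation users", 4, 4),
    Finding("3.6.1", "administrative", "No documented incident response procedure", 2, 4),
    Finding("3.10.3", "physical", "Visitor log not maintained at reception", 2, 2),
]


if __name__ == "__main__":
    for rank, control, category, severity, score, description in poam_rows(SAMPLE_FINDINGS):
        print(f"{rank}. [{severity:8}] {score:2} {control:7} {category:14} {description}")
    print(severity_counts(SAMPLE_FINDINGS))
```

Running the block lists the two critical items (scores 25 and 16) first, then the high, medium and low ones, which is the order in which the report would tell IT and physical security staff to work. The thresholds are deliberately a named table rather than scattered comparisons so they can be tuned to a client’s risk appetite without touching the scoring logic.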
The Remediation Process
Once your CMMC Level 3 Pre-Assessment is complete, you can follow our recommended remediation steps using your internal IT personnel or you may elect to hire the Dox remediation team which includes the following:
LAN Engineers (e.g. servers and workstations)
WAN Engineers (e.g. firewalls and managed switches)
By engaging with the Dox remediation team, you can ensure that all shortfalls, vulnerabilities, and security holes are addressed within your business.
Don’t wait to begin the Cybersecurity Maturity Model Certification process. Waiting could cost your business DoD contracts and earned income in the long run. The CMMC process is a lengthy one and the DoD is already beginning to require certification for the RFI and RFP process for new and ongoing contracts.
If you’d like more information about the CMMC Level 3 Pre-Assessment by Dox Electronics, contact Dox online today or call us at (585) 473-7766. The call and initial consultation are free and there is no obligation.