You thought your IT checked off all of the requirements for the Cybersecurity Maturity Model Certification (CMMC). But after an audit was performed by a CMMC Third-Party Assessment Organization, you were told that your score wasn’t high enough. Now you’re wondering what that means for your business and your future DoD contracts. The good news: you still have options for reapplying. Here’s what I recommend for CMMC remediation following a failed audit.
Make Sure You Have a System Security Plan
Before you worry about anything else, your first step with CMMC remediation should be to develop a System Security Plan, or SSP. Its purpose is to outline what the roles and responsibilities are for any employees who handle your data. It also explains how security requirements are implemented, and how those requirements affect other systems. It details how your IT network will protect sensitive data, like Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
Why is this important? Auditors will rely on your SSP to understand how your infrastructure is designed to satisfy the requirements of NIST SP 800-171, the standard the CMMC framework is built on.
A Note About CMMC Levels
Not only will your SSP be unique to your organization, it will also reflect which level of CMMC compliance you need. Requirements have changed under CMMC 2.0, so it’s vital that your team takes the time now to become familiar with these updates. If you’ve already failed an audit, it means that you were at least attempting to reach Level 2.
While a full explanation can be found on the DoD’s website, the basic breakdown for CMMC 2.0 is:
Level 1, which has 15 requirements (formerly security controls) and an annual self-assessment.
Level 2, which has 110 requirements from NIST SP 800-171, and a triennial third-party assessment (from a C3PAO).
Level 3, which has 110+ requirements from NIST SP 800-171 and -172, as well as a triennial government-led assessment.
Establish Plans of Action and Milestones
You may already be familiar with Plans of Action and Milestones (POA&Ms) if you used them following a CMMC mock audit, where they outlined how you intended to rectify the shortfalls found in your gap analysis. If you’re developing POA&Ms after a failed C3PAO audit, they serve the same purpose: they explain to the DoD how you’ll address the requirements that you missed.
Most importantly, they will explain when you intend to have these changes completed. Some audit findings will only give you a window of 30 days, so it’s important that you plan accordingly.
Evaluate Your Cybersecurity Infrastructure
If an audit demonstrates that you’re missing key pieces of hardware or software, your POA&M should reflect how you intend to obtain them. I highly recommend that you prioritize these items during your CMMC remediation because, even if you have the budget for making these changes, time is often the biggest hurdle in getting them established. This isn’t just about factoring in the time needed for implementation; it’s also about how long it takes to verify that your new hardware or software is working as intended, and to make any adjustments that are necessary once it goes live.
Evaluate Your Cybersecurity Training
It’s not enough that your hardware and software meet security standards. You also need to make sure that you have the training modules in place to educate your staff on the best practices for avoiding data exposure. This includes understanding the core concepts of cybersecurity and how to apply them in specific roles at your organization. It’s also about teaching staff what they need to do if they believe your data has been compromised.
Do You Need CMMC Remediation Services?
As a Registered Provider (RP), I can consult with your IT and walk them through the steps above to make sure that your remediation plan is smooth, accurate, and effective at addressing the gaps that were identified in your CMMC audit. I can then help you understand the timeline involved to implement those changes, and what that will mean for a new audit. Contact me today to get back on the path to compliance.