The U.S. Department of Defense (DOD) developed the Cybersecurity Maturity Model Certification (CMMC) to assess and improve the cybersecurity practices of companies that work with the DOD and handle Controlled Unclassified Information (CUI).
As part of the process of becoming CMMC certified, an organization usually conducts a CMMC gap analysis or assessment. Organizations also conduct assessments in response to changes in goals, industry standards, contractual requirements, or the desired level of security resilience.
This guide explains what a gap analysis is, its significance, and the steps to take to conduct an assessment for your organization.
A CMMC gap analysis is an internal cybersecurity assessment that helps organizations understand what they need to improve in their policies, procedures, practices and technical abilities to meet the certification standards. Since the CMMC and NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” share content, organizations often use NIST SP 800-171 and its compliance checklist to perform a CMMC gap analysis.
Using NIST SP 800-171 to prepare for a CMMC assessment is a great way to start. The NIST publication covers the CMMC Level 1 and Level 2 requirements (Level 3 adds a subset of NIST SP 800-172), it is free, and it requires no special knowledge beyond what an internal computer security team probably already has. In essence, the assessment lets you determine which gaps exist in your current controls and where your cybersecurity posture needs improvement.
The challenge in moving from a gap analysis based on NIST SP 800-171 to CMMC lies not in the content but in the CMMC assessment methodology. CMMC determines compliance differently than the NIST publication. Whereas NIST SP 800-171 asks the question "do you have this control in place?", CMMC looks for a holistic approach based on organizational policy, training, process, consistency and continuity of implementation, and resilience. As organizations aim for higher certification levels, meeting the standard becomes more demanding and CMMC gap analyses become progressively more complex. For example, moving from Level 1 to Level 2 is a significant jump: the organization must implement almost 100 additional controls. As the number of controls grows, organizations may find it difficult to track and analyze them, and to ensure every aspect of each one is covered, without a properly organized system in place.
A CMMC gap analysis covers all your company’s existing and needed CMMC controls, including:
Controls vary depending on the certification level you aim to achieve:
Moving between levels involves a large jump in the number of security controls an organization must implement. For organizations moving to a higher level, cross-checking all of those practices can be a chaotic, disorganized process that requires proper guidance and rigor. Working with a qualified CMMC consulting firm can streamline the process and produce more comprehensive results more quickly.
The cost of a CMMC gap analysis depends on several factors, including:
Like the cost, the duration of a gap analysis varies with the complexity of your systems, your company size, the certification level you want to achieve and the C3PAO you work with. Generally speaking, smaller companies with simple, streamlined systems will take significantly less time than large businesses with complex system landscapes.
The C3PAO’s experience is vital when assessing your cybersecurity systems. When choosing who to work with, look for a C3PAO that prioritizes a systematic process, performance and overall efficiency, as they will help you achieve your CMMC goals efficiently. A C3PAO that is already familiar with your customers, with the cybersecurity risk and threat environment in which your organization operates, and with the technical environment you use (operating systems, applications, cloud environments, etc.) will require the least familiarization before getting to work.
One further consideration is the internal security environment of the C3PAO themselves. Although all C3PAOs must achieve CMMC Level 2 before being eligible to be a C3PAO, that does not mean that the C3PAO is prepared to deal with the cybersecurity environment that your organization exists in:
Why is this important when CMMC is about assessing the handling of CUI? Because a C3PAO who finds a flaw in an organization’s CUI controls may, in the process, have discovered revealing information about your organization’s work in a classified domain. You can reduce this risk by selecting a C3PAO with the appropriate facility security clearance (FCL) and personnel security clearances.
Both CMMC audits and gap analyses serve the same purpose — to evaluate your progress toward CMMC compliance. However, there are some important differences between the two.
A gap analysis aims to identify the gaps in your CMMC compliance status. It is an off-the-record, unpublished assessment conducted by an experienced evaluator to identify gaps the organization can address and to recommend solutions.
Any documentation produced during a gap analysis is intended for your organization only.
A gap analysis can also help your organization track where you are in the process of moving between CMMC levels. For example, if you plan to upgrade to the next level, your assessor can help you identify aspects of your organization needing improvement and highlight areas where you currently perform well.
A CMMC audit is a formal evaluation of an organization’s cybersecurity practices to determine if it complies with the specific CMMC requirements. A certified CMMC auditor who works for an authorized C3PAO performs audits.
An audit report serves as official proof of your CMMC compliance status. At CMMC Level 2, contracts that require third-party certification call for an assessment by a Cyber-AB accredited C3PAO every three years. At Level 3, organizations must additionally undergo an assessment by a government agency.
Before you begin your assessment or analysis, determine which CMMC certification level best matches your organization’s future objectives. For example, if you have a Level 1 certification and intend to handle federal CUI, you’ll want to start incorporating Level 2 controls.
Here’s a quick breakdown of the steps you’ll go through in a CMMC gap analysis:
The scope of the gap analysis depends on the CMMC level you want to achieve. Also think about whether your CUI systems are all “in the cloud”, which would require only a virtual assessment, or involve physical assets such as a computer in your offices, which may require an in-person assessment.
List the CMMC requirements necessary to achieve certification.
Now you’re ready to officially prepare for your gap analysis. Document your current controls, processes, training, and policies. Make sure you include both current and historical records that demonstrate past and ongoing compliance.
An assessor will often ask for a demonstration of a particular control actually being exercised. Decide who will give that demonstration and how, and rehearse it.
Assessments are based on more than observing a system. The people in your cybersecurity implementation are important. Determine who they are, what they can speak to, and how they will speak. Interviewees who volunteer information beyond what the auditor asked may open up new topics for the CMMC auditor to explore.
Compare where you are with where you need to be.
Map out how you’ll address the gaps you identified, and create a realistic timeline for when you’ll achieve the proper certification requirements.
Once you’ve addressed the gaps, you’re ready for the formal assessment at the next CMMC level.
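The "compare where you are with where you need to be" step is where the NIST SP 800-171 checklist view and the CMMC view diverge, so here is an added, illustrative example of that comparison. It is not BTI's tooling and not an official CMMC or NIST artefact. It records, per requirement, whether the control is in place and whether policy, procedure, training and evidence exist, then computes the gap list both ways, the requirements that newly come into scope when moving up a level, and a prioritized plan-of-action skeleton. The inventory is constructed sample data: requirement titles are paraphrased from NIST SP 800-171, and the level column is the mapping assumed for this example.

```python
"""Control-inventory comparison for a CMMC gap analysis.

Added, illustrative example for this guide: not BTI's tooling and not an
official CMMC or NIST artefact. The inventory below is constructed sample
data; requirement titles are paraphrased from NIST SP 800-171 and the level
column is the mapping assumed for this example.
"""
from dataclasses import dataclass, field

# What an assessor wants to see for a practice beyond "the control exists":
# a written policy, a documented procedure, trained staff, and evidence
# (logs, tickets, screenshots) that it is exercised consistently.
CMMC_ASPECTS = ("policy", "procedure", "training", "evidence")


@dataclass
class ControlStatus:
    req_id: str            # NIST SP 800-171 requirement number, e.g. "3.5.3"
    title: str
    level: int             # lowest CMMC level that requires it (assumed mapping)
    implemented: bool      # the technical/operational control is in place
    aspects: dict = field(default_factory=dict)  # aspect name -> satisfied?


def req_key(req_id: str):
    """Sort key so that 3.3.1 sorts before 3.13.11 (numeric, not lexical)."""
    return tuple(int(p) for p in req_id.split("."))


def in_scope(inventory, target_level):
    return [c for c in inventory if c.level <= target_level]


def nist_gap(inventory, target_level):
    """Checklist view: a requirement is a gap only when the control itself
    is not in place."""
    return sorted((c.req_id for c in in_scope(inventory, target_level)
                   if not c.implemented), key=req_key)


def cmmc_gap(inventory, target_level):
    """CMMC view: the control must be in place AND every aspect in
    CMMC_ASPECTS must be documented or demonstrable.
    Returns {req_id: [what is missing]} for each requirement that falls short."""
    gaps = {}
    for c in in_scope(inventory, target_level):
        missing = [] if c.implemented else ["implementation"]
        missing += [a for a in CMMC_ASPECTS if not c.aspects.get(a, False)]
        if missing:
            gaps[c.req_id] = missing
    return gaps


def level_delta(inventory, current_level, target_level):
    """Requirements that newly come into scope when moving up a level."""
    return sorted((c.req_id for c in inventory
                   if current_level < c.level <= target_level), key=req_key)


def readiness(inventory, target_level):
    """(checklist-style fraction, CMMC-style fraction) of in-scope
    requirements with no gap. Both are 1.0 when nothing is in scope."""
    scope = in_scope(inventory, target_level)
    if not scope:
        return (1.0, 1.0)
    n = len(scope)
    nist_ok = n - len(nist_gap(inventory, target_level))
    cmmc_ok = n - len(cmmc_gap(inventory, target_level))
    return (nist_ok / n, cmmc_ok / n)


def poam(gaps):
    """Plan of Action & Milestones skeleton: one row per gap, ordered so that
    unimplemented controls come first, then by how much is still missing."""
    rows = list(gaps.items())
    rows.sort(key=lambda r: (0 if "implementation" in r[1] else 1,
                             -len(r[1]), req_key(r[0])))
    return rows


# Constructed sample inventory (not a real organization's data).
SAMPLE_INVENTORY = [
    ControlStatus("3.1.1", "Limit system access to authorized users, processes and devices", 1, True,
                  {"policy": True, "procedure": True, "training": True, "evidence": True}),
    ControlStatus("3.1.2", "Limit access to permitted transactions and functions", 1, True,
                  {"policy": True, "procedure": False, "training": True, "evidence": True}),
    ControlStatus("3.3.1", "Create and retain system audit logs and records", 2, False),
    ControlStatus("3.5.3", "Use multifactor authentication for privileged and network access", 2, True,
                  {"policy": False, "procedure": False, "training": False, "evidence": True}),
    ControlStatus("3.13.11", "Employ FIPS-validated cryptography to protect CUI", 2, False,
                  {"policy": True}),
]

if __name__ == "__main__":
    for lvl in (1, 2):
        n_ok, c_ok = readiness(SAMPLE_INVENTORY, lvl)
        print(f"Level {lvl}: checklist {n_ok:.0%} ready, CMMC {c_ok:.0%} ready")
    print("New at Level 2:", level_delta(SAMPLE_INVENTORY, 1, 2))
    for req_id, missing in poam(cmmc_gap(SAMPLE_INVENTORY, 2)):
        print(f"  {req_id}: missing {', '.join(missing)}")
```

On the sample data the checklist view reports the organization 60% ready for Level 2, while the CMMC view reports 20%: the MFA control (3.5.3) is technically in place but has no policy, procedure or training behind it, which is exactly the kind of finding a C3PAO will raise. The plan-of-action ordering puts controls that are not implemented at all ahead of those that only lack documentation, since those take the longest to close.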
As a Cyber-AB accredited C3PAO, we at Business Transformation Institute, Inc. (BTI) are dedicated to helping your company navigate the complex landscape of CMMC compliance. We offer both CMMC gap analyses and formal audits, so we can assist you at any stage of the process.
Additionally, our CMMC consulting services help businesses understand their current compliance status and improve their efficiency at the same time. We aim to reduce our clients’ liability so they can enjoy peace of mind knowing they are doing everything possible to protect critical government information. We also offer Cyber-AB CMMC training and certification courses to help businesses increase their cybersecurity while boosting their overall performance.
If you need guidance in evaluating your CMMC compliance level, BTI’s expert team is here to help. Contact us today for more information.