A Gap Assessment provides a clear understanding of where to prioritize your limited cybersecurity resources. You may not be aware that your organization's existing security program, architecture, selected technologies, and third-party solutions may present obstacles to achieving certification. The Gap Assessment identifies these roadblocks so the necessary changes can be made early on, avoiding costly mistakes as you move through the CMMC process.
- Provides an overview of the CMMC process and includes a cost-effective framework to quickly identify the gaps in your organization's cybersecurity program as they relate to NIST SP 800-171 and/or CMMC
- Identifies the selected, or desired, maturity level to ensure the necessary practices and processes are implemented or planned
- Reviews your organization's boundary to ensure adequate separation and data compartmentalization are achievable
- Identifies potential supply chain and third-party risks to your organization
- Prepares your organization for a CMMC Third Party Assessor Organization (C3PAO) assessment
Understanding the requirements needed to safeguard Controlled Unclassified Information (CUI) is critical to developing a robust security program. Findings from the gap assessment will allow your organization to prioritize areas of your cybersecurity program that may lack the required maturity level practices and processes.
- The cybersecurity program should align to the CMMC and 800-171 security domains, capabilities, practices, and processes
- Ensure organizational security policies and procedures are updated and aligned to CMMC and 800-171 requirements
- The program must address threat and risk management areas, including insider threat, third-party risk, and supply chain risk management
- Develop the necessary security documentation and plans
- Implement the required security safeguards, controls, and practices in coordination with the development of required security documentation
Once your organization has built the program that includes the implementation of the domains, capabilities, practices, and processes that align to your selected maturity level, your organization should focus on achieving CMMC certification. The assessment must be conducted by a C3PAO approved by the CMMC Accreditation Body (AB).
- Select a C3PAO that has proven experience in assessing environments and understands other regulatory frameworks
- Ensure the C3PAO provides a detailed project schedule and cost estimate that outlines the scope of the assessment
- Designate a project manager to interface and serve as the liaison for the C3PAO
- Plan for assessment findings and ensure the necessary resources are available to remediate any findings in the required CMMC timelines
Once you have achieved CMMC Certification, your organization must continue to maintain a comprehensive cybersecurity program. Continuous monitoring is a critical part of maintaining the security controls, practices, and processes necessary to safeguard CUI and your organization's sensitive information.
- Develop a set of objectives and desired outcomes for continuous assurance
- Schedule project activities that align to these objectives
- Implement measurement capabilities to ensure ongoing compliance is maintained within the certification boundary
- Assess changes to your environment that could impact your certification status and boundary