10 Top CMMC Assessment Checklist Resources

Intro from Agile IT: This is a guest post from John Verry, CISO and Managing Partner at PivotPoint Security.

Businesses that provide products or services to the US Defense Industrial Base (DIB) need to conform with the FAR (e.g., 52.204-12) and DFARS (e.g., 252.204-7012, 7019, 7020, 7021) requirements.  For those handling Controlled Unclassified Information (CUI), this also necessitates NIST 800-171 (7012, 7019, 7020) or Cybersecurity Maturity Model Certification (CMMC) V2 Level 2 certification.  For those just handling Federal Contract Information (FCI), this necessitates CMMC V2 Level 1 self-attestation.

While CMMC V2 is still pending updates to CFR32, many DIB firms are rightly concerned about the time and effort it will take to get to full compliance, especially at or above CMMC V2 level 2. Another concern is the anticipated scramble to engage assessors and other consultants as tens of thousands of defense contractors pursue CMMC in the months ahead.

What can you do now to prepare for CMMC certification? The perfect place to start is a CMMC assessment checklist, like this one from Pivot Point Security. A comprehensive checklist and related resources will give you a place to start, help you structure a workable plan, and keep you moving forward.

But because different organizations have different cybersecurity postures and varying contract requirements, no one checklist can fully meet everyone’s needs. So, we’ve compiled this list of 10 free CMMC assessment resources that are some of the best out there.

One: Official CMMC OSD Guidance

Stay up to date on the definitive guide to all things CMMC: https://www.acq.osd.mil/doing-business.html

Two: The CMMC Accreditation Body

The marketplace provides a listing of critical resources, including; Licensed Training Providers, Registered Provider Organizations, and Certified Third Party Assessors: https://cmmcab.org/

Three: Microsoft Product Placemat for CMMC

This “interactive view” (an Excel file with macros) from Microsoft provides invaluable guidance for Microsoft customers on how Microsoft cloud products and services—including GCC High—“inherit”/satisfy requirements for CMMC Level 3 practices: https://www.microsoft.com/en-us/download/details.aspx?id=102536

The interactive document even offers customer implementation guidance for each practice that Microsoft cloud offerings cover or support. Use it to augment your CMMC compliance activities with the prescriptive actions you need to take to meet CMMC audit requirements within the scope of shared responsibility for CMMC V2 Level 2 compliance between your business and Microsoft.

Four: NIST SP 800-171A Assessor’ Guide

The perfect complement to your CMMC assessment checklist as you move toward your internal CMMC audit, this NIST guidance for NIST 800-171 assessors will open a window onto what you can expect your CMMC V2 Level 2 external audit to look like, so you can better plan and prepare: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf

Five: DoD Environmental Research Programs templates for DFARS and NIST 800-171

This website for DoD’s SERDP and ESTCP environmental research programs includes a Templates and Checklists page with applicability to CMMC compliance: https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists

You can find basic templates including; a DFARS CUI Cyber Incident Report Form, a Security Audit Plan, a Plan of Action & Milestones (POAM) Template, and an ESTCP Information Technology Policies and Procedures template.

Six: NIST 800-171 System Security Plan Template

This NIST template outlines the requirements for a DFARS 7012 compliant System Security Plan (SSP) as is currently required for DIB orgs that handle controlled unclassified information:

Seven: NIST 800-171 Plan of Action & Milestones (POAM) Template

Similar to the NIST SSP, this NIST template outlines the requirements for a DFARS 7012 compliant Plan of Action & Milestones (POAM) as is currently mandated for DoD contractors that handle controlled unclassified information: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx

Eight: DFARS Clauses

It is important to remember that the goal is NOT to become CMMC or 800-171 compliant – it is to become FAR and DFARS compliant.  The 17 practices in CMMC Level 1 fully address the 15 security requirements in FAR 52.204-21.  The 110 practices in CMMC V2 Level 2 DO NOT fully address the cumulative requirements specified in 7012/7020 or 7012/7021.

Nine: BYU CMMC Assessment Calculator Tool

Created by the Office of Research Computing at BYU, this Google Sheet is designed to help DIB orgs prepare for CMMC audits: https://rc.byu.edu/cmmctool

No need to create a DIY spreadsheet; start with this convenient calculator. It’s even tunable for CMMC Level.

Ten: DoD CUI Resources

Last but not least on our list is the DoD CUI Program website, with official direction on how to identify and handle controlled unclassified information: https://www.dodcui.mil

The site includes a downloadable DoD CUI registry, DoD CUI classification, protection policies, and a link to DoD CUI training content. There’s also a “desktop aids” page with the latest CUI marking tools. Identifying what CUI you have and how you store, process, and transmit CUI are critical initial steps in every CMMC compliance project, so don’t fail to investigate this content.

What's Next?

Achieving and maintaining FAR and DFAR compliance and your CMMC certification is critical to ensuring you can retain and grow your DoD business. But finding the time and resources to make sure it happens can be a challenge. Whether you’re just getting started with CMMC or think you’re ready for your CMMC audit, our CMMC compliance services can give you the expertise, implementation support, and confidence you need to achieve certification.

We (Pivot Point Security) have been helping SMBs prove they’re secure and compliant for 20 years. As one of the first Registered Provider Organizations (RPOs) for CMMC, we offer a proven approach tunable to your unique budget, timeline, cyber maturity, and staffing requirements.  More importantly, our team has EXTENSIVE experience in the DIB, so we understand its unique language and challenges. Don’t worry; we won’t speak in acronyms! We’d be happy to help you navigate the complexities of these requirements and frameworks. Contact: [email protected]