The CMMC Assessment Lifecycle Step 1: Selecting Your Desired CMMC Maturity Level

CMMC Model Refresher

As a reminder, the CMMC Model defines 5 “Maturity Levels” at which an organization’s cybersecurity program can be certified. Maturity Level 1 is the minimum level at which your organization must be certified if your contract includes CMMC requirements (i.e., if it incorporates DFARS 252.204-7021). If your organization has been awarded a Maturity Level 1 certification, you are approved to hold Federal Contract Information (i.e., less sensitive, nonpublic information) but not Controlled Unclassified Information (“CUI”).

Your organization must be certified at or above Maturity Level 3 if you will be creating, receiving, storing, processing, or transmitting Controlled Unclassified Information. To make the requirements a little easier to follow, we will use the phrase “handling CUI” rather than repeating the phrase “creating, receiving, storing, processing, or transmitting”. As a basic reference, DoD’s estimates are that approximately 30% of contractors will handle CUI. That means the vast majority of contractors, or approximately 70%, will not handle CUI and will not need certification above Maturity Level 1.

Required vs. Prudent

Throughout our articles, we will focus on what is required of an organization under certain circumstances. To be clear, it is generally prudent to implement more than “just” the practices required at Maturity Level 1. We are, therefore, not suggesting that your organization only implement what is required, especially if your organization has valuable intellectual property or you are heavily dependent on your IT systems for day-to-day operations. That is an internal business decision based on your organization’s risk tolerance and beyond the scope of these Assessment Lifecycle articles.

Inventory the Information and How it Flows

Although CMMC focuses on information and the way information flows within your organization, many organizations think about their IT environments from a systems perspective, and we recommend starting the information inventory by first inventorying all of the systems in the IT environment. We created a tool, which can be downloaded via the link below, to assist in inventorying both the systems and the information in your environment.

Define the Systems

According to DoD, systems refer to “…the discrete sets of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” Put another way, they are the computers, network equipment, and cloud services involved in supporting different functions in your organization. For example, many organizations have E-mail systems, accounting systems, human resources systems, software development environments, end-user computers, and other systems.

As part of the inventory, we recommend identifying or assigning business owners (i.e., the management-level person who requested the creation of the system) and the administrators (i.e., the technical person responsible for ensuring the system remains operational) who are associated with each system. The owners and administrators become the points of contact for the next step in the process, inventorying the information in the environment.

Existing Government Contractors

We recommend that existing government contractors inventory the types of information they already have in their environment. For those organizations, if they haven’t created or received CUI in the past there is less likelihood that they will create or receive CUI in the near term, unless they are fairly new to government contracting. This means they won’t likely need to be certified above Maturity Level 1 and achieving Maturity Level 1 certification should be their initial focus.

At the same time, organizations that have created or received CUI in the past can be confident that they will likely need to be certified at Maturity Level 3 or above. Since the requirements and assessment process for Maturity Levels 4 and 5 are still being developed, we will focus our discussion, and we recommend most organizations creating or receiving CUI focus their efforts, on Maturity Level 3.

Describe not only what you have, but where it came from and where it goes

One approach to conducting the data inventory is to ask each of the system owners and (separately) the administrators about the information that is stored in each system. Another approach is to use customized tools that automate data identification and classification. Still another approach is to use a hybrid of these previous options. Each approach has its advantages and disadvantages, including costs and resource allocation, and you will have to decide which approach is best for your organization.

Even if you choose to use a tool to automate the data identification, the system owners and administrators will still need to be involved. That is because your organization will want to track not only the information in your systems, but also how it got there (i.e., which systems and organizational units, subcontractors, and/or customers were the source or involved in the receipt) and whether and how the information in the system is subsequently moved back out of the system. The system owners and administrators are typically the best people to answer those questions.

This data flow information is critical for later steps in the Assessment Lifecycle, because all IT equipment that is involved in handling the information, including the systems and the networking equipment that allows them to function, will be “in scope” for the eventual assessment. Without this information, all equipment in the environment will be considered “in scope”. This can significantly increase the cost and complexity of the assessment. In addition, defining the equipment involved up front allows you to ensure that you have properly analyzed all of the relevant equipment in your environment as part of the assessment preparation process. We are aware of many instances where inventories such as these identify unexpected devices and systems on the networks, and it is better to identify and remediate those before the assessment begins.

Newer (and new) Government Contractors

For organizations newer to government contracting, we recommend looking on Beta.SAM.Gov to identify contracts that are similar to those of interest to you. If you can’t tell from the RFP and related document whether CUI is involved, we recommend talking to the corresponding prime contractors, the Contracting Officers, or the Contracting Officer’s Representative to discuss whether CUI is likely to be involved in those contracts. If the contracts involve the handling of CUI, then your organization should plan on being certified at Maturity Level 3.

Describe what you expect to have, where it will come from, and how it will move

Once you know what kinds of information you expect to have in the environment, the next step is to define how it will be received or created, where it will be stored or processed, and how it will be transmitted. The process is similar to that described above for the actual information in the environment. Think about the way you will receive information from the government, including which computers will be used to initiate any data transfer, as well as those involved in storing the information. For example, if the government will be E-mailing you, you would list the E-mail system as well as all devices that you use which have copies of those E-mails, such as your mobile device, laptop, etc., as well as the E-mail server or system. As described above, carefully mapping out how the information will flow can streamline the assessment preparation and assessment processes.

Labeling Systems and Equipment Based on Information Type

We also recommend that all equipment be labeled with stickers to identify the type(s) of information on that equipment, and how it is expected to be used in the future. For example, a computer on the production floor of a warehouse might never need to access CUI or FCI. That equipment should be labeled with a sticker reminding employees that the equipment is “Not Authorized for CUI or FCI” (or similar words). This can remind employees not to use that equipment to handle CUI or FCI. By contrast, equipment containing CUI should be labeled “This Equipment Contains CUI”. This can serve as a reminder to employees who are not authorized to access CUI to stay away from the equipment. It also reminds your IT service providers that such equipment may be subject to heightened controls when it is decommissioned. Similar labels can be attached to equipment containing FCI.

Avery 5160 labels can be purchased online and from many office supply stores. Below are templates for stickers which mark equipment that is not authorized for use with FCI or CUI, as well as equipment containing FCI, and equipment containing FCI and CUI.

Be sure to Subscribe to our Newsletter for the next articles in this series!