Totem Technologies' Small Business CMMC Preparation Methodology
This post describes Totem Technologies’ (Totem.Tech) three-phased approach and methodology to achieve CMMC Certification. We follow this Methodology to help prepare our clients’ cybersecurity programs to meet DoD contractor cybersecurity requirements. We developed the Methodology after more than a decade of securing our DoD customers’ IT systems, as well as our own “covered” contractor information system. As a by-product of executing our CMMC Preparation Methodology, your organization will be fully compliant with DFARS 7012 requirements, and will also generate your SPRS score.
Bear in mind the CMMC is a “maturity” model, so you have to show you’ve been operating your cybersecurity program for a while. You’ll need to execute this Methodology well in advance of the anticipated CMMC Assessment.
- Your small business organization is a member of the Department of Defense (DoD) supply chain, aka the DoD Industrial Base (DIB), because your organization provides products or services directly to the DoD or a Prime DoD contractor.
- Your organization’s product(s) are not definitively commercial off-the-shelf (COTS). If they are, your organization is exempt from the cybersecurity requirements.
- Your organization has a non-existent or fledgling cybersecurity program with minimal security documentation.
Below we describe at a high-level our three-phased CMMC Preparation Methodology. We offer a more detailed description of the Methodology for free as well. Click the button below to download the detailed Methodology.
Phase One: Determine Scope
Cybersecurity starts and ends with Configuration Management. We must know what the organization values in order to protect those valuables through managed configuration. So, we start by identifying things of value to the organization—its assets, both intangible and tangible.
- Identify the Federal Government information that the organization handles.
- Look to contracts, document markings, and the NARA CUI Registry for indicators of CUI in the environment.
- Characterize the CUI lifecycle in the environment.
- Where/how does your organization receive, store, process, transmit, and dispose of CUI? We offer a free CUI and System Inventory worksheet that will help you capture this information. Contact us for a copy of the worksheet.
- “Scope” out the “covered” system.
- This means determining all aspects of the information system that require protection, i.e. that are “covered” by the FAR and DFARS cybersecurity clauses.
- “System” means: all hardware, software, firmware, and networking assets that store, process, transmit, and/or protect the information characterized in the preceding steps, as well as the users of those assets and the policies and procedures that control the use of those assets.
- Catalog hardware and software assets.
- Work with your organization’s IT staff to capture information about in-scope hardware assets and develop a software baseline.
Phase Two: Document the System
Describe the system in a manner that will convince the assessors the organization fully understands and controls the system scope. “Artifacts” are documents that contain these descriptions and support the System Security Plan and other cybersecurity-related plans.
- Capture system asset interconnections information.
- Develop a matrix of interconnections between hardware services/functions, and a table of those interconnections across which FCI/CUI is shared externally.
- Our CUI and System Inventory worksheet has templates for these.
- Develop system diagrams (based on interconnections information).
- Develop at least two diagrams: CUI flow throughout the organization, and network topology. These can be abstract, not necessarily literal. Diagrams and graphical system representations go a LONG way! Feel free to develop additional diagrams.
- Generate a Contact list of roles with security responsibilities.
- Create a Separation of Duties matrix from the Contact list.
- You’ll want to show that no one role “has the keys to your information kingdom”.
- At a minimum, indicate that the network administration related duties should be separated from program governance and approval-related duties. Again, our CUI and System Inventory worksheet has a template for this matrix, which you can get free by contacting us.
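The separation-of-duties check described above can be automated once the Contact list exists. The following is an added example, not Totem’s worksheet or tool: it takes a constructed role-to-duty assignment, renders the matrix, flags any role that holds both network-administration and governance/approval duties, and lists duties that only one role can perform (a coverage risk if that person is unavailable). The role names, duty names, and the conflict rule are assumptions for illustration.

```python
# Added example (not Totem's worksheet or tool): a separation-of-duties check
# over a constructed contact list. Role names, duty names and the conflict
# rule below are assumptions for illustration.

# Constructed contact list: role -> duties assigned to that role.
ROLE_DUTIES = {
    "IT Administrator": {"network_administration", "account_provisioning", "backup_operations"},
    "Security Officer": {"policy_approval", "change_approval", "incident_handling"},
    "Program Manager": {"policy_approval", "contract_management"},
    "Owner": {"network_administration", "change_approval"},  # deliberately conflicting
}

# Assumed conflict rule: administration duties must not sit in the same role
# as governance/approval duties.
ADMIN_DUTIES = {"network_administration", "account_provisioning"}
GOVERNANCE_DUTIES = {"policy_approval", "change_approval"}


def sod_matrix(role_duties):
    """Return (duties, rows): rows maps each role to an 'X'/'' mark per duty."""
    duties = sorted(set().union(*role_duties.values()))
    rows = {role: ["X" if d in held else "" for d in duties]
            for role, held in role_duties.items()}
    return duties, rows


def sod_violations(role_duties, admin=ADMIN_DUTIES, governance=GOVERNANCE_DUTIES):
    """Roles holding at least one admin duty AND at least one governance duty."""
    return sorted(role for role, held in role_duties.items()
                  if held & admin and held & governance)


def single_holder_duties(role_duties):
    """Duties assigned to exactly one role: nobody can cover them if that role is out."""
    holders = {}
    for role, held in role_duties.items():
        for duty in held:
            holders.setdefault(duty, set()).add(role)
    return sorted(duty for duty, roles in holders.items() if len(roles) == 1)


def render(role_duties):
    """Plain-text rendering of the separation-of-duties matrix."""
    duties, rows = sod_matrix(role_duties)
    width = max(len(role) for role in rows)
    lines = [" " * width + " | " + " | ".join(duties)]
    for role, marks in rows.items():
        cells = " | ".join(mark.ljust(len(duty)) for mark, duty in zip(marks, duties))
        lines.append(role.ljust(width) + " | " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ROLE_DUTIES))
    print("Violations:", sod_violations(ROLE_DUTIES))
    print("Single-holder duties:", single_holder_duties(ROLE_DUTIES))
```

In the constructed data the "Owner" role both administers the network and approves changes, so it is reported as a violation; the single-holder list is the second thing an assessor will ask about, since a one-deep role is an availability risk rather than a separation problem.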
- Generate a System Security Plan (SSP) Introduction document that provides a 30,000-ft view of the organization. Include the following sections:
- System Description
- System Users Overview
- System Environment
- Contact Information
- Introduction to the relevant Security Controls/Practices
- You may also want to include or reference your organization’s Security Engineering Process Guide (SEPG) or equivalent here. This will be necessary to show that your organization follows security engineering principles when developing and modifying your covered system.
Phase Three: Build the Plans
The name of the game is to “say what you are going to do” and “do what you said you were going to do.” Anything the organization says it is doing needs to be backed up with “compelling evidence.”
- Execute a Security Assessment.
- Now that you understand the scope of your organization’s covered system, you can start assessing the current implementation of the NIST 800-171 and CMMC security controls/practices. Our Totem™ tool features a Security Assessment mechanism with the appropriate granularity to meet the CMMC requirements.
- In parallel with the Security Assessment, develop the System Security Plan (SSP).
- Our Totem™ tool is purpose-built to help you generate a DFARS/CMMC compliant SSP.
- The SSP has two main aspects:
- A set of statements dictating the expected outcome of each security control when implemented in your environment (policy statement)
- A set of descriptions of technology and/or procedures/processes your organization puts in place to enforce the policies (implementation description)
- Generate the Plan of Actions and Milestones (POA&M).
- Generate Corrective Action Plans (CAP) for groups of related deficient organizational capabilities. The sum total of the CAPs is the Plan of Actions and Milestones (POA&M).
- Totem™ can help you manage your POA&M as well.
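The Security Assessment, the CAPs, and the POA&M described above are one data flow: assess each control, group the deficient ones into corrective actions, and track the whole. The block below is an added example, not the Totem™ tool, showing that flow on a constructed assessment sample. Control identifiers follow NIST SP 800-171 numbering; the statuses, findings, point weights, and the grouping of CAPs by control family are assumptions for illustration, and the score function is a simplified SPRS-style calculation (start at the full control count and subtract each unmet control’s weight; controls not in the sample are treated as implemented).

```python
# Added example (not the Totem tool): assessment results -> CAPs -> POA&M,
# plus a simplified SPRS-style score. Statuses, findings, weights and the
# family-based CAP grouping are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class ControlResult:
    control_id: str     # NIST SP 800-171 identifier, e.g. "3.1.1"
    family: str         # control family the identifier belongs to
    status: str         # "implemented", "partial" or "not_implemented"
    weight: int         # points subtracted when unmet (assumed sample values)
    finding: str = ""   # assessor's note describing the gap


@dataclass
class CorrectiveActionPlan:
    name: str
    controls: list = field(default_factory=list)
    milestone: str = "TBD"   # target date, set when the CAP is planned


# Constructed assessment sample; every control not listed is assumed implemented.
RESULTS = [
    ControlResult("3.1.1", "Access Control", "implemented", 5),
    ControlResult("3.1.2", "Access Control", "partial", 5, "shared admin account in use"),
    ControlResult("3.3.1", "Audit and Accountability", "not_implemented", 5, "no central log collection"),
    ControlResult("3.3.2", "Audit and Accountability", "not_implemented", 3, "no user attribution in logs"),
    ControlResult("3.4.1", "Configuration Management", "partial", 5, "software baseline incomplete"),
    ControlResult("3.6.1", "Incident Response", "implemented", 5),
    ControlResult("3.12.1", "Security Assessment", "not_implemented", 5, "no periodic assessment"),
]


def deficient(results):
    """Controls that are not fully implemented; 'partial' earns no credit here."""
    return [r for r in results if r.status != "implemented"]


def score(results, maximum=110):
    """Simplified SPRS-style score: full control count minus each unmet control's weight."""
    return maximum - sum(r.weight for r in deficient(results))


def build_poam(results):
    """Group deficient controls into one CAP per family; the list of CAPs is the POA&M."""
    caps = {}
    for r in deficient(results):
        cap = caps.setdefault(r.family, CorrectiveActionPlan(name=f"CAP: {r.family}"))
        cap.controls.append(r)
    return list(caps.values())


def render_poam(caps):
    """Plain-text POA&M listing, one CAP per block."""
    lines = []
    for cap in caps:
        lines.append(f"{cap.name} (milestone: {cap.milestone})")
        for r in cap.controls:
            lines.append(f"  {r.control_id} [{r.status}, -{r.weight}] {r.finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_poam(build_poam(RESULTS)))
    print("Score:", score(RESULTS))
```

Grouping by control family is a convenient first cut; in practice a CAP should collect controls that one project fixes (for example, deploying central logging closes several Audit and Accountability gaps at once), so the grouping key is worth replacing with a planned-project label as the plans mature.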
- Develop an Incident Response Plan (IRP).
- Our Totem™ tool has a template IRP you can customize for your organization.
- You’ll need to ensure your IRP covers incident preparation, identification, containment, eradication, recovery, and lessons-learned activities.
- You’ll also need to ensure your organization exercises or practices using the IRP against realistic incident scenarios.
- Ensure your organization can report incidents to the DoD.
- Ensure your organization has an External Certification Authority (ECA) certificate so it can report incidents involving CUI and/or the covered system directly to the DoD.
That’s the high-level overview of our CMMC Preparation Methodology. Of course, there’s lots to do as part of this Methodology.
Phase One usually takes a day or so for a small business, and Phase Two can take several days or weeks. It will take at least a week to perform a granular self-assessment and build the SSP (Phase Three).
Your POA&M is also likely to have multiple CAPs that need to be executed (usually about two dozen or so for an organization just starting its compliance journey). So full implementation of the plans developed in Phase Three takes months, not days.
Get started ASAP, otherwise it will be a painful scramble when you are faced with a contract that includes CMMC certification requirements. And like we mentioned up front, CMMC is a Maturity Model, so you have to be able to show you’ve been doing cybersecurity well for a while.
Let us know if you have any questions about how to execute any of the Methodology. We’re happy to help!