Approachable CMMC: Accelerate with our SSP Template


Are you a DIB company working toward CMMC compliance? Accelerate your efforts with our new NIST 800-171 Rev. 3 System Security Plan (SSP) template!

Understanding CMMC 2.0

Are you part of the Defense Industrial Base (DIB), or do you have Department of Defense (DoD) contracts? Then your deadline for implementing the Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements is fast approaching. Our CMMC 101 Guide is the best place to start when it comes to understanding the history of CMMC and how it applies to you, but if you haven’t read it yet, here is the “Cliffs Notes” version:

  • Government solicitations are starting to include the level DIB companies must adhere to in order to work on their contracts. Once the CMMC 2.0 rulemaking period is over, any company working on DoD contracts will need to work towards CMMC certification. Level 1 is for organizations only handling Federal Contract Information (FCI); Level 2 covers organizations handling Controlled Unclassified Information (CUI); and Level 3 covers CUI and high-priority information that could be a higher target for Advanced Persistent Threats (APTs).

  • CMMC 2.0 aligned the security requirements with existing cybersecurity frameworks, specifically NIST SP 800-171 and NIST SP 800-172, which deal with protecting CUI.

  • Each tier has different assessment requirements for proving to the DoD that your company has implemented the security controls for your required level. Level 1 companies only have to complete annual self-assessments. Level 2 companies may be able to complete annual self-assessments, but if working with national security information, these companies will also have to perform triennial third-party assessments. Companies operating at Level 3 must complete triennial government-led assessments, due to the often mission-critical nature of these contracts.

“So what does this mean for me?”

If you are part of the DIB, have DoD contracts, or are planning to pursue DoD contracts, you are going to need to implement the CMMC controls for your level, document how they are implemented, and test your company’s compliance with those controls in order to become CMMC certified. Right now, only a select number of pilot programs are required to comply with CMMC, but once the CMMC 2.0 rulemaking process is complete, the DoD will release specific timeframes in which companies need to be brought into compliance. The certification level you need to meet will be defined in the solicitation.

If your contracts deal with CUI, you will need to be at least CMMC Level 2 certified. This means you will have to implement, document, and test at least 110 controls from NIST 800-171 Revision 3.

“How do I even know where to start?”

Hive Systems has developed one of the first publicly available System Security Plan (SSP) templates for NIST 800-171 Revision 3. This SSP Template has two components:

  • The NIST 800-171 SSP covers all overarching information for the system(s) that will store, transmit, or process CUI, including system diagrams, leveraged connections with other systems, general system descriptions, and system owner details.

  • The NIST 800-171 Appendix A outlines all 110 controls required for CMMC Level 2 compliance. These controls are based on the new NIST 800-171 Revision 3 draft, which incorporates updates from NIST SP 800-53 Revision 5.

The SSP template also lists a number of appendices covering items such as Configuration Management and Incident Response Plans, and other additional documentation required by the NIST 800-171 Revision 3 controls. While Hive Systems has not included templates for these appendices on our website, our subject matter experts are well-versed in the development of these plans and documents and are ready to provide guidance. The DoD has yet to release information about CMMC Level 3, but Hive Systems will release an additional Appendix A to cover the Level 3 control requirements once more information becomes available.

“Where can I go for more information?”

The DoD has made information related to CMMC 2.0 available on their website, but has noted that updates will be limited during the rulemaking process. For more information about the security controls that need to be implemented for CMMC Level 2, we’ve created the following two templates:

Don’t have the time or resources to decipher over 100 security controls, work out what they mean, scale each control for your organization, and identify what solutions are available for each one, all while needing to implement and operationalize them? Hive Systems can help!

We provide a flexible approach customized to each organization’s unique CMMC needs. We can help you understand what the control objectives and nuances are, provide guidance on implementation and different solutions available on the market, and get you ready for your CMMC certification.

Already have your controls implemented, and just need to know where your gaps are? Hive Systems also offers CMMC Readiness Assessments and can help with documenting your POA&Ms and remediation plans, and even design and operationalize your security controls for your organization. Take the first step on your CMMC journey with Hive Systems today!

 
