Outlining the CMMC Process: Gap Analysis and SPRS Score

Perform a Gap Analysis

What’s a gap analysis and why is it necessary? 

Great question…

A gap analysis is the process of identifying the gaps between your organization’s current cybersecurity practices and the practices required by the CMMC framework. 

A gap analysis helps organizations identify the areas where they need to improve to meet the certification requirements.

Gap Analysis Process

The process involves reviewing your current policies, procedures, and controls to identify any areas that need to be updated or improved.

We take two to three virtual or in-person meetings to determine where your company currently stands against the CMMC requirements.

What’s the Result of a Gap Analysis?

The result of a gap analysis is a report that highlights the gaps between your current practices and the CMMC requirements. This report can be used to develop a plan to address the gaps and achieve compliance.

That’s where we come in.

Our cyber security professionals review your assessment and provide recommendations through conversations with you about how to make CMMC work best for your company.

Deliverables involved:

  • Gap Analysis
  • SPRS Score
  • A detailed quote for any requested IT or policy services

What’s a SPRS Score?

SPRS is the Supplier Performance Risk System, a DoD database. The "SPRS score" is the result of a NIST SP 800-171 DoD Assessment that a contractor posts there. Under DFARS 252.204-7019 and 252.204-7020, a contractor whose work involves CUI must have a current assessment (no more than three years old) posted in SPRS before the DoD will award a contract that involves CUI.

The score is not a questionnaire. It is produced by assessing all 110 security requirements of NIST SP 800-171 using the DoD Assessment Methodology: you start at 110 and deduct 1, 3 or 5 points for every requirement that is not implemented, according to the weight the Methodology assigns to that requirement. A requirement that sits on a Plan of Action and Milestones (POA&M) is still not implemented and is still deducted; only two requirements (multifactor authentication, 3.5.3, and FIPS-validated cryptography, 3.13.11) allow partial credit, at a 3-point deduction instead of 5.

Because of the weighting, the score ranges from -203 to 110, not 0 to 110. A 110 means every requirement is implemented, and that is the target for CMMC Level 2. The CMMC rule allows a conditional Level 2 certification with a limited POA&M only when the score is at least 88, no 5-point requirement is on the POA&M (3.13.11, when partially met, is the narrow exception), and the POA&M is closed within 180 days.

In the context of CMMC, the SPRS score is therefore the best single indicator of how far you are from certification, and the gap analysis is what turns each deduction into a remediation item. The DoD also uses the posted scores to decide which suppliers to assess and to monitor the cybersecurity posture of its supply chain.
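As an added example (the editor's, not the page's or the DoD's code), the scoring arithmetic described above carried through in Python. Everything specific in it is constructed for illustration: the handful of requirement weights follows the editor's reading of Annex A of the DoD Assessment Methodology and must be verified against the current published version, and the assessment results in SAMPLE are made up.

```python
"""SPRS score under the NIST SP 800-171 DoD Assessment Methodology.

Added example, not from the original page. Scoring rules implemented:
  * start at 110 and deduct the requirement's weight (1, 3 or 5) for each
    requirement that is not implemented;
  * a requirement on a POA&M is still not implemented and is deducted;
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) may be scored as
    partially met, deducting 3 instead of 5;
  * 3.12.4 (the system security plan) carries no weight, but without an
    SSP the assessment cannot be completed at all.
The WEIGHTS table is a small sample; the values are the editor's reading
of the Methodology's Annex A and must be checked against the current
published version before use.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203          # 110 minus every weighted deduction across the 109 weighted requirements
SSP_REQUIREMENT = "3.12.4"


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"   # only valid for the two partial-credit requirements
    NOT_IMPLEMENTED = "not implemented"
    POAM = "not implemented, on POA&M"  # scored exactly like NOT_IMPLEMENTED


# Assumption: sample weights per the editor's reading of Annex A; verify before relying on them.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.13.16": 1,  # protect CUI at rest
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # reduced deduction when partially met


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: Status


def deduction(f: Finding) -> int:
    """Points to subtract for one finding, or raise if the finding cannot be scored."""
    if f.requirement == SSP_REQUIREMENT:
        if f.status is not Status.IMPLEMENTED:
            raise ValueError("no system security plan: the assessment cannot be completed")
        return 0
    if f.requirement not in WEIGHTS:
        raise KeyError(f"no weight on file for requirement {f.requirement}")
    if f.status is Status.IMPLEMENTED:
        return 0
    if f.status is Status.PARTIAL:
        if f.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{f.requirement} has no partial-credit rule; score it met or not met")
        return PARTIAL_CREDIT[f.requirement]
    return WEIGHTS[f.requirement]   # NOT_IMPLEMENTED and POAM deduct the full weight


def breakdown(findings) -> list:
    """(requirement, points deducted) for every finding that costs points."""
    return [(f.requirement, d) for f in findings if (d := deduction(f))]


def sprs_score(findings) -> int:
    """Score for the findings given. A real assessment covers all 110 requirements."""
    score = MAX_SCORE - sum(d for _, d in breakdown(findings))
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


# Constructed assessment results for the sampled requirements (not a real company).
SAMPLE = [
    Finding("3.1.1", Status.IMPLEMENTED),
    Finding("3.1.5", Status.POAM),            # planned, not done: still costs 3
    Finding("3.1.8", Status.NOT_IMPLEMENTED),
    Finding("3.3.1", Status.IMPLEMENTED),
    Finding("3.5.3", Status.PARTIAL),         # MFA for remote/privileged only: costs 3, not 5
    Finding("3.12.4", Status.IMPLEMENTED),    # SSP exists, so scoring is possible
    Finding("3.13.11", Status.PARTIAL),       # encryption present but not FIPS-validated: 3
    Finding("3.13.16", Status.IMPLEMENTED),
]

if __name__ == "__main__":
    for req, pts in breakdown(SAMPLE):
        print(f"{req:8s} -{pts}")
    print("SPRS score:", sprs_score(SAMPLE))
```

The point the arithmetic makes is that a POA&M does not improve the number: the 3.1.5 entry costs the same three points whether or not a plan exists, which is why the gap analysis has to drive actual remediation before the score is posted.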

Why You Need a Gap Analysis and an SPRS Score for CMMC

In summary, the gap analysis and the SPRS score are the two tools you need before pursuing CMMC. The gap analysis identifies the areas you must improve to meet the certification requirements; the SPRS score turns that picture into the number the DoD actually sees, which it uses to judge a supplier's readiness and to monitor the cybersecurity practices of its suppliers.

How to identify if you need CMMC?

Identify CMMC

Before deciding whether CMMC applies to you, you need to understand Controlled Unclassified Information (CUI).

CUI is the deciding factor for CMMC, because CMMC Level 2 and Level 3 exist to protect it: whether your DoD work involves CUI determines which level you need.

CMMC is the DoD's program for verifying, by self-assessment or third-party assessment, that contractors have implemented the safeguards required for Federal Contract Information (FCI) and CUI. It is designed to give the DoD a consistent baseline of assurance across its supply chain rather than relying on contractors' own attestations alone.

The central security obligation in CMMC is the protection of CUI. Organizations that handle CUI must safeguard it in accordance with applicable laws, regulations, and guidance (32 CFR Part 2002, the DFARS and NIST SP 800-171). This includes identifying and marking CUI appropriately, as well as implementing the appropriate security controls to protect it.

Understanding CUI (Controlled Unclassified Information)

CUI is sensitive but unclassified information that a federal law, regulation or government-wide policy requires to be safeguarded or dissemination-controlled; the US government regulates it under 32 CFR Part 2002. To ensure that CUI is appropriately safeguarded, specific markings and controls are used to identify it. They are:

1. Banner & Footer Markings

The banner and footer carry the same marking line, placed at the top and bottom of every page. At a minimum it reads "CUI"; category markings and limited dissemination controls are appended after double slashes, for example "CUI//SP-CTI//NOFORN." In addition, the first page carries a CUI designation indicator block stating who controlled the information ("Controlled by"), the CUI category, the distribution or dissemination control, and a point of contact.

Pro-tip: There is no requirement to add the “U,” signifying unclassified, to the banner and footer as was required with the old FOUO marking (i.e., U//FOUO).

In classified documents, CUI is identified only at the portion level: paragraphs or subparagraphs known to contain only CUI are portion marked "(CUI)," and "CUI" does not appear in the banner or footer, which carry the classification markings.

Last tip: multi-page classified DoD documents get a statement in the warning box on the first page alerting readers that the document also contains CUI.

2. Category & Sub-Category Markings

Category markings identify what kind of information the document contains and therefore which rules apply to it. The CUI Registry groups its categories under organizational index groupings such as "Defense," "Financial," or "Legal"; the individual categories within each grouping are what you actually mark. Within the "Defense" grouping, for example, Controlled Technical Information is marked CTI, and the banner for such a document reads "CUI//SP-CTI."

3. CUI Basic vs. CUI Specified

The distinction is about handling rules, not about whether a category appears in the CUI Registry; every CUI category is listed there. CUI Basic covers categories whose governing law, regulation or government-wide policy requires protection but does not spell out specific handling controls, so the default controls of 32 CFR Part 2002 apply. CUI Specified covers categories whose authority does prescribe specific handling or dissemination controls (export-controlled technical data, for example). Specified categories are marked with the prefix SP- in the banner, as in "CUI//SP-CTI," and a document that mixes Basic and Specified information must be protected at the Specified level.

4. Limited Dissemination Controls

Limited dissemination controls (LDCs) are markings, not technical controls. They are added after the category markings in the banner to state who may receive the information. The LDCs approved in the CUI Registry include NOFORN (no foreign nationals), FED ONLY (federal employees only), FEDCON (federal employees and contractors), NOCON (no contractor support), DL ONLY (a named distribution list), REL TO (specified countries only) and DISPLAY ONLY. Password protection, access controls and encryption are the safeguards you use to enforce an LDC; they are not the LDC itself.

5. Portion Markings

Portion markings identify which paragraphs, sections or images of a document contain CUI, so a reader can tell at a glance which parts are sensitive and require protection. The portion marking for CUI is "(CUI)," optionally followed by the Specified category and any LDC, for example "(CUI//SP-CTI//NOFORN)"; uncontrolled portions are marked "(U)." Legacy labels such as "FOUO" (For Official Use Only) are not CUI portion markings and should not be used on new documents.

Quick side note: if portion markings are used in one part of the document, they must be used throughout the entire document.
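As an added example serving sections 1 through 5 above (editor's code, not from the page), a parser for the banner-marking syntax and a checker for the all-or-nothing portion-marking rule. It assumes the grammar as the editor reads the CUI Marking Handbook (control indicator, then category markings, then limited dissemination controls, sections separated by a double slash, items within a section by a single slash, Specified categories prefixed SP-, Specified categories listed before Basic ones), uses only a small sample of category and LDC abbreviations, and runs over a constructed five-line document. The CUI Registry is the authority for the real abbreviations.

```python
"""Parse CUI banner markings and check portion-marking consistency.

Added example, not from the original page. Grammar assumed (editor's
reading of the CUI Marking Handbook):
    CUI[//CATEGORY[/CATEGORY...]][//LDC[/LDC...]]
Specified categories carry an "SP-" prefix. The abbreviation sets below
are a sample only; the CUI Registry is authoritative.
"""
import re
from dataclasses import dataclass, field

KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN"}      # sample, not complete
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON"}      # sample, not complete
PORTION_RE = re.compile(r"^\(([A-Z][A-Z0-9 /-]*)\)\s")       # "(CUI) ...", "(U) ..."


@dataclass
class Marking:
    specified: list = field(default_factory=list)   # categories marked SP-
    basic: list = field(default_factory=list)       # categories without SP-
    ldcs: list = field(default_factory=list)        # limited dissemination controls
    problems: list = field(default_factory=list)    # validation findings, empty if clean


def parse_banner(text: str) -> Marking:
    """Split a banner/footer line into its sections and validate each one."""
    m = Marking()
    sections = [s.strip() for s in text.strip().split("//")]
    if sections[0] not in ("CUI", "CONTROLLED"):
        m.problems.append(f"banner must begin with CUI (or CONTROLLED), got {sections[0]!r}")
        return m
    rest = sections[1:]
    if len(rest) > 2:
        m.problems.append("banner has more than two sections after the control indicator")
    for idx, section in enumerate(rest):
        items = [t.strip() for t in section.split("/") if t.strip()]
        if items and all(t in KNOWN_LDCS for t in items):
            # LDCs are always the final section of the banner.
            if idx != len(rest) - 1:
                m.problems.append("limited dissemination controls must be the last section")
            m.ldcs.extend(items)
            continue
        for item in items:
            if item.startswith("SP-"):
                category = item[3:]
                # Assumption: Specified categories are listed before Basic ones.
                if m.basic:
                    m.problems.append(f"Specified category {item!r} listed after a Basic category")
                m.specified.append(category)
            else:
                category = item
                m.basic.append(category)
            if category not in KNOWN_CATEGORIES:
                m.problems.append(f"unknown category marking {item!r}")
    return m


def portion_marking(m: Marking) -> str:
    """Portion marking for a paragraph that carries everything in the banner.

    Basic CUI is portion marked simply "(CUI)"; Specified categories and
    LDCs are carried into the portion marking.
    """
    parts = ["CUI"]
    if m.specified:
        parts.append("/".join("SP-" + c for c in m.specified))
    if m.ldcs:
        parts.append("/".join(m.ldcs))
    return "(" + "//".join(parts) + ")"


def check_document(doc: str) -> dict:
    """Validate banner, footer and the all-or-nothing portion-marking rule."""
    lines = [ln.strip() for ln in doc.splitlines() if ln.strip()]
    banner = parse_banner(lines[0])
    problems = list(banner.problems)
    if len(lines) > 1 and lines[-1] != lines[0]:
        problems.append("footer marking does not match the banner")
    body = lines[1:-1]
    marked = [bool(PORTION_RE.match(p)) for p in body]
    if any(marked) and not all(marked):
        for number, ok in enumerate(marked, start=1):
            if not ok:
                problems.append(f"paragraph {number} has no portion marking but others do")
    return {"banner": banner, "portion_marks": sum(marked), "problems": problems}


# Constructed sample document: Specified CTI, NOFORN, one paragraph left unmarked.
SAMPLE_DOC = """
CUI//SP-CTI//NOFORN
(CUI//SP-CTI//NOFORN) Drawing 12-A shows the bracket tolerances for the lot.
(U) This paragraph contains nothing controlled.
The approved vendor list for the bracket is unchanged from last quarter.
CUI//SP-CTI//NOFORN
"""

if __name__ == "__main__":
    result = check_document(SAMPLE_DOC)
    print(portion_marking(result["banner"]))
    for p in result["problems"]:
        print("PROBLEM:", p)
```

The same regular expression is a practical starting point for the "assess your information systems" step: run it over exported documents and shares to find files that already carry CUI banners or portion marks, which tells you where CUI lives before you scope the CMMC boundary.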

How Do You Identify If You Need CMMC?

IDENTIFYING CMMC

You need CMMC if your organization holds, or wants to hold, a DoD contract (as a prime or as a subcontractor) that involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Under the CMMC program, contracts that involve only FCI require Level 1 (a self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21), and contracts that involve CUI require Level 2 (the 110 requirements of NIST SP 800-171) or, for the most sensitive programs, Level 3.

Additionally, if your organization is a subcontractor or supplier to a prime that handles CUI for the DoD, the CMMC requirement flows down to you for the parts of the work that involve FCI or CUI, and you will need to demonstrate the required level to keep that business.

It is important to note that the CMMC applies only to organizations that process, store or transmit FCI or CUI in performance of a DoD contract; it does not apply to suppliers of commercially available off-the-shelf (COTS) items alone. If your organization does not fall into this category, it may not need to comply with the CMMC.

If you are unsure if your organization needs CMMC, it is recommended that you consult with a professional who is familiar with the requirements of the DoD and the CMMC framework.

HOW DO YOU KNOW IF YOUR ORGANIZATION HANDLES CONTROLLED UNCLASSIFIED INFORMATION?

Here are some steps to determine if your organization handles controlled unclassified information (CUI):

1. Review your contracts and agreements: Look for DFARS 252.204-7012 (Safeguarding Covered Defense Information) and, in newer awards, DFARS 252.204-7021 (the CMMC clause) in your contracts with the US Department of Defense (DoD) and in the flow-down terms your primes impose on you. Those clauses are the contractual trigger for CUI obligations.

2. Assess your information systems: Determine where in your systems and data CUI actually lives. Look for CUI banner or portion markings, distribution statements B through F on technical documents, and legacy labels such as "FOUO" or "SBU" (sensitive but unclassified) that often identify information now designated as CUI. Engineering drawings, specifications and test data delivered under DoD contracts are common examples; confidential business information (CBI) and other sensitive but unclassified material may qualify as well.

3. Review your data protection policies and procedures: Review your organization’s policies and procedures for data protection and security to determine if they specifically address the handling of CUI.

4. Consult with experts: Consult with cybersecurity experts, legal counsel, or other professionals who are familiar with the handling of CUI to determine if your organization is handling this type of information.

It is important to note that CUI includes a wide range of information, including technical data, software, and systems, as well as non-technical information such as personnel, financial, and legal information. If your organization handles any of this type of information, it is important to ensure that appropriate controls are in place to protect it.

WHAT ARE THE FLOW-DOWN REQUIREMENTS OF CMMC?

The flow-down requirements of the Cybersecurity Maturity Model Certification (CMMC) are the obligations that pass from the DoD, through the prime contractor, to every subcontractor and supplier whose work involves FCI or CUI. The DFARS clauses (252.204-7012, 252.204-7020 and 252.204-7021) require primes to include the same clauses in their subcontracts, so the CMMC level required of the prime is required of the subcontractor for the portion of the work that handles FCI or CUI.

The CMMC framework has three levels: Level 1 (Foundational, basic safeguarding of FCI), Level 2 (Advanced, the 110 requirements of NIST SP 800-171 for CUI) and Level 3 (Expert, which adds selected requirements from NIST SP 800-172). The specific flow-down requirements depend on the level, but generally include the following types of controls:

1. Access controls: Controls to ensure that only authorized individuals can access CUI.

2. Asset management: Controls to ensure that CUI is properly identified, classified, and protected.

3. Configuration management: Controls to ensure that systems and devices used to handle CUI are configured in a secure manner.

4. Identity and access management: Controls to manage and monitor the identities of individuals accessing CUI.

5. Incident response: Controls to ensure that incidents involving CUI are promptly detected, reported, and responded to.

6. Maintenance: Controls to ensure that systems and devices used to handle CUI are properly maintained and updated.

7. Media protection: Controls to protect CUI during storage, transportation, and disposal.

8. Personnel security: Controls to ensure that personnel who handle CUI are properly vetted and trained.

9. Recovery: Controls to ensure that CUI can be recovered in the event of an incident.

10. Risk management: Controls to manage and mitigate the risks associated with handling CUI.

These groupings are illustrative. The requirements you are actually assessed against at Level 2 are the 110 requirements in the 14 families of NIST SP 800-171 (Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity). Organizations must meet the requirements for the specific level of the CMMC that they are being assessed against, and the flow-down requirements are subject to change as the framework evolves and new threats emerge.