CMMC Checklist

CMMC 2.0 Checklist

The Department of Defense has mandated contractors and subcontractors who handle Controlled Unclassified Information achieve Cybersecurity Maturity Model Certification (CMMC). Navigating the process of readiness and achieving DOD cybersecurity maturity model certification can pose significant challenges, as it often entails complexities and intimidations for many organizations. Our CMMC Checklist can help you start taking steps in the right direction!

 

 

 

 

Do you have a System Security Plan (SSP)?

The SSP is meant to be a document that contains all the implemented security controls relevant to your organization.

You will want to have evidence & documentation/policies for each control that is implemented.

 

Have you established a Plan of Action & Milestones (POAM)?

The POAM is a working document of your controls that still need to be completed.  You can view this as your “to-do list” or “roadmap”.

 

Have you created a Disaster Recovery Plan?

The DR plan is your documented procedures around how your organization will respond to unplanned events.  These events could be IT or cyber-related and pertain to natural disasters, power outages, etc.

 

Have you created an Incident Response Plan?

Your incident response plan is a document containing the tools and procedures that your security team can use to identify, eliminate, and recover from cybersecurity incidents.

 

Do you have policies & procedures around handling sensitive information?

You should have documentation regarding all the CMMC controls. Part of this is defining how you store, transmit, and process CUI and FCI.

 

Are you using Endpoint Detection Response software?

Basic anti-virus might have been good enough ten years ago; however, proper endpoint detection and response software will better protect your organization and help check off more controls.

 

Are you utilizing Multi Factor Authentication (MFA) for all remote connections (VPN) and privileged accounts (admins)?

This is a requirement of NIST 800-171 and CMMC, but it is also good practice within any business. Most cyber liability insurances are starting to require these practices.

 

Have you assessed your organization for vulnerabilities?

Determine when the last time (if ever) you performed a vulnerability assessment of your organization. Also, put together a plan to remediate vulnerabilities and document them.

 

Are patches and updates performed regularly and audited to confirm status?

Are you doing patches and updates manually? Are you using a RMM software to perform these tasks?  There are many ways to automate this and make the auditing process more manageable.

 

Are you actively reviewing event logs, or have you deployed a SIEM?

Do you have a Syslog server set up to collect all event logs?  Who is responsible for reviewing them and checking for anomalies if you are doing this?  Another way to accomplish this is by using a SIEM backed by a 3rd party SOC (security operations center).  Some SIEM tools use Artificial Intelligence to correlate the logs stored safely in a central repository.  If anything is anomalous, it will put an alert in to have a security engineer look into the logs for you.