Congratulations! You have successfully achieved compliance with the Cybersecurity Maturity Model Certification (CMMC). That’s no simple feat, and it deserves a moment of celebration with those who helped you get across that finish line. But don’t celebrate too long, because your work has just begun.
Once you’ve achieved compliance under CMMC, you need to move into continuous compliance mode for your certification. “Continuous compliance mode” indicates that compliance isn’t something you do once and step away from — you need to actively maintain it on an ongoing basis.
Maintain CMMC Throughout the Year
One of the biggest challenges that many organizations face is the mindset that certification is an annual process — something that's done once per year, as the audit approaches. While a few items only need to be handled once per year, most items in CMMC should be maintained on a periodic basis throughout the year.
There are things that CMMC requires you to maintain on a daily, weekly, monthly, quarterly, semi-annual, and annual basis. For example:
- Vulnerability scanning (RA.L2-3.11.2) — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- Security Control Monitoring (CA.L2-3.12.3) — Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- Security Control Assessment (CA.L2-3.12.1) — Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- Risk Assessments (RA.L2-3.11.1) — Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
- Event review (AU.L2-3.3.3) — Review and update logged events.
- Information System Flaw Remediation (SI.L1-3.14.1) — Identify, report, and correct information and information system flaws in a timely manner.
Don’t Assume CMMC Maintenance Is Happening
Another challenge organizations face is the assumption that cybersecurity activities are happening throughout the year, simply because the right people have been tasked with those assignments. I can tell you from experience, that’s often not the case.
While leadership makes certain assumptions about what's happening, the responsible personnel drop the ball on ongoing maintenance. They go on vacation or get sick, other priorities compete for their attention, or they simply don't know they were supposed to tend to those tasks.
Personally, I’m a huge fan of the concept of Trust But Verify. TCT consultants have frequently sat down with clients at their annual compliance assessment, and discovered that things the organization assumed were being done, weren’t. In some cases, they weren’t being done at all. In other cases, they were being done inconsistently or incorrectly.
One of the worst feelings you can have is sitting down with your CMMC Third-Party Assessor Organization (C3PAO) and discovering in that moment that you’re missing something you thought you had. Now you have some really tough questions you have to address with your Assessor. No one wants to be in that position — especially when a large DoD contract is on the line.
That’s why we created Operational Mode within the first year of the launch of TCT Portal.
Easy CMMC Maintenance in TCT Portal
TCT’s Operational Mode ensures that you don’t get to the annual audit, only to discover that you’re missing CMMC requirements that should have been taken care of all throughout the past year.
Operational Mode eliminates those “Oops, I forgot” moments. It shields your organization from dropped balls and incorrect activities. By sending automated alerts to the right person at the right time, Operational Mode ensures that nothing slips through the cracks so you aren’t caught off-guard in front of your C3PAO.
Most maintenance tasks need to be completed on a regular schedule, but there are also items to be completed when an event arises — for example, incident response. You only have to deal with incident response when you have an incident. Incidents don’t come up on a regular, recurring schedule, so TCT Portal prompts you each quarter to attach your documentation for any incidents that may have occurred during the period.
Imagine the confidence of knowing without a doubt that you’re absolutely ready for your annual CMMC Assessment, because you have the backstop of protection that TCT’s Operational Mode provides. Better yet, your organization can automate the internal QA workflow to validate evidence before your annual Assessment.
The framework for CMMC compliance is ultimately intended to protect your organization. Doing these periodic activities throughout the year, and validating that the activities are actually taking place, provides increased protection for your organization.
But Won’t Insurance Cover Your A$$ Just as Well?
I had a conversation with someone the other day about the value of proactive elements of a security and compliance program such as CMMC. They weren’t convinced that Operational Mode was really worth the effort, especially when passive safeguards are in place like cyber liability insurance.
At one point the question was posed, “If you were the CEO of a company and you could only do one of two things — either pay your cyber liability insurance or actively do continuous compliance for CMMC — what would you choose?” For me, I would drop the cyber liability insurance like a bad habit.
Cyber liability insurance is your emergency parachute that you use when the plane is about to crash and burn. Active CMMC maintenance helps keep the plane in the air so there is much less likelihood that you’ll need the parachute. Which option would you prefer?
Best Practices for Ongoing CMMC Maintenance
As you practice active maintenance of your CMMC compliance, be sure to track several key metrics to ensure that you stay on track and nothing slips through the cracks:
- Who is assigned to each task
- When each task is due
- When each task is completed
- What evidence is required
- What evidence is actually provided
Consolidate all of that information — and the evidence — into a single location, so that you can easily refer back to it as needed. Everything is organized and ready for your C3PAO when the time comes. Year over year, this repository becomes CMMC gold, because you have a historical record of your activities and what passed muster with the C3PAO. Your job becomes easier, because you don’t have to experience Groundhog Day each time around.
And as new personnel are brought on board, they have a reliable source of information to guide them through the maintenance process.
Don’t Gamble with CMMC Maintenance
It’s human nature to forgive when someone drops a ball — even a ball as significant as cybersecurity. But in my estimation, the Department of Defense isn’t quite so forgiving when an organization doesn’t stay on top of CMMC maintenance responsibilities.
Without active CMMC maintenance, you’re just rolling the dice that your next audit will pass muster. That’s your choice — and if you’re willing to lose DoD contracts over it, you can cut corners on maintaining CMMC compliance. But when TCT’s Operational Mode is so easy, why would you gamble on your business?
Discover how TCT Portal makes CMMC maintenance easy. Get a demo today!