Sign in Subscribe
INFOSEC

The CMMC Countdown: The Action Plan, Part 2

Start your CMMC action plan with this high-level review of the five-point controls required to get a conditional certificate.

Miguel A. Calles

3 min read
The CMMC Countdown: The Action Plan, Part 2
This image was generated by Microsoft Copilot.

The CMMC Final Rule was published on October 15, 2024, in the Federal Register. What does this mean for the Defender Industrial Base?

  • CMMC certifications may be required as early as 2025 Q5.
  • The controls are based on NIST SP 800-171 R2 (not the latest R3)
  • A minimum of 88 points (80%) with no missing five-point controls is needed to receive a conditional certificate.
  • Any missed controls will be put in a Plan of Action & Milestones (POA&M).
  • All POA&M items must be resolved, and all 110 controls must be implemented within 180 days.

DIB companies that choose to wait may start losing business if they cannot get certified in time. Let's discuss a strategy to get CMMC compliant and ready for a CMMC assessment.

CMMC Action Plan

This plan assumes you have taken the steps identified in the first part of this series.

You must implement the five-point controls to get a conditional certificate successfully. Let's review them.

AC.L2-3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Determine if:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

To meet this requirement, consider showing:

  • List of active users
  • List of processes running on your system (e.g., web servers)
  • List of devices (i.e., PCs, Macs, smartphones, tablets)

AC.L2-3.1.2

Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Determine if:
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.

To meet this requirement, consider showing:

  • List of functions and transactions allowed for users.

For example, show what regular user accounts can do in the CMMC scope (e.g., process CUI using specific applications and store CUI in the designated digital and physical storage locations).

AC.L2-3.1.12

Monitor and control remote access sessions.
Determine if:
[a] remote access sessions are permitted;
[b] the types of permitted remote access are identified;
[c] remote access sessions are controlled; and
[d] remote access sessions are monitored.

Consider showing the following if you allow RDP, SSH, VPN, etc., to access devices in the CMMC scope:

  • Logs for those sessions are being collected.
  • An automated or manual report that is reviewed periodically.

You could simplify your compliance posture by preventing remote access.

AC.L2-3.1.13

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Determine if:
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.

Consider showing the following if you allow RDP, SSH, VPN, etc., to access devices in the CMMC scope:

  • The list of FIPS 140 approved algorithms (e.g., AES) used to secure the connection.
  • The hardware or software modules are FIPS 140 validated.

Use the Cryptographic Module Validation Program search page to find FIPS 140 validation certificates.

You will get 3 points and a POA&M item by not having a FIPS-validated module.

You could simplify your compliance posture by preventing remote access.

AC.L2-3.1.16

Authorize wireless access prior to allowing such connections.
Determine if:
[a] wireless access points are identified; and
[b] wireless access is authorized prior to allowing such connections.

Consider showing the following if you allow wireless access into the CMMC scope:

  • The list of devices authorized to access the wireless network.
  • The security settings that limit access to the wireless network.

You could simplify your compliance posture by preventing wireless access.

AC.L2-3.1.17

Protect wireless access using authentication and encryption.
Determine if:
[a] wireless access to the system is protected using authentication; and
[b] wireless access to the system is protected using encryption.

Consider showing the following if you allow wireless access into the CMMC scope:

  • The list of FIPS 140 approved algorithms (e.g., AES) used to provide authentication and encryption.
  • The hardware or software modules are FIPS 140 validated.

Use the Cryptographic Module Validation Program search page to find FIPS 140 validation certificates.

You will get 3 points and a POA&M item by not having a FIPS-validated module.

You could simplify your compliance posture by preventing wireless access.

Before you go

We will review the other five-point controls in the next CMMC Countdown post.

Sign up for my mailing list at https://miguelacallesmba.medium.com/subscribe