The CMMC Countdown, Part 2

Start your CMMC action plan with this high-level review of the five-point controls required to get a conditional certificate.

The CMMC Countdown, Part 2
This image was generated by Microsoft Copilot.

The CMMC Final Rule was published on October 15, 2024, in the Federal Register. What does this mean for the Defender Industrial Base?

  • CMMC certifications may be required as early as 2025 Q5.
  • The controls are based on NIST SP 800-171 R2 (not the latest R3)
  • A minimum of 88 points (80%) with no missing five-point controls is needed to receive a conditional certificate.
  • Any missed controls will be put in a Plan of Action & Milestones (POA&M).
  • All POA&M items must be resolved, and all 110 controls must be implemented within 180 days.

DIB companies that choose to wait may start losing business if they cannot get certified in time. Let's discuss a strategy to get CMMC compliant and ready for a CMMC assessment.

CMMC Action Plan

This plan assumes you have taken the steps identified in the first part of this series.

You must implement the five-point controls to get a conditional certificate successfully. Let's review them.

AC.L2-3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

To meet this requirement, you should show:

  • List of active users
  • List of processes running on your system (e.g., web servers)
  • List of devices (i.e., PCs, Macs, smartphones, tablets)

AC.L2-3.1.2

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

To meet this requirement, you should show:

  • List of functions and transactions allowed for users.

For example, show what regular user accounts can do in the CMMC scope (e.g., process CUI using specific applications and store CUI in the designated digital and physical storage locations).

AC.L2-3.1.12

Monitor and control remote access sessions.

You should show the following if you allow RDP, SSH, VPN, etc., to access devices in the CMMC scope:

  • Logs for those sessions are being collected.
  • An automated or manual report that is reviewed periodically.

You could simplify your compliance posture by preventing remote access.

AC.L2-3.1.13

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

You should show the following if you allow RDP, SSH, VPN, etc., to access devices in the CMMC scope:

  • The list of FIPS 140 approved algorithms (e.g., AES) used to secure the connection.
  • The hardware or software modules are FIPS 140 validated.

Use the Cryptographic Module Validation Program search page to find FIPS 140 validation certificates.

You will get 3 points and a POA&M item by not having a FIPS-validated module.

You could simplify your compliance posture by preventing remote access.

AC.L2-3.1.16

Authorize wireless access prior to allowing such connections.

You should show the following if you allow wireless access into the CMMC scope:

  • The list of devices authorized to access the wireless network.
  • The security settings that limit access to the wireless network.

You could simplify your compliance posture by preventing wireless access.

AC.L2-3.1.17

Protect wireless access using authentication and encryption.

You should show the following if you allow wireless access into the CMMC scope:

  • The list of FIPS 140 approved algorithms (e.g., AES) used to provide authentication and encryption.
  • The hardware or software modules are FIPS 140 validated.

Use the Cryptographic Module Validation Program search page to find FIPS 140 validation certificates.

You will get 3 points and a POA&M item by not having a FIPS-validated module.

You could simplify your compliance posture by preventing wireless access.

Before you go

We will review the other five-point controls in the next post.

Sign up for my mailing list at https://miguelacallesmba.medium.com/subscribe