There are several things you can do to prepare for a CMMC assessment.
CMMC is all about the protection of Controlled Unclassified Information (CUI).
The first step you should take on the path to CMMC compliance is to determine where you have CUI. If a prime contractor or other subcontractor is sending you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.
The less CUI you have, the easier it will be to protect it.
Use Proper Encryption
For an IT system to be CMMC compliant, it must use FIPS-validated cryptography to protect data at rest and in transit. A platform that uses FIPS-validated cryptography has been submitted to the National Institute of Standards and Technology (NIST) for validation and certification. NIST maintains a list of FIPS-validated cryptographic platforms.
Manage CUI with Defined Policies and Procedures
When protecting CUI, using the correct processes is as important as using the correct technology. You should take a lifecycle approach to security in which you define your policies and specify approved procedures to manage CUI within a platform. Moving forward, you need to make sure you are monitoring and validating the systems, and then periodically performing a management review.
Avoid the Shopping Cart Approach
Don't rush to purchase a compliance tool that purports to make it easy to achieve CMMC compliance. The best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.
Just like buying a vacuum cleaner doesn't guarantee you will have a clean floor, buying a compliance tool doesn't guarantee you will pass a future audit.
Before purchasing any type of self-analysis tool intended to identify the gaps where you are expected to fall short during a future CMMC assessment, make sure you have the correct expertise in-house to use the tool. We frequently hear feedback from companies that were unable to make use of tools they purchased. Avoid wasting time and money on tools that don't get you much closer to passing a CMMC audit.
Once you have determined the CMMC level to which you need to certify, you can meet internally to identify gaps in your processes and systems that you know need to be corrected. Corserva can help you identify these gaps.