Department of Defense Contracting
What are the next steps for CMMC?
CMMC has become a requirement as of January 2020 for DoD contractors due to low compliance rates for NIST 800-171. Certification will rely on the assessments of an auditor network of 3rd Party Assessment Organizations (3PAOs) that is yet to be determined. The results these assessments will be submitted to a database used by contracting officials to validate the compliance status of both primes and subcontractors. Certification levels will be made public but the details regarding specific findings will not be publicly accessible.
Evaluation: Preparing for a CMMC audit
All organizations should evaluate if they are currently meeting the technical and process maturity standards in CMMC. Though, at this time, there is no guidance on what 3PAOs will use for the assessments.
The common assumption is NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will act as the source for the criteria used by a 3PAO when evaluating against a CMMC requirement that is correlated to a NIST 800-171 rev1 control. However, ultimately, the intent of CMMC is to combine the various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-3, ISO 27001, ISO 27032, AIA NAS9933 and other into one unified standard for cybersecurity. Beyond cybersecurity controls, CMMC will also assess the contractor’s maturity and institutionalization of cybersecurity practices and processes.
Prior to the release of guidance on what 3PAOs will use for assessments, the primary focus of preparing for a CMMC audit should be on the development of clear, concise documentation around CMMC specific policies, standards, procedures, a System Security Plan (SSP), Plan of Actions and Milestones (POA&M), etc. This is because a documentation review will likely be one of the first items to occur, particularly before the 3PAO conducts any staff interviews. Therefore, the more that can be address by clear documentation then the less your staff will have to address in response to auditor questions.
The CMMC training and assessment guides are planned to be finalized in March by DoD which will tell vendors what it takes to be certified at levels 1, 2 and 3. Stacy Bostjanick, the director of the CMMC policy office in the Under Secretary of Defense for Acquisition and Sustainment, stated, “These guides are where people can find answers and what artifacts are needed. It is where all the answers to all your questions will be if you go through the assessment guide.”
Remediation: Resolving the gaps
Until the release of the CMMC training and assessment guides, it is early to speculate what the best path for remediation will be for government contractors. However, with the release of CMMC Model v1.0 that includes a list of controls, a CMMC Readiness Assessment can be performed to provide a gap analysis and create a remediation plan.
The remediation plan could involve anywhere from small fixes to a network and its processes or a more extensive development of compliant networks and processes. Upon completion of the remediation plan with the contractor’s systems and procedures compliant with the appropriate CMMC level, ongoing cybersecurity monitoring and reporting will be necessary. This can be done in-house or through a managed service provider.
It will be important to determine what tools are necessary to achieve compliance and maintain it. Many software companies have foreseen this need in advance and developed tools to help ensure contractors can achieve these goals. In particular, Microsoft has become a leader in cloud storage and cybersecurity offering Azure for Government.
Assessments: How an organization becomes certified
Contractors planning to compete for DoD contracts will need to coordinate directly with accredited 3PAOS to request and schedule a CMMC assessment. The contractor will need to specify the level of the certification requested based their specific business requirements. Certification will be awarded to the contractor at the appropriate CMMC level upon demonstrating the proper maturity in capabilities and organizational maturity to the satisfaction of the assessing 3PAO.
The auditor network has yet to be determined by the recently incorporated accreditation body, formed independently of DoD. A number of organizations are lined up to provide assessments however the training and examination requirements to become a 3PAO are not in place yet. Sometime between April and June, the accreditation body will develop the training classes for prospective 3PAOs.
Bostjanick stated, “The accreditation body is working with us to develop training material to accredit third-party assessors. There will be a marketplace for them as they go through the two-week course and test for level 3 accreditor certifications. […] We also will have Defense Acquisition University training where we will be working with program managers and contracting officers so they understand what the different CMMC levels are and give them a layman’s guide to controlled unclassified information so program managers can figure out how to disaggregate the data and flow down the CMMC requirements.”
The Timeline: How much time do organizations have?
It is important for contractors to be aware and responsive to the CMMC rollout because they will want to ensure compliance as it starts to appear in an increasing number of contracts. That being said, it has been emphasized by Katie Arrington, chief information security officer for DoD acquisition policy, and other DoD leaders that the rollout will be gradual. The expectation by DoD is that it will take 5 years for CMMC to fully rollout with only a handful of RFPs requiring CMMC in 2020. Arrington has shared that DoD expects 3PAOs to certify approximately 1,500 vendors in 2021, 7,500 additional in 2022 and 25,000 additional by 2023.
Even with a gradual rollout, the belief is however companies will be active in pursuing CMMC. “I doubt it will take five years because companies want to do this,” she stated. This should be particularly so since security is an allowable cost now. She elaborated saying, “We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.”
As a contractor you should not hesitate to start evaluating your organization ahead of the CMMC rollout. FSi Strategies can counsel with your organization and offer any needed remediation ahead of your CMMC assessment.