How DoD Contractors Can Prepare for a CMMC Audit

Publication date: Aug 17, 2020

Last Published: Feb 02, 2021


The Center for Strategic and International Studies estimates that as much as $600 billion, nearly 1 percent of global GDP, is lost to cybercrime each year. The Department of Defense (DoD) is well aware of the need for comprehensive cybersecurity measures, which is why it developed a certification and compliance standard for DoD contractors called the Cybersecurity Maturity Model Certification (CMMC).

Soon, all contractors and subcontractors who want to bid on defense contracts will have to not only comply with cybersecurity best practices but also pass a CMMC audit so they can become certified. Those who fail to do so won’t be able to continue offering their products and services to the DoD.

Understanding the CMMC Audit Process

Prior to the arrival of the CMMC, defense contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), both categories of information that must be protected against unauthorized release, were only required to self-certify that they followed cybersecurity best practices.

The CMMC introduces the requirement for DoD contractors to be certified compliant by passing a DoD CMMC audit performed by a certified third-party assessor organization (C3PAO). The job of the C3PAO is to validate that the contractor has achieved one of the five CMMC maturity levels (Level 1 through Level 5).

According to the CMMC Accreditation Body (CMMC-AB), contractors should start preparing for a CMMC audit at least six months in advance; how much earlier depends on their current cybersecurity readiness and the resources at their disposal.

Preparing for a CMMC Audit

It can take a lot of time and work to prepare for a CMMC audit, so it’s better to start as soon as possible and tackle the potentially daunting task methodically. We recommend the following approach.

Step 1: Start with a Readiness Assessment and Gap Analysis

The CMMC combines and improves upon multiple previous cybersecurity standards, such as NIST SP 800-171, so it is very likely that many DoD contractors have already done most of the work required to achieve one of the lower CMMC maturity levels.

The goal of a readiness assessment is to produce a detailed inventory of the organization's information technology systems: how data flows through them, where and how data is stored, who is responsible for implementing and enforcing incident response plans, and so on.

This information is then used to perform a comprehensive gap analysis in order to pinpoint exactly what needs to be done to move from the current state to the desired future state. A gap analysis plays an essential role in helping DoD contractors prepare for a CMMC audit because it identifies risks, reveals the cost of remedial steps, and helps prioritize their order.

Step 2: Creating a Remediation Plan and Resolving the Gaps

Once all cybersecurity gaps have been identified, they must be resolved according to a remediation plan: an actionable list of every activity needed to resolve the security issues, in the order in which they should be performed.

The remediation plan should describe how the cybersecurity gaps were uncovered and quantify the risk they represent. A timeline should be provided to help ensure the remediation doesn’t take too long, and estimated remediation costs should be included to avoid budget overruns.

Step 3: Ongoing Monitoring and Reporting

The Department of Defense expects contractors to monitor their systems on an ongoing basis and report any incidents they detect. For large contractors with ample resources and plenty of experience with specialized cybersecurity monitoring tools, this last step won't be much of a challenge. Smaller contractors, on the other hand, may find it to be the most difficult step of the three.

Such contractors are often unable to do everything in-house without losing focus on their core business and compromising the quality of service that helped them secure a government contract in the first place. Fortunately, they can outsource cybersecurity monitoring—and all other activities associated with CMMC audits, for that matter—to a Managed Security Service Provider (MSSP).

A partnership with an experienced MSSP allows DoD contractors to get the expertise they require without stretching themselves too thin, and it typically results in substantial time and cost savings compared with the in-house approach, making it the best way to prepare for a CMMC audit.

There are many companies that rely heavily, and sometimes even entirely, on DoD contracts, and such companies must do whatever they can to align their cybersecurity processes with one of the five CMMC maturity levels. Only then will they be able to pass a CMMC audit on the first try and turn this new certification and compliance standard for DoD contractors into a competitive advantage.

OSIbeyond can help your organization start becoming CMMC compliant.