What Does a CMMC Audit Involve?

Publication date: Sep 04, 2020

Last Published: Sep 30, 2020


Soon, new Requests for Proposals (RFPs) will gradually begin requiring CMMC certification, which means that DoD contractors who haven’t yet familiarized themselves with the CMMC audit process need to do so as soon as possible.

Goodbye NIST SP 800-171, Hello CMMC

If there’s one thing the Department of Defense has learned since it started requiring contractors to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices, it’s that self-certification of compliance doesn’t work well.

Why? Because not all contractors are 100% honest when it comes to the maturity of their cybersecurity defenses. And even those contractors who are honest may unknowingly overestimate their ability to defend themselves against the latest cyber threats.

That’s why the Office of the Assistant Secretary of Defense for Acquisition initiated the creation of the Cybersecurity Maturity Model Certification (CMMC), a certification and compliance process that requires contractors to become certified by a CMMC third-party assessment organization (C3PAO) to one of five CMMC Levels:

  • CMMC Level 1 (Basic Cyber Hygiene) – 17 Controls must be applied.
  • CMMC Level 2 (Intermediate Cyber Hygiene) – 72 Controls must be applied.
  • CMMC Level 3 (Good Cyber Hygiene) – 130 Controls must be applied.
  • CMMC Level 4 (Proactive) – 156 Controls must be applied.
  • CMMC Level 5 (Advanced/Proactive) – 171 Controls must be applied.

Each CMMC Level builds on the previous one, and their common goal is to protect controlled unclassified information (CUI), which the U.S. National Archives and Records Administration (NARA) defines as information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies.

An Overview of the CMMC Audit Process

As we’ve already stated, contractors who want to be able to bid on future DoD contracts must become certified to one of the five CMMC Levels by a C3PAO.

C3PAOs are third-party organizations that have received accreditation from the CMMC Accreditation Body (CMMC-AB). Such organizations can perform CMMC assessments, which are evidence-based and take place on-site. The result of a successful CMMC assessment is a CMMC certification. This certification represents that the contractor has demonstrably achieved a certain level of cybersecurity capability, as defined by the CMMC model.

Here’s what a CMMC audit may look like in practice:

  • Review of the current security program: First, the C3PAO will get in touch with the person who is responsible for the organization’s cybersecurity. This can be a dedicated CISO, but it can also be the network administrator or a third party. The C3PAO will go over the current security program to better understand the environment it’s dealing with. Specifically, the C3PAO will want to know what CUI is stored and transmitted by the organization, and how.
  • Review of currently used controls: After familiarizing itself with the organization’s security program, the C3PAO will review the currently used controls, which are the countermeasures that the organization has implemented to detect, prevent, reduce, or counteract security risks. At this point, the goal is to find out whether all controls that are supposed to be in place are actually in place.
  • Verification of the implementation of controls: Next, the C3PAO will perform an in-depth analysis of individual controls to verify their implementation. An auditor may ask the person who is responsible for the organization’s cybersecurity to explain a certain process or demonstrate how a specific control works.
  • Issuing of an official audit report: Finally, the C3PAO will issue an official audit report, detailing how well the audited organization performed and whether or not it meets the requirements of the target CMMC Level. The C3PAO will keep details about specific findings confidential, so the organization doesn’t have to worry about suffering damage to its reputation.

It’s important to keep in mind that passing one CMMC audit doesn’t mean that the audited contractor can stop worrying about CMMC and its requirements. According to the DoD, CMMC is intended to be an evolving certification and compliance process that will very likely introduce new controls to the various levels in response to emerging threats.

That’s why DoD contractors should make cybersecurity an ongoing priority; otherwise, CMMC audits may turn into a major source of stress and uncertainty. Smaller contractors that can’t afford to employ a dedicated cybersecurity professional should consider partnering with a managed service provider (MSP) that has a strong background in cybersecurity and understands what it takes to pass a CMMC audit.

To learn more about how your organization can become CMMC audit-ready, contact OSIbeyond.
