CMMC. If you work as a U.S. defense contractor, chances are you have heard this term thrown around since 2019. While the COVID-19 pandemic, changes in DoD leadership, and content revisions delayed roll-out of the CMMC program, it will be back on track for implementation by late 2023. But what is CMMC? Are you ready to meet its requirements? And what can you do to prepare now that the rollout is once again moving? This article has been written to help address your unanswered questions on the Cybersecurity Maturity Model Certification (CMMC) program.
How Did CMMC Come to Be?
CMMC was created because of the DoD’s understanding of the complexity of risk within the Defense Supply Chain. With $400B obligated spending[1] on suppliers in the Defense Industry Base (DIB), and ever-increasing threats to all of them, something had to be done. It fell to the Office of the Undersecretary of Defense for Acquisition and Sustainment to develop a platform for securing sensitive information and the systems on which the information is processed, stored, and transmitted.
Voila! CMMC was born.
CMMC was developed in collaboration with Carnegie Mellon and Johns Hopkins Universities and targeted for release in late 2020. Originally, contractors could self-assess and report their results. Easy, right? Unfortunately, companies are still exploited, placing Controlled Unclassified Information (CUI) at risk. Between changes in DoD leadership and COVID, neither the timeline nor the security goals were met. In the meantime, controls and requirements were reviewed and revised, resulting in the current form – CMMC 2.0. Though the rollout of CMMC has been fraught with delays and revisions, there is no doubt that DoD contractors will be required to meet a final set of standards if they seek award of any contracts in the future.
We now have a set of standards known as DFARS 7012-800-171, which establishes 110 practices across 14 control families or domains. These practices define how defense suppliers must secure CUI as a condition of contract award. Some think of CMMC as a kind of Risk Management Framework (RMF) for contractors. Indeed, many RMF controls overlap with CMMC practices and point to supplemental guidance sources. Cybersecurity professionals recognize these controls as industry-wide best practices, which many defense suppliers already follow to some degree of effectiveness. By fully implementing, institutionalizing, and demonstrating these controls, an organization proves their cyber-worthiness and can be considered for contract awards. The process of demonstrating their compliance, however, requires a certified assessment of the organization. That’s where ArCybr comes in. Listed among the handful of CMMC Third Party Assessment Organizations (C3PAO), we assess your organization’s CMMC control implementations for recommendation to the Federal Certifying body, CMMC AB.
CMMC 2.0 Levels
CMMC 2.0 is broken down into three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). Each level ensures that organizations are meeting the appropriate strength for the information they are expected to ensure. Levels correspond with the scope of assessment and how deeply the assessor will dig into practices. Most organizations will seek Advanced (Level 2) certification, as that level allows the broadest opportunities for competition.
The Foundational Level is right for you if your organization’s use of Federal information is limited to Federal Contract Information and does not handle CUI. Your organization conducts a self-assessment that covers 17 of the 110 practices, and the results are uploaded to the Supplier Performance Risk System. You provide a self-attestation or declaration of regulatory compliance and a Plan of Action and Milestones to inform the Contracting Officer of the risk they accept in awarding you the contract. And what is a risk assessment for, if not to inform decision makers of the risk they’re accepting?
Most contracting organizations will want to maximize their options to include contracts that require handling of CUI, and they require Advanced or Expert certifications. To achieve these levels, you’ll need the services of an approved third-party assessor.
CMMC Expert compliance is still being drafted, but we anticipate that organizations seeking Expert compliance will need to complete an Advanced (Level 2) third-party assessment. It is expected that a government entity will conduct Expert compliance assessments.
Planning and Preparation
As an Organization Seeking Certification (OSC), you must first identify your assessment scope. To do this, you will identify which assets fall into the certification boundary (anything that stores, processes, or transmits CUI) and will face the closest examination. Many organizations will also have assets that support systems and staff but do not support CUI. Those assets must be included in a wider assessment boundary and may include security personnel who provide access to controlled spaces but never deal with CUI themselves, or a maintenance laptop that scans systems that are within the certification boundary. Accurate scoping will save time and ensure efficiency while the live assessment is in progress.
Assessment Pro Tip #1: Limit the scope of your certification boundary by placing CUI assets within subnets that are easily diagrammed and controlled with specific configurations that only apply to those assets.
Once you’ve scoped the assessment, your organization should assign an OSC Assessment Official, a senior leader who is responsible for managing engagement in the assessment. They must be an employee of the OSC (not a consultant) who possesses decision-making authority regarding the CMMC assessment. They select and assign support staff and identify their roles to prepare for the assessment. Each supporting staff member will need to master their understanding of the controls that apply to their fields of expertise. For example, a system administrator can review the controls that refer to group and user policies, configurations, and other aspects into which they have unique visibility and awareness. A facilities or security officer can naturally speak to compliance with physical security controls. Personnel that conduct internal auditing of systems will understand auditing practices and can align them with CMMC controls. That alignment of your practices with CMMC controls is often the most time-intensive activity of your assessment preparation.
Some controls call for historical documentation, proving your organization has followed certain practices over a specified period. One example would be the review of your System Security Plan (SSP). To meet that requirement, you will show when the SSP was originally published, when qualified staff reviewed it, and when recommendations were approved and endorsed by an authorized leader. Another example would be the scheduled auditing of system access controls. The assessors will look for documentation that proves you have a policy or have specified in the SSP when audits are scheduled, as well as supporting documentation that such audits have been performed. The trick here is to define reasonable objective timeframes for reviews and audits, such as monthly, in the policies or SSP.
Assessment Pro Tip #2: If you’re planning your assessment for 3 months out, conduct the reviews and audits within that timeframe and tailor your documents to reflect that.
Assessment Pro Tip #3: Most controls call for organizationally defined policies. Write your policies and SSP in a reasonable manner for your organization while meeting the intent of the controls.
Evidence
Assessors may use the following methods to discover your level of compliance: Examination, Interview, or Testing. Examination of documentation may be a screen share showing compliant system configurations, but sometimes, the assessor may want a demonstration to prove that the configuration results in control of the item they are questioning. A screenshot showing that your systems are configured to require Multi-Factor Authentication (MFA) meets the examination method, but demonstrating that a user cannot access the system without using MFA meets the testing method. Don’t assume the assessor will only require examination. Be prepared to prove the control with a test demonstration. Interviews are conducted in either one-on-one or group settings. Prepare your staff to answer questions both individually and in a group setting. A thorough understanding of controls and their field of expertise will ensure success for interview questions.
Assessment Pro Tip #4: Conduct mock interviews with staff presenting their evidence while facing scrutiny from other staff role-playing as the assessor.
Adequacy and sufficiency are key words for successful presentation of evidence. You’re looking for detailed documentation that stands up to an assessor’s scrutiny. That could mean showing where a setting in your system configuration meets the criteria and showing how that setting works in a demonstration. Meeting both will fulfill the adequacy of evidence. Some controls may require a sample set of proofs when a single example is not sufficient. If you have several system administrators on staff, demonstrating that one of them cannot execute ordinary user functions without logging into their user account may not be sufficient for the assessor to determine compliance. They may ask other administrators to demonstrate under the same conditions. This provides adequate evidence of compliance.
Gap Analysis
Some companies provide Gap Analyses, initial assessments that identify deficiencies in an organization’s readiness prior to a formal assessment. Organizations with skilled technical staff who understand CMMC requirements may not benefit from this service. Smaller organizations with few personnel skilled in these areas will face more scrutiny and may choose a gap analysis to prepare. While this service can improve chances of passing the full assessment, it can extend the timeline and add cost to achieving certification. Any C3PAO that performs a gap analysis will not be allowed to perform a formal certifying CMMC assessment. This prevents conflicts of interest within the C3PAO community and preserves the integrity of the CMMC process.
Conclusion
The road to securing our defense supply chain is neither smooth nor certain, but rest assured, some form of CMMC will lay requirements on suppliers to meet higher cybersecurity standards across the industry. We should welcome these standards in the interest of national security and do our best to secure sensitive information and systems that process it. Compliance cannot be assured without highly trained C3PAO assessors. Those who are preparing now for CMMC 2.0 compliance will be best situated to win contract awards when others are eliminated from competing. To help prepare or to have more questions answered, feel free to reach out to the experts at ArCybr at moreinfo@arcybr.com.
[1] Source vital-signs_2021_digital.ashx (ndia.org):”Total contract obligations issued by DoD grew from $329 billion in 2017 to $394 billion in 2019—a 20% increase.”
Guy M. Bilyou
Leave a Comment