Tips to Prepare for a First CMMC Assessment

By Neal W. Beggan


With cyberattacks acknowledged as an ever-increasing threat to national security, it came as no surprise when the Defense Department last year introduced a more robust cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC).

Businesses must meet one of five levels of certification. The new standard is already required for certain defense contracts, and the planned five-year rollout aims to ensure that by 2026 all Defense Department contracts will carry the CMMC requirement, affecting more than 300,000 contractors.

Preparation is the key to success. The sooner a company begins preparing for a visit from a CMMC Third-Party Assessment Organization, or C3PAO, the smoother its journey will be.

A major change that will affect companies is the requirement for comprehensive documentation and institutionalization of the CMMC practices. Depending on the target level, organizations must: have up-to-date policies; be able to demonstrate processes that enforce those policies; perform procedures at the frequency stated in the policy or process; and retain evidence showing that they meet the cyber hygiene expected at the required CMMC level.

There are three main areas executives should focus on to ready their teams for a third-party assessment.

The first is to identify the correct level of certification. Many companies assume they need Level 3 when, in fact, Level 1 is all they require, and the difference is a considerable saving of time and money.

The jump from Level 1, with 17 practices, to Level 3, with 130 practices, is significant. The required level is driven by the information a contract involves: Level 1 covers basic safeguarding of federal contract information, while Level 3 applies where controlled unclassified information is handled. Companies should therefore look at their contracts, talk to their primes and subcontractors, and work out exactly which level their business needs.

At Level 3, it is not enough for policies and procedures to exist that address all of the practices; a company must also be able to demonstrate that those practices are managed. That means establishing, maintaining and resourcing a plan that covers every domain in scope.

Properly documenting what the organization does, and showing how that satisfies the CMMC requirements, will take substantial resources. Companies may need to invest in new systems and tools, or in training for the individuals who will be responsible for resourcing and meeting those requirements.

The second step is to determine the scope for the assessment and document it.

A company will need everything documented and in order before the C3PAO arrives. This minimizes potential problems during the assessment and, as far as possible, ensures a smooth process.

If everything is clearly documented, the assessor should be able to see immediately which level the company is targeting, the justification for that level, and the scope of the assessment. The documentation should then set out what is and is not in scope, and why each area falls on the side it does.

As the scope grows, so does the assessment risk: every additional area left in scope is another place the company could fail. A key step, therefore, is to identify and include only those parts of the operation that are genuinely necessary to the work the business performs under its government contracts.

That means determining system boundaries accurately, so the company knows exactly which parts of the business and which personnel will be assessed. The practical test is which systems and people store, process or transmit the covered information, and which systems provide security for them; everything else should be kept out of scope and the separation documented.

A third tip is to determine the assessment type. There are several different ways a company can be assessed.

The most comprehensive is an entity-level assessment, in which the entire organization is held to the same requirements. This will not make sense for most companies seeking certification: the cost of preparing is prohibitive, and many businesses also do commercial work alongside government contracting, which would add unnecessary administrative burden to that side of their operations.

An alternative is to establish an enclave, so that only the part of the business that performs defense-contract work must meet all the requirements, and the rest of the company sits outside the assessment boundary.

There is also a third option, the hybrid model, in which the entire entity receives a Level 1 certification and an enclave focused on defense contracting receives Level 3.

Identifying the most efficient and cost-effective type of assessment will be of key importance.

A contractor should confirm and document these three factors as the core of its readiness program, so that when the assessor walks through the door both sides share a clear understanding of where the assessment boundaries lie, particularly what is in and out of scope.

Scope must be agreed upfront, or the assessment cannot proceed. To help achieve this, it is important that a company chooses the right assessment organization. Picking the cheapest vendor is often unwise; the contractor should instead take the time to find the assessor that is the right fit for it.

Companies can ready themselves by defining key team roles and responsibilities, and by establishing what the assessor will consider adequate evidence. The most efficient way to do this is to identify the employees who will be the control owners and then actually test each control ahead of time, whether it is a documented policy or procedure or an automated technical control.

This information should be organized in advance. For example, if the assessor asks to test the wireless network and wants to see the wireless access policy, the population of wireless accounts and the encryption configuration settings, the company should already know exactly how to demonstrate compliance and who owns that control.

The assessor will rely on three methods: examining supporting evidence, interviewing the control owners, and testing the procedure or control. A business therefore needs the right personnel identified and responsible for each area in advance, to avoid a scramble during the actual assessment.

Thorough preparation will reduce the likelihood of problems, but some roadblocks will inevitably arise. The CMMC Accreditation Body, which oversees the new certification, has established a dispute process that allows a company to file a dispute if it believes it has unfairly failed the assessment, or if qualifying issues arise with the assessors themselves.

Disputes are most likely to center on misinterpretation of the standard by one side or the other. For example, an organization might complete a readiness program in which its consultant approves a particular process, or says, "You don't have to do it that way, you could do this instead." Three months later, during the assessment, the assessor may disagree with that interpretation.

There will also be disagreements over incomplete implementation of controls. For example, a company might be performing only three of five required practices, and that is where it will be picked up.

Finally, there will probably be disputes about which findings can be remediated within the allotted 90-day grace period.

Challenges on all sides are inevitable until things settle down. Historically, when other compliance regimes were introduced (the Sarbanes-Oxley Act, HITRUST, the various ISO standards), a period of oversteer was followed by some form of correction as the certification matured over its first year or so. Companies should expect the same with CMMC, while understanding that these enhanced standards will become the new normal for contracting with government agencies.

While the Defense Department is leading the charge, CMMC has already started to appear in other agencies’ contracts and is widely expected to become a requirement in additional civilian agencies down the road.

Readiness is key to success, and preparing for a CMMC assessment will take longer than many businesses realize. It is essential to go through the whole cycle with real rigor. This is not a process where most organizations can see a solicitation released and then quickly prepare and obtain certification in time to be awarded within 30 to 60 days.

Best estimates are that most companies should allow six months of preparation time, accepting that there will be a spectrum. Some businesses will be more mature because of where they have operated and what they have done in adjacent areas of compliance; others will have done nothing and be starting from scratch. Many will be in the middle, with some areas of maturity but no prior work toward this specific certification.

The suspicion is that many companies are underestimating the time and resources needed to pass the assessment the first time, without recourse to dispute. Approaching the project with a realistic appreciation of the required inputs will pay dividends.

Neal W. Beggan is a principal in the risk and accounting advisory services practice of Cherry Bekaert LLP. He can be reached at The views reflected in this article are his own and do not necessarily reflect the views of Cherry Bekaert.

Topics: Infotech, Cyber, Cybersecurity, Defense Contracting
