The Department of Defense (DoD) introduced Cybersecurity Maturity Model Certification (CMMC) in early 2020 to standardize how contractors protect government information. While CMMC builds upon existing regulations, including Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and NIST SP 800-171, the “certification” part is new and will require prime contractors and subcontractors be certified by third-party assessors.
Organizations have plenty of questions about who needs certification, how long the process will take, what level of certification they will need and, most importantly, when will they be able to start the assessment process. Baker Tilly’s IT risk and cybersecurity practice recently hosted a CMMC readiness webinar series to help answer these questions.
In part one, "Understanding CMMC and the implications for DoD contractors," Matt Gilbert, principal, and Mike Cullen, director, discussed the basics of the certification and what organizations needed to know to prepare. In part two, "Navigating the CMMC assessment," Gilbert interviewed Jeff Dalton, CMMC-AB board member and chair of its accreditation and credentialing committee, who gave a status report on when organizations may expect assessments and how long it may take.
The DoD launched the CMMC to ensure all contractors supporting the defense industrial base had proper cybersecurity in place. If the DoD is sharing either federal contractor information (FCI) or controlled unclassified information (CUI) with an organization, that organization will have a responsibility to protect that data. The CMMC certification makes certain the right protections are in place, and contractors will not be able to work with the DoD in the future without appropriate certification. Cullen said, there is an exception for products sold to the DoD that are also sold commercially, for example, office chairs.
The certification itself has five levels, reflecting an organization’s different levels of maturity. Starting from level 1 at the lowest up to level 5 at the highest, the levels are designed to build upon each other. For example, to attain level one certification, an organization will have to meet 17 practice requirements, and for that organization to move up to level two, it will have to maintain those 17 as well as an additional 55 new practices plus two processes. To achieve level three, 58 new practices and one new process pile on to those previous requirements, etc. In total, Cullen said, for an organization to meet the qualifications for the highest certification, it will have to have in place and working 171 different practices to maintain the protection of data on the systems it uses.
The level of certification an organization will need depends on the information it will be receiving from the DoD. If the contractor is only receiving FCI, it will need to have just a level one, but if it is receiving CUI, it will need, at the minimum, level three certification. According to our webinar attendees, 58% plan to attain level three certification, while 12% will go for level one and only 7% will work for the highest level.
The good news is the framework of the CMMC draws from the NIST SP 800-171, which borrowed heavily from NIST SP 800-53 and from ISO Standard 27001. In fact, for an organization to reach level three certification, 110 of those requirements are the exact requirements from NIST SP 800-171. Furthermore, because those frameworks were used as primary sources for CMMC, if an organization was already doing the work for those certifications, it can map back to those frameworks and leverage existing practices and controls for its CMMC certification.
One of the biggest differences between CMMC and NIST SP 800-171 is enforcement. With NIST SP 800-171, contractors were able to self-assess and self-certify, and no one was checking. As previously stated, to earn a CMMC certification, prime contractors as well as their subs will have to have an assessment conducted by a certified third-party assessment organization (C3PAO) in order to win contracts with the DoD going forward that will increasingly include CMMC requirements.
To help the DoD administer and organize the certification process, the not-for-profit CMMC Accreditation Body (CMMC-AB) was formed, comprising a volunteer group of experienced industry professionals. The CMMC-AB has nine committees and seven working groups (with more to open as needed) to define pretty much everything — the key roles, training coursework, accreditation process, etc. — and they have to act quickly since the DoD would like contractors to be certified by some point this Fall.
During the second webinar in the series, Dalton said the CMMC-AB anticipates the process for certification will be straightforward: An organization seeking certification (OSC) will ask for requests for proposal (RFPs) or quotes from C3PAOs. Once the C3PAO is contracted to conduct an assessment, the C3PAO will either have a certified assessor on staff or will engage an independent assessor to perform the work. The C3PAO will manage the process, including performing quality assurance, ensuring the assessment was credible and executed properly, and submitting the results to the CMMC-AB for evaluation. He believes, from start to finish, the process should take eight to 12 weeks, depending on size and scope.
The concern is, as of early August, no assessors have been trained or certified and no C3PAOs have been licensed and authorized to conduct assessments.
The CMMC-AB anticipates training will start by the end of July, Dalton said, with a group of trainees capped at 60 people. The “provisional assessors” have not yet been selected, but more 150 people have applied to be certified so far. The CMMC-AB will select experienced people for this first group. Dalton said they will go through basic training on the CMMC and assessment method, but then they will be able to conduct assessments, participate in retrospectives with the CMMC-AB and submit results back to the AB. The pilot group should provide the CMMC-AB with feedback on the method and framework and whether it’s workable in the industry. Dalton said the CMMC-AB believes it should be viable because so many experienced professionals collaborated to create the process.
The CMMC-AB expects “a large number of assessments” will be conducted during the pilot, which will be necessary in order to meet the DoD’s goal of using 10 initial pathfinder contracts to ascertain how effectively the program is working. Gilbert said the DoD estimates 1,000 prime and subcontractors will need to be certified this fall in order to be considered for these contracts.
Fortunately, it seems organizations are already doing the work toward certification. The majority of our webinar attendees, 65%, said they were “somewhat prepared” with another 12% saying they were “very prepared” for CMMC. For those that aren’t, C3PAOs and registered provider organizations (RPOs) and registered practitioners can be engaged to help contractors get ready for their assessments.
Even with all of that preparation, nearly half of the attendees said they were unsure of their next steps. Dalton said organizations should just focus on the data and maturing their processes, not only producing documents and training people to say certain things because that is not what the DoD is looking for with CMMC.
“What they care about is that you are protecting the data and the networks,” Dalton said. “So don’t worry about passing as much as protecting because if you do that — and you do it well — you will in fact pass and get that certificate.”