Now that the U.S. Department of Defense (DoD) has released its interim Cybersecurity Maturity Model Certification (CMMC) rule and the timeline is becoming clearer, any organization that works, or would like to work, with the DoD should be completing its CMMC preparation. Before moving toward the CMMC assessment, organizations should use their internal audit function to gain assurance of their CMMC readiness.
Because of its independent and objective assurance role, internal audit is well positioned to assess whether an organization is taking the steps necessary to safeguard DoD data at the CMMC maturity level that will soon be required to compete for and win certain DoD contracts.
Contractors that only have access to federal contract information (FCI) and do not foresee pursuing contracts involving any data beyond FCI need only meet and maintain the 17 practice requirements of CMMC Level 1, which map directly to the existing Federal Acquisition Regulation (FAR) 52.204-21 requirements. Contractors already working with controlled unclassified information (CUI), or that would like to do so in the future, must put in place the 130 practices and three processes required by CMMC Level 3.
Understanding where FCI and CUI exist in your environment is an important first step in determining the level and scope that your CMMC certification needs to cover. This is where the organization's internal audit function or an objective third party can help confirm, or recommend, how management sets the boundaries of where FCI and CUI reside within the environment. Limiting the scope narrows where the more robust CMMC-required practices must be applied, which can speed up the CMMC readiness process.
Internal audit may want to support management’s CMMC readiness efforts by using a phased approach. The following describes a suggested scope and phasing strategy. (Note: The approach below applies to organizations seeking CMMC Level 3 certification.):
Once management begins to feel confident that the FCI and CUI are appropriately covered by the scope it intends to have certified, it is time to consider involving internal audit with the following:
(Like other initiatives, CMMC requires the right engagement from senior leaders to drive the process maturity required to comply with CMMC Level 2 and above.)
(The scope that you intend to have certified should align with and follow where FCI and CUI are stored, processed and transmitted.)
(An incomplete understanding of where FCI and CUI exist could result in a certification that does not adequately address contractual requirements.)
When internal audit and management are comfortable with the scope, the organization should now focus on performing a gap assessment of the 130 practices and three processes required for CMMC Level 3. It should also confirm that its business processes are ready to handle the changes that might result from CMMC.
(Keep in mind that of CMMC Level 3's 130 practice requirements, 110 are derived from the NIST SP 800-171 framework, against which a self-assessment was already required and which is the subject of the new Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 clause. The remaining 20 practices are additional to NIST SP 800-171, so an existing 800-171 self-assessment does not cover all of Level 3.)
(CMMC requirements also flow down to an organization's subcontractors, which must hold the CMMC level appropriate to the FCI or CUI shared with them.)
(CMMC will affect how an organization responds to a request for information (RFI) or request for proposal (RFP).)
Once the organization has a solid understanding of where it stands with respect to its practices and business processes, internal audit can review the remediation plan and provide feedback as it is developed.
(Based on the results of the initial gap assessment)
Finally, the organization should remember that after it achieves its desired level of CMMC maturity, it must work to stay there, which is where the objective perspective of internal audit or a third party can be of continuing help.
(As organizations change and grow, so does their technology, and those changes will affect their CMMC status.)
Regardless of the avenue the organization takes in preparing for CMMC, management should recognize that CMMC presents a key risk, and government contractors should therefore expect to engage internal audit or another objective oversight function in obtaining and maintaining CMMC compliance. Internal audit should be ready, by either developing or engaging a strong CMMC capability, to provide effective support along the lines outlined above. If the organization fails to achieve the required CMMC level on its first attempt, it may have to go to the back of the line for a second assessment, delaying the possibility of being awarded certain contracts. On the other hand, if the organization makes effective use of its available objective resources and achieves CMMC early, it will have an advantage over competitors and may even win additional work.
However the organization decides to prepare, it should not underestimate the weight of the CMMC assessment, and if it needs to work with a third party, it should make sure that the third party has experience not only with cybersecurity but also with government contracting and, ideally, with CMMC itself. Knowing the CMMC rules and regulations, as well as the broader business implications of government contracting, can help avoid unnecessary risk and expensive delays.
Achieve your CMMC and compliance objectives by drawing on Baker Tilly’s extensive cybersecurity, government contracting and technology risk experience. Connect with us, or fill out our questionnaire so we can understand how to best serve you.