CMMC and internal audit connections

Now that the U.S. Department of Defense (DoD) has released its interim Cybersecurity Maturity Model Certification (CMMC) rules and its timeline is becoming clearer, any organizations that work — or would like to work — with the DoD should be completing their CMMC preparation efforts. Before they move toward the CMMC assessment, organizations should employ their internal audit function for assurance of their CMMC readiness.

Because of its independent and objective assurance role, internal audit is positioned to assess whether an organization is taking the steps necessary to appropriately safeguard the DoD’s data at the CMMC maturity level that will soon be required to compete and win certain DoD contracts.

Contractors that only have access to federal contract information (FCI) and do not foresee pursuing contracts with any kind of data beyond FCI need only to meet and maintain the 17 practice requirements of CMMC Level 1, which map directly to existing Federal Acquisition Regulation (FAR) 52.204-21 requirements. Contractors already working with controlled unclassified information (CUI) or that would like to do so in the future must put into place the 130 practices and three processes required by CMMC Level 3.

Understanding where FCI and CUI data exist in your environment is an important first step to determine the level and scope that needs to be covered by your CMMC. This is where the organization’s internal audit function or an objective third party can help to confirm and/or recommend how management sets the boundaries on where FCI and CUI exist within the organization’s environment. Limiting the scope winnows down where robust CMMC-required practices must be applied, which could speed up the CMMC readiness process.

Internal audit may want to support management’s CMMC readiness efforts by using a phased approach. The following describes a suggested scope and phasing strategy. (Note: The approach below applies to organizations seeking CMMC Level 3 certification.)

Phase one

Once management begins to feel confident that the FCI and CUI are appropriately covered by the scope they intend to have certified, it is time to consider involving internal audit with the following:

Governance

(Like other initiatives, CMMC requires the right engagement from senior leaders to drive the process maturity required to comply with CMMC Level 2 and above)

  • Understand how the organization has managed its CMMC readiness efforts and whether the right focus, attention and resources are in place
  • Confirm the active participation in the readiness effort of all key functions that will be impacted by CMMC

Scope and level verification

(The scope that you intend to have certified should align to and follow where FCI and CUI are stored, processed and transmitted.)

  • Validate the appropriateness of the CMMC level and scope that the organization intends to have certified; understand whether a data enclave or otherwise segmented scope should be employed because CUI is only stored in a portion of the company’s systems and doing so is more time- or cost-efficient
  • Inquire about and review information, such as associated commercial and government entity (CAGE) codes, that the organization used during its prior self-assessments against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” or other reviews, to ensure the company can clearly articulate the scope it intends to have certified and how it relates to the broader organization
  • Review and provide feedback related to the CMMC level of compliance needed or desired
  • Review the organization’s processes and supporting evidence for representing that FCI and CUI exist only within the scope of the environment defined for CMMC

FCI/CUI tracking and inventory

(An incomplete understanding of where FCI and CUI exist could result in a certification that does not adequately address contractual requirements.)

  • Understand where FCI and CUI exist within the organization’s environment and whether policies, procedures and processes are in place to track, monitor and ensure that data is not stored out of scope; an incomplete understanding of where FCI and CUI exist could result in a scope problem later
  • Conduct inquiry of operations, product management, project/customer-facing/contract teams and/or service delivery leads to validate where FCI and CUI exist and compare those results to the known inventory
  • Provide recommendations to improve current FCI and CUI tracking and monitoring practices

Phase two

When internal audit and management are comfortable with the scope, the organization now should focus on performing a gap assessment of the 130 practices and three processes required for CMMC Level 3. It should also confirm that business processes are ready to handle changes that might result from CMMC.

Gap assessment

(Keep in mind that of CMMC Level 3’s 130 practice requirements, 110 of them are derived from the NIST SP 800-171 framework, a self-assessment against which was previously required and is the subject of the new Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 clause.)

  • Review mapping of existing controls to the CMMC model and identify any gaps
  • Review available evidence in support of the 130 practices and test whether the practices are designed and operating effectively; where issues are identified, provide recommendations for remediating the gaps
  • Confirm that the Level 3-required processes are in place for all 17 required domains of CMMC and evaluate the evidence that supports those processes
  • Compare those gaps with the associated score that management reports under the new requirements of DFARS 252.204-7019

Supply chain

(CMMC requirements also extend to an organization’s subcontractors.)

  • Understand the organization’s efforts to risk-rank subcontractors and teaming partners according to which of them would cause the greatest concern if they failed to achieve CMMC
  • Evaluate management’s efforts to determine and monitor subcontractors’ progress and readiness to meet CMMC requirements
  • Review the organization’s readiness to monitor the existence of CMMC-related clauses and flow down those requirements

Bid and proposal

(CMMC will affect how an organization responds to a request for information (RFI) or request for proposal (RFP).)

  • Assess the organization’s plans to respond and address RFI and RFP requirements pertaining to CMMC
  • Ascertain implications of CMMC on the bid and proposal process, including how to:
  1. Determine whether the project scope and/or proposed solution (i.e., the content of an RFP submission) aligns with the current CMMC scope; if it doesn't, the organization may need to adjust its CMMC scope and get recertified and/or change the proposed solution to better align with the environment that has already been certified
  2. Estimate and include costs related to CMMC
  3. Ensure protocols are in place to effectively team with prime contractors and subcontractors that have met the required CMMC level to win the contract
  • Document results and any recommendations for enhancing the bid and proposal process to meet CMMC expectations

Phase three

Once the organization has a solid understanding of where it stands in regard to its practices and business processes, internal audit can review and provide feedback in a real-time fashion on the remediation plan.

Remediation

(Based on the results of the initial gap assessment)

  • Review and provide feedback on management’s plan to close existing gaps
  • Provide advice and feedback to encourage management’s efforts to formalize processes and controls and make them habitual and systematized
  • Make independent assessments and provide assurance to executives and the governing board related to the organization’s CMMC compliance efforts

Phase four (ongoing)

Finally, the organization should remember that after it achieves its desired level of CMMC maturity, it must work to stay there, which is where the objective perspective of internal audit or a third party could be of continuing help.

Continuous monitoring

(As organizations change and grow, so does their technology, and such changes will affect their CMMC status.)

  • Act as (or assist in identifying) the responsible party to monitor and maintain the CMMC practice requirements through a regime of regular testing; for example, establish a rotational program where a portion of the 130 practices and three processes of Level 3 are assessed each year to provide confidence that the required practices remain in place and/or detect issues early
  • Assist management as they consider or endeavor to reach the next CMMC maturity level
  • Provide feedback on solicitations and proposals where the scope might not ideally align to the scope from the CMMC certification
  • Address CMMC-related risks in teaming or joint business offerings or with subcontractors as risks arise

Regardless of what avenue the organization takes in preparing for CMMC, management should understand that, because CMMC presents a key risk, government contractors should expect to engage internal audit or some other objective oversight function in obtaining and maintaining CMMC compliance. Internal audit should be ready, by either developing or engaging a strong capability related to CMMC, so it can provide effective support as outlined above or similarly. If the organization fails to achieve the required CMMC level on its first try, it may need to go to the back of the line to get a second assessment, delaying the possibility of being awarded certain contracts. On the other hand, if the organization makes effective use of its available objective resources and achieves CMMC early, it will have an advantage over competitors and may even win additional work.

However the organization decides to prepare, it should not underestimate the weight of the CMMC assessment and, if it needs to work with a third party, the organization should make sure that third party has experience with not only cybersecurity, but also government contracting, and most helpfully with CMMC directly. Knowing the CMMC rules and regulations as well as the broader business implications of government contracting can help avoid unnecessary risk and expensive delays.

Achieve your CMMC and compliance objectives by drawing on Baker Tilly’s extensive cybersecurity, government contracting and technology risk experience. Connect with us, or fill out our questionnaire so we can understand how to best serve you.

Matt Gilbert
Principal, CISA, CRISC