Self-assessment has long been a staple of regulatory compliance programs. Companies take the initiative to review and audit the systems and procedures they are responsible for, and then forward the results to the regulatory body overseeing the program. The problem with this model lies in the fact that not all parties applying for certification can be trusted to accurately report the nature of those assessments. Moreover, even applicants who are 100 percent honest may underestimate the importance or complexity of the processes necessary to achieve true compliance.
To preserve the integrity of the cyber security infrastructure across the collective DIB, the DOD has implemented a compliance framework that requires certification via CMMC third-party assessment organizations (C3PAOs). Accredited by the CMMC Accreditation Body (CMMC-AB), which operates independent of the US government, these organizations perform on-site assessments that demonstrate whether a given contractor has met the requirements necessary to achieve certification based on the rules defined by the CMMC compliance model.
Analyzing The Assessment Process
CMMC assessment involves a thorough evaluation of the mechanisms implemented to safeguard sensitive data. These assessments will specifically target controlled unclassified information (CUI). Any other information, even data sets protected under compliance frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or Trade Agreement Act (TAA), is of little relevance. The importance of such information will ultimately be defined by its alignment with CMMC certification.
While the specifics of the auditing process have yet to be revealed, our familiarity with regulatory compliance programs across the cyber security landscape gives us an idea of what CMMC assessment should look like.
Assessment of the IT Infrastructure
In most cases, the auditor will arrange a meeting with the individual that heads up the company’s cyber security operations. Because some firms outsource IT security to third-party specialists, C3PAO officials may review the credentials and responsibilities of the security contact. This initial assessment is performed to validate the individual’s level of competence and ability to efficiently manage the infrastructure.
Once the contact’s security prowess has been validated, the auditor will perform a comprehensive evaluation of the infrastructure and the scope defined by DOD standards. It is not uncommon for auditors to question various IT components deemed essential to the operation. In the case of CMMC, particular emphasis will be placed on CUI. As such, any system that transmits or stores this information is significant.
Assessment of Existing Security Practices
One of the most important aspects of the auditing process is a thorough evaluation of the security mechanisms currently in place. The objective here is determining whether the company has taken the measures to protect the CUI covered by CMMC. Depending on the contractor’s level of preparedness, the security officer may be informed that significant changes are required. The slightest inconsistency could be considered a hole that renders the infrastructure vulnerable to security threats.
Process Validation
Third-party auditors must confirm that the security measures specified have been properly implemented. How this analysis is conducted will be determined by the company’s desired CMMC level, as well as the security control under evaluation. For example, the auditor may request to review a company-wide password policy across protected databases.
In the case of technical processes, a hands-on demonstration may be required to illustrate the capabilities of the systems that facilitate those specific functions. The inability to produce viable evidence could result in violations, or even legal repercussions should the action be deemed dishonest, or a purposeful misrepresentation of the implementation in question.
Audit Report
After conducting an extensive review of the security environment, the auditor will issue a documented report of the findings. In determining the company’s level of compliance, the report will highlight performance in each assessment area. Keep in mind that any noted issues does not guarantee a failed audit. In fact, it is fairly common for audits to yield faults, particularly when new standards are introduced. Most assessments offer a threshold of allowable failure, which is typically based on whether the fault compromises protected data.
Acing the CMMC assessment is a big win for those seeking certification — but not an invitation to relax. Per the DOD, the framework is an evolving standard that will likely demand considerable modifications as new security threats emerge. With a clear understanding of the process, contractors can make preparations that greatly improve their prospects of obtaining that coveted certification.