10.05.21

The CMMC Assessment Process

Why Are Cybersecurity Self-Assessments No Longer Sufficient?

In 2020, the Internet Crime Complaint Center received a staggering 791,790 complaints totaling $4.1 billion in damages, up 69% since 2019. As these attacks continue to accelerate, the Department of Defense (DoD) supply chain industry has been a prime target, many of the most brutal hits occurring in 2021.

Until 2021, companies could conduct self-assessments on their cybersecurity measures by following the NIST SP 800-171 regulations. However, the rapid increase of attacks prompted the Department of Defense to implement Third Party Verification with the Cybersecurity Maturity Model Certification (CMMC). 

up 69%

The CMMC was designed in response to the ineffectiveness of the standards and regulations previously in place. CMMC is a conforming standard with specific, exact, and detailed requirements for their contractors. By the end of 2025, any contractor that wants to keep their status as a supplier with the DoD will need to be CMMC compliant. 

However, any contractor working with the DoD or even as a subcontractor on DoD projects should expect these new requirements to apply to their business sooner rather than later. Organizations must know which CMMC Level they will need to obtain, but any contract will clearly state the project’s required CMMC Level. One thing to note is that anyone that has contracts with the DoD will need some Level of CMMC certification-this could range from anyone in food service to those making weaponry. 

The Assessment Guide: Your Starting Point

As organizations ready themselves for their audit, the best place to start is with the assessment guide. The assessment guide is the document assessors use to conduct CMMC audits. The authoritative sources for all CMMC information including the assessment guides found are on the OUSD CMMC website

These guides were developed collaboratively by the CMMC model team, various industries, assessors from the Defense Contracts Management Agency (DCMA), and the Cybersecurity Maturity Model Accreditation Body (CMMC-AB). Together they scoured through many iterations and the guides were used in mock assessments. Varying viewpoints were considered among many different organizations. CMMC assessments will be conducted on businesses both minuscule and extensive, so assessment guides needed to be accessible for all types of companies.

Once you’ve identified your required CMMC Level, you’ll want to identify all the CUI within your organization next. Organizations already following NIST SP 800-171 won’t have too heavy of a lift. For those organizations that haven’t, this is where you need to start to help you identify the technology that needs to be protected:

  • Identify where the CUI is within your company
  • What are the business processes that handle CUI?
  • What technology supports the CUI?

 

Next, you’ll want to perform a gap assessment and identify the differences between your current state and what you’ll need to be CMMC compliant. You’ll need to keep in mind that the requirements are specific and beyond basic security controls, including documentation, policies, and objective evidence. 

Once you’ve conducted a gap assessment, the next best thing to do is practice and conduct a mock assessment. Beyond conducting self-assessments, you can determine the documentation and policies and the narrative behind those policies. Getting your team comfortable talking and interacting with the security measures will help when it’s time for the actual assessment. 

When Should You Take The Assessment?

Don’t take the assessment until you’re 100% sure you’ll pass. Take a practice test with someone that understands the grading criteria. The focus of CMMC has to do with maturity rather than compliance. It’s not about checking items off a list, it’s about knowing how to keep people and information safe, so when an incident occurs, teams are prepared and know what to do. It’s more than being able to write an incident response report–it’s about knowing how to respond to an incident.

The sections of this assessment aren’t concealed; the exam is the assessment guide. The guide is a lengthy document that takes you through every requirement for every practice and tells you exactly what an assessor will do. You’ll be able to evaluate whether or not you’ve met the requirements or not. 

You’re Ready For The Assessment, Now What?

It’s now time to find a Certified Third Party Organization (C3PAO). To find a C3PAO, go to the accreditation body marketplace. However, the marketplace is still in the process of having C3PAOs ready to certify. Many of them are still in vetting processing; they have met specific security standards and are CMMC compliant. It is up to the Organization Seeking Certification (OSC) to choose which C3PAO they’d like to use and schedule the assessment. Although there aren’t many listed yet, check back frequently for updated information on consultants and assessors. 

 

Sources

https://insights.sei.cmu.edu/blog/follow-the-cui-4-steps-to-starting-your-cmmc-assessment/

https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=650680

https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf

https://cmmcab.org/marketplace/

https://www.youtube.com/watch?v=aVtiRIEouZg&list=PLTwPLYYqvojqbkfYLOOOxboYH4XF_MGJ6

https://www.youtube.com/c/DIBTechTalk/featured