The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements are not just inevitable; they are a few short months away from enactment. As recently as last week, officials from the DoD re-confirmed that CMMC 2.0 is expected to pass the rulemaking stage by March 2023, meaning the new regulations will start appearing in DoD contracts in May 2023.
For the skeptics, the days of “let’s wait and see” are over. While there’s a chance of slight modifications to the proposed rules, most of us in the industry expect the vast majority of the proposed rules to become requirements for all contractors going forward. And in the near future, we expect other agencies to adopt similar requirements for their contractors, with states following suit to various degrees.
Even now, absent formal CMMC requirements in DoD contracts, a number of contractors are finding for the first time that their contracts require the submission of Supplier Performance Risk System (SPRS) scores – essentially a self-evaluation of the same NIST 800-171 requirements that appear in the CMMC.
What do you need to do, and when should you start? Here are the steps we suggest.
Six Months Before a Formal CMMC Assessment: Gap Assessment
To understand what you should do months before a CMMC assessment, it is imperative to first understand that the formal CMMC assessment, performed by a Certified Third-Party CMMC Assessment Organization (C3PAO), does not have an advisory aspect. In other words, the C3PAO will not provide advice on how your organization can “pass” the assessment. When your organization enters the formal assessment stage, it is tested, and either passes or fails. The assessment is essentially the final exam.
For this reason, you don’t want to head into the formal CMMC assessment without an in-depth understanding of what your specific organization, with its unique infrastructure and network, needs to do or adopt in order to comply with CMMC requirements. For most DoD contractors – those that handle or create Controlled Unclassified Information (CUI) – there are 110 cybersecurity “controls” that will be tested using guidance from NIST SP 800-171. The worst thing you can do as an organization is head into the final exam without studying and knowing how your organization stands with regard to the 110 controls.
A Gap Assessment is what gives you that knowledge. Performed several months in advance of the formal assessment – we recommend six months – a Gap Assessment includes an analysis of your organization on all 110 controls, and it results in formal recommendations that your organization can adopt in order to be best prepared.
Can you hire anyone who proclaims to have CMMC knowledge to help you with the Gap Assessment? Sure. But we recommend retaining someone who has been certified by the DoD through training and testing. An entity that has aquired that certification is called a Registered Provider Organization, or RPO, and an individual with the certification is called a Registered Practitioner (RP). You can search the DoD-authorized CyberAB Marketplate for a complete listing of RPs and RPOs. Captiva is proudly an RPO and candidate C3PAO, and employs RPs as well as Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs).
Two to Five Months Before the Formal Assessment: Remediations
Once your Gap Assessment has identified your weaknesses, you enter what is called the “remediation” stage. During this stage, your organization solidifies and fortifies the parts of its network and administration that may be lacking in one or more of the 110 controls.
An ideal Gap Assessment will make recommendations on how to better meet those 110 controls. But we caution you to be wary of those that recommend significant hardware purchases, particularly if the company that performed the Gap Assessment just happens to sell that hardware. For the vast majority of controls, solutions can be found with policy changes and software implementations. In the event your organization was told otherwise, we would welcome the opportunity to provide you with a second opinion.
Notably, we are recommending five months (or more) for your organization to get through the remediation stage. While this is not an absolute timeframe, it does provide advantages. First, it gives your organization time to implement the changes. Sometimes, that includes training employees and executives, and that training takes time. In other cases, it could require the implementation of new products and software that require a learning curve. But perhaps most importantly, it allows your organization to budget the process over a period of months. If you are a small company, having that budgeting time could make the difference between implementation and a government contract, and having to wait out for a season. As a fellow small business, we identify with your desire to go after government contracts despite your small business status. Allow us to help you in the process.
Formal CMMC Assessment with an Authorized C3PAO
When your organization is ready for the “final exam,” it’s time to schedule the formal Assessment. If you are what the DoD considers a Level 2 contractor – one that handles CUI – you will need to work with an authorized C3PAO to achieve a Level 2 CMMC Certification. This is required before you will be permitted to bid on any DoD contracts that have this prerequisite.
You can find authorized C3PAOs at the same DoD-sanctioned Marketplace. You should never use any organization other than those listed, because their “certification” will mean nothing to the DoD.
Given the small number of C3PAOs that currently exist (less than 30 at the time of this writing), it is important to do your research early and explore options long before you hope to bid on DoD contracts. As mentioned, Captiva is a C3PAO candidate, and currently works with another C3PAO to help our clients seeking certification. Let us know if we can be of service in your endeavors.