Is your organization ready for a CMMC assessment?

Plan and prepare now to help prioritize scheduling your assessment.


The final rule mandating that third-party assessors conduct Cybersecurity Maturity Model Certification (CMMC) assessments is expected to be published by 2025. Although there is a short phase-in period, demand for third-party assessments from CMMC Third-Party Assessment Organizations (C3PAOs) will be significant. Plan and prepare now to help prioritize scheduling your assessment.

Identify the CUI

Review your contracts – do any contain the Controlled Unclassified Information (CUI) clauses DFARS 252.204-7012, -7019, -7020, -7021, or -7024? Check the data you receive from clients or the U.S. government – is any of it marked CUI? If you’re bidding on U.S. government work, review the request for proposal for the same clauses and for any mention of CUI in the statement of work. If in doubt, confirm with the contracting officer or government program manager. Identify which CUI is required for contract performance and the level of assessment required for compliance.

Determine the CMMC level needed

There are three CMMC certification levels:

Level 1 – Contracts containing Federal Contract Information (FCI) require an annual self-assessment by the contractor.

Level 2 – Contracts containing CUI require a third-party assessment for most contractors every three years, with an annual contractor affirmation in each year between assessments.

Level 3 – Select contracts and programs designated by the U.S. government require a Level 2 assessment plus an additional DOD assessment every three years.

Set your assessment scope

The assessment does not have to cover the entire organization. A CMMC assessment covers only the personnel, equipment, and processes involved in processing, storing, and transmitting CUI. Limiting the people, systems, applications, and locations where CUI is handled reduces the assessment scope and improves protection of the CUI.

Identify your technology partner

Assess your organization’s IT/security maturity and capability. Most small and medium-sized organizations lack the capability and capacity to meet the monitoring and reporting requirements of CMMC. Many opt to use a cloud service provider (CSP) or a managed or external service provider (MSP/ESP). More information about selecting an external service provider will appear in the next issue.

Conduct an internal assessment of the NIST SP 800-171r2 controls

Before proceeding to an official CMMC assessment, the organization must conduct an internal assessment of its CMMC processes against the 110 controls and 320 assessment objectives contained in NIST SP 800-171 and remediate any gaps found. This shows your organization where it stands on NIST compliance, identifies strengths and weaknesses, and provides the road map for the third-party assessment. An internal assessment can be conducted by internal staff or outsourced, but the organization and persons who conduct this internal review can’t be the same ones who conduct the final assessment.

Getting help with meeting the CMMC

Trained and certified professionals in the CMMC ecosystem can assist with these efforts:

  • Registered Practitioners and Registered Provider Organizations (RPs and RPOs) – Trained in the implementation of CMMC; they prepare organizations for an assessment.
  • CMMC Certified Professionals and Assessors (CCPs and CCAs) – Trained and certified to conduct official assessments; they may also assist an organization in preparing for the assessment or conduct its internal assessment, but they cannot do both for the same organization.
  • CMMC C3PAOs – Authorized to conduct the official certification assessments using CCPs and CCAs.

The Cyber-AB (accreditation body for CMMC) website has a marketplace for these different professionals.

Develop a System Security Plan

The System Security Plan (SSP) must clearly delineate your cybersecurity policies, processes, and procedures. It is the evidence-based documentation of how each NIST SP 800-171 requirement is met and who is responsible for it. The more complete the SSP, the smoother the CMMC assessment.

Schedule a C3PAO assessment

Once your organization has completed the internal assessment, remediated outstanding requirements, and received management approval to move forward to the official third-party assessment, schedule the assessment with your C3PAO. Select your C3PAO as soon as you determine that you need a CMMC assessment.

C3PAOs cannot provide consultation or recommendations on implementing CMMC compliance, but they can provide guidance on scoping, general cybersecurity concerns, and more. Scheduling will become a challenge once the rule is released, so preparing now will give your organization valuable prioritization. All authorized C3PAOs are listed on the Cyber-AB website (cyberab.org) under the Marketplace section. Choosing a C3PAO can be critical to your organization’s CMMC compliance journey: do not rush the process, ask a lot of questions, and choose carefully.

If you have any questions, please reach out to our team of cybersecurity and assessment professionals.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

https://www.smithers.com/services/audit/cybersecurity-maturity-model-certification

June/July 2024