What are the seven tasks to do now to prepare for CMMC Certification?
If you are a DoD contractor, now is the time to take action to improve your organization's cybersecurity. With the release of CMMC 2.0, DoD has delivered a clear message that it's getting serious about cybersecurity. No organization should wait until the new framework is a mandatory requirement. What can you do now to ensure you can comply?
Understand that audits will continue while the rulemaking process for CMMC 2.0 runs its course. The rulemaking organization (DIBCAC) has announced plans to increase the size of its audit staff in response to the pressing need to improve security across the supplier community. The lowest-hanging fruit for DIBCAC is to simply check whether an organization has submitted its NIST SP 800-171 self-assessment score (SPRS score) as required: reports are that DIBCAC is steadily increasing such spot checks. Any organization that doesn't have an SPRS score on file is sending a clear and problematic message about its cybersecurity capabilities to both DoD and prime contractors assessing potential subcontractors for teaming relationships.
In this post, we provide seven tasks that you can do now that will prepare you for CMMC certification. Some of these can be done in less than 10 minutes; others will take days to complete. We encourage you not to wait: get started now.
What are the seven tasks to do now to get prepared for CMMC 2.0 certification?
Task 1: Familiarize Yourself with the CMMC 2.0 Framework
Continue to stay abreast of the developments by regularly checking the DoD's CMMC website and the Cyber AB's website. These two official sites should serve as your primary sources for all the latest CMMC information.
Task 2: Determine the CMMC Level Your Organization Needs to Achieve
Review your current DoD contracts to determine if your organization is already handling federal contract information (FCI) or controlled unclassified information (CUI) and to gain insight as to whether DoD could consider the work you do to be critical to national security and, therefore, a prioritized acquisition. If that's the case, then you most likely will be required to achieve CMMC Level 2 and undergo a C3PAO assessment once every three years. DoD examples of prioritized acquisitions include contracts for developing parts for a weapons system, or for a command-and-control communications system.
The DIBCAC is advising organizations to prepare for CMMC Level 2 as if they will need to undergo third-party assessments. That's simply because the mindset for self-assessment should not be any different than if you were preparing for an external audit. In either scenario, the bar is set at the same level and the same cybersecurity regulations apply.
CMMC level 3 (Expert) is for defense contractors and university researchers that work with CUI on DoD's highest priority programs. Cybersecurity requirements for these companies have not yet been finalized by DoD.
Task 3: Scope Your Compliance Boundary
Any defense contractor or university researcher hoping to achieve the new CMMC Level 2 will need to meet NIST SP 800-171's 110 security controls. The question is, how can an organization determine the scope of its compliance project and figure out which of its users, systems, devices, and processes are subject to 800-171? We know that this standard focuses on the protection of CUI. Therefore, organizations that work with CUI need to determine who in their organization accesses CUI; which devices process CUI; which organizational processes are related to the protection of CUI; and, importantly, how these users, systems and devices can be segregated into an enclave separate from the non-CUI part of the organization. The DoD's guidance regarding defining the compliance boundary, CMMC Assessment Scope: Level 2, Version 2.0, makes it clear that CUI enclaves will be acceptable.
If all your organization's work is on DoD contracts and many of them involve CUI, then it makes sense to include your entire organization in scope for NIST SP 800-171 compliance. If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirement as much as is reasonable.
Task 4: Conduct a NIST SP 800-171 Self-Assessment
Once you determine the CMMC level you need to achieve and the scope of your compliance boundary, the next step is to examine the current state of your cybersecurity and identify gaps between your organization's capabilities and the requirements for the CMMC level you want to obtain. You may need to work with an outside consultant to complete this gap analysis.
If your organization is aiming for CMMC Level 2, the obvious place to begin your gap analysis is NIST SP 800-171, given that the new Level 2 security controls will mirror NIST SP 800-171's security controls. And while CMMC 2.0 won't be effective until the federal rulemaking process is complete, DoD has already stepped up enforcement of NIST SP 800-171. Specifically, while DFARS 252.204-7012 has required implementation of NIST 800-171 controls since early 2018, DoD had until recently permitted self-attestation of compliance. The DoD's November 2020 DFARS Interim Rule changed that, and now contractors are required to report the results of their NIST SP 800-171 self-assessments to DoD's SPRS system.
Assess Commercial Cloud Options
If your organization has migrated to the cloud, standard commercial cloud services such as Microsoft 365 Commercial are not CMMC compliant, so you need to assess alternatives and confirm that they meet CMMC Level 2 requirements. Specifically, cloud service providers (CSPs) should meet DFARS 252.204-7012 (c)-(g). Briefly, those requirements are:
- (c) cyber incident reporting to the DoD Cyber Crime Center (DC3)
- (d) malicious software, if discovered, to be submitted to DC3
- (e) media preservation and protection for 90 days
- (f) provide DC3 access to additional information if requested
- (g) assist DoD with cyber incident damage assessment if requested
The CSP must also meet the FedRAMP Moderate Baseline (or demonstrate equivalency) or a higher baseline. FedRAMP stands for the Federal Risk and Authorization Management Program, and "Moderate Baseline" is an official certification within the FedRAMP program. This means that contractors need to confirm that their CSP is either FedRAMP Moderate Baseline authorized or that it can demonstrate equivalency.
The federal rulemaking process is on track to finalize the November 2020 DFARS Interim Rule into a Final Rule in early 2023. The imminent Final Rule is a clear signal of DoD's intent to enforce defense contractors' compliance with NIST SP 800-171 before CMMC 2.0 goes into effect.
Task 5: Complete a System Security Plan and POA&M if Required
The soon-to-be DFARS Final Rule stipulates that:
- Contractors must create a System Security Plan (SSP) as a prerequisite for further considerations for DoD work.
- DoD's NIST SP 800-171 Assessment Methodology must be followed and all contractors who handle CUI must perform at least a Basic level self-assessment.
- DoD's assessment methodology assigns each of the 110 NIST SP 800-171 controls a weight of one, three, or five points. Scoring starts at the lowest possible score of -203. One, three or five points are earned for each control met, all the way up to the maximum of 110.
- Self-assessment scores must be filed in the DoD's SPRS system by the time of contract award, and your security program must be maintained for the duration of the contract.
Once your SSP is in place, if the self-assessment score falls below 110, contractors are required to create a POA&M and indicate to the DoD by what date the security gaps will be remediated and a score of 110 will be achieved.
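As an added illustration of the scoring described in Task 5 (this is example code written for this post, not a DoD tool), the script below computes a self-assessment score as 110 minus the weight of each unmet control, decides whether a POA&M is needed, and orders the gaps so the heaviest ones are remediated first. The control identifiers and weights in the sample are constructed for the example and are not the methodology's real per-control weights.

```python
# Added example: NIST SP 800-171 DoD Assessment Methodology scoring as the
# post describes it. Control ids and weights in SAMPLE are constructed, not
# the official per-control weights.
from dataclasses import dataclass

MAX_SCORE = 110          # every one of the 110 controls met
MIN_SCORE = -203         # lowest possible score under the methodology
ALLOWED_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Control:
    control_id: str      # e.g. "3.1.1" (constructed sample id)
    weight: int          # 1, 3 or 5 points
    implemented: bool


def validate(controls):
    """Reject weights outside {1, 3, 5} and duplicate control ids."""
    seen = set()
    for c in controls:
        if c.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not 1, 3 or 5")
        if c.control_id in seen:
            raise ValueError(f"duplicate control id {c.control_id}")
        seen.add(c.control_id)


def sprs_score(controls):
    """110 minus the weight of every unmet control; never below -203."""
    validate(controls)
    score = MAX_SCORE - sum(c.weight for c in controls if not c.implemented)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the methodology's maximum")
    return score


def poam_required(controls):
    """A POA&M is required whenever the score is below 110."""
    return sprs_score(controls) < MAX_SCORE


def remediation_order(controls):
    """Unmet controls, heaviest first: the order that raises the score fastest."""
    gaps = [c for c in controls if not c.implemented]
    return [c.control_id for c in sorted(gaps, key=lambda c: (-c.weight, c.control_id))]


# Constructed sample: four controls assessed, two unmet (5 + 1 = 6 points off).
SAMPLE = [
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, False),
    Control("3.4.1", 3, True),
    Control("3.8.3", 1, False),
]
```

Running `sprs_score(SAMPLE)` on the constructed sample yields 104, so `poam_required(SAMPLE)` is true and `remediation_order(SAMPLE)` lists the five-point gap before the one-point gap.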
Task 6: Budget for the Costs of Achieving CMMC Certification
The DoD has indicated that the cost of achieving CMMC certification will be allowable, meaning that the cost can be built into organizations' bids for defense contracts. Your organization will need to incur the cost up front, though, and will recoup it through your indirect rates, meaning your costs can be recovered only if you win a contract. Note too that the DFARS Interim Rule published in September 2020 had this to say about the costs of CMMC certification at that point in the program's evolution (when DoD had added 23 security requirements on top of NIST 800-171's 110 requirements): "Contractors pursuing ... [the old CMMC] level 3 Certification should have already implemented the 110 existing NIST SP 800-171 security requirements. Therefore, the estimated engineering cost per small entity is associated with the implementation of 23 new requirements (20 CMMC practices and 3 CMMC processes)."
The extent to which DoD will consider the costs of CMMC certification to be allowable is unknown at this point. As part of the rulemaking process, DoD will publish a comprehensive cost analysis associated with each CMMC 2.0 level, which should shed more light on what organizations in the DoD industrial base should expect and budget for.
Task 7: Identify Cybersecurity Partners to Get the Help You Need
Depending on your organization's security capabilities, you may consider hiring outside help. Many cybersecurity companies have devoted extensive time and resources to gaining a deep understanding of the NIST SP 800-171 and CMMC frameworks and have developed services to help organizations in the defense supply chain, many of which understandably lack the internal security expertise needed to achieve CMMC Level 2. In a related blog, Utilizing Managed Services for Fractional CISO Support, we described how to hire a managed service provider (MSP) that can provide fractional CISO services to support your cybersecurity initiative. They can assist your organization by helping you conduct a self-assessment and gap analysis and by providing help completing your required SSP.
Conclusion
Attaining CMMC certification requires commitment and investment that pays off when it comes time to receive an accreditation. Government agencies trust contractors with CMMC certification to protect their data because they know about the rigorous security controls that have been put in place to secure that data. Gaining that trust via an accreditation like CMMC demonstrates the company's commitment to security and strengthens its value as a trusted partner.
In a related blog, Utilizing Managed Services for Fractional CISO Support, we discuss how to outsource the entire compliance process by utilizing managed services. Managed service providers (MSPs), such as AtWork Systems, provide both the governance, risk, and compliance (GRC) tools and the security resources needed to continuously assess and monitor compliance. Selecting the right MSP can provide a significant step forward, allowing the contractor to leverage processes and systems that have already been certified.
Learn More About AtWork Systems
AtWork Systems is an Arlington, Virginia-based managed services and software development company. Its principals have decades of experience doing business with and working for federal, state, and local government. They developed OneLynk as a configurable and scalable SaaS platform that digitizes and optimizes processes while providing just-in-time business intelligence for decision making. OneLynk contains a suite of easily configurable web applications for automating and monitoring business transactions, including human capital management, accounting, timekeeping, expense management, procurement, contracts and project management, payroll services and more. Discover the latest ERP system for government contractors at www.atworksys.com.