By now, you are familiar with the term CMMC—the DoD’s Cybersecurity Maturity Model Certification, the requirements the Pentagon mandates to protect defense industrial base networks and controlled unclassified information from cyber-attacks. What you may not know is where your company falls in the process. And you might be worried about the costs involved. Navigating and achieving compliance can be a daunting task, even for the security savvy. Let’s see if we can get you started on the process.
Know your cybersecurity level
Without the required level of certification for a particular solicitation, a company will be deemed non-compliant and ineligible for an award.
CMMC defines five cybersecurity maturity levels, ranging from basic cyber hygiene (ML-1) to advanced cybersecurity practices (ML-5). Each level outlines the capabilities, processes and practices required to reduce the risk of a threat actor breaching a company’s cybersecurity defenses, and each level includes everything required by the levels below it.
You can establish which level you will be expected to comply with by considering:
The type of DoD data stored or processed on your networks currently.
The requirements passed down to you from any prime you support.
Requirements specifically spelled out in any new contracts you will be bidding on in the next 12-36 months.
Your competitive positioning and growth strategies.
The majority of companies will require ML-1 initially, with ML-2 as an intermediate step for contracts/programs that will require a higher level of CMMC maturity. ML-1 covers the 17 basic safeguarding practices already required by FAR 52.204-21 for companies handling federal contract information (FCI). Maturity levels 3, 4 or 5 are for companies handling controlled unclassified information (CUI), at least right now; ML-3 incorporates all 110 security requirements of NIST SP 800-171 plus 20 additional practices, so if you are already subject to DFARS 252.204-7012, that is the level to plan for.
Ready by remediation
Small- and medium-sized businesses, and those without cybersecurity expertise on staff, may need outside subject matter experts to determine how they stack up to the required practices. A third-party review can be performed by a registered practitioner organization (RPO). RPOs employ Registered Practitioners who have been trained on CMMC methodologies and processes and who adhere to the CMMC-AB Code of Professional Conduct. The review will identify gaps, remediate any practices that fall short, and generate the reports (system security plan, plans of action, readiness review results) that will be used during your official CMMC assessment. Note that an RPO prepares you for certification but cannot certify you; only a C3PAO can conduct the certification assessment.
The RPO you select should provide an explanation of your gaps and the proposed solutions in terms you can understand, as well as a clear scope of work, estimated costs and a schedule for the work. There are several paths to fixing some of the more common control issues, so it’s up to your RPO to present options and make a case for their recommendations.
A side note about the cloud and remediation
A common security fix for many companies is to move controlled unclassified data and processes to a secure cloud environment. At first, Microsoft was suggesting that the only cloud environment that would be compliant for CUI/ML-3 in the CMMC model would be the Government Community Cloud High, aka GCC High. This is an expensive option for small businesses and may far exceed most of their needs.
As controls and policies have been refined in the last year, more-affordable cloud solutions are being considered for storing most data, and the industry may only need GCC High for specified controlled unclassified information that carries specific restrictions on data sovereignty and on staffing by U.S. persons (export-controlled data under ITAR is the usual driver). Whatever environment you choose, DFARS 252.204-7012 still requires any cloud service that stores or processes CUI to meet at least the FedRAMP Moderate baseline (or equivalent) and to support the clause’s incident-reporting obligations, so confirm that with the provider in writing before migrating. Moving data to the cloud also does not move the endpoints, identities and network segments that touch it out of your assessment scope; document that boundary before the assessor asks for it.
Determine your CMMC costs
Now is a good time to talk about the cost of CMMC. We know that some of the costs associated with the CMMC process will be allowable, but that’s little comfort to small businesses that need to outlay the funds now to bring their systems up to par and get their certification. This is where you’ve got to look past today and consider your company’s future.
The controls for CMMC ML-1 are good practices that we all know we should have been doing by now. Remediation isn’t free but it is an investment in your business that can drive efficiency, improve the employee experience, and ensure that you will be eligible to bid on and be awarded contracts.
You can keep an eye on those remediation costs by choosing a company that explains costs and controls thoroughly so unnecessary “extras” aren’t padding your final bill.
You’re ready? Follow the CMMC Assessment Process
CMMC assessments are scheduled to start this fall. If your systems and policies are all in place and you have contract awards coming up in the next 12 months, or hope to go after new business/partnerships/subcontracts soon, you should register for an assessment as soon as it’s possible. It may be possible to register for a Provisional Assessment now if your company is pursuing one of the CMMC Pilot Contracts. If your contract isn’t renewing for more than a year, it’s OK to wait on the actual certification process and give your policies time to mature; assessors look for evidence that practices have been performed over time, not just that they were written down.
When you’re ready, here’s how things will go:
Register with the CMMC-AB.
Select a CMMC Third Party Assessor Organization (C3PAO) from the CMMC-AB marketplace. Under the CMMC-AB’s conflict-of-interest rules, a C3PAO may not assess an organization it helped prepare, so plan on using a different firm from the RPO that did your remediation.
Your C3PAO will request some initial documentation to review, such as the results of any readiness assessments or self-reviews, the scope boundary of the systems that store or process FCI/CUI, recent certification results, and the Maturity Level sought.
The C3PAO Lead Assessor will review the information and also negotiate terms and costs. Pricing is negotiated between each C3PAO and the company; neither the CMMC-AB nor the DoD sets the pricing. Costs and the timing for the assessment will likely be based on the C3PAO’s staffing ability, the size and complexity of the network architecture being assessed, and the thoroughness of the Readiness Review Report provided.
Finally, the actual review can start. Expect remote and in person interaction as the Lead Assessor conducts a thorough examination.
Your C3PAO will generate a report of their findings and provide a timeline for submission of results to the CMMC-AB. You’ll have 90 days to remediate minor issues that prevented certification; major deficiencies require a new assessment.
After any issues are remediated, the Lead Assessor finalizes the report and submits to the C3PAO.
The C3PAO then performs a Quality Assurance Review of the assessment report and sends the recommended assessment results to CMMC-AB.
As a last step, the CMMC-AB performs an independent Quality Assurance review if the recommendation is to issue a Certification.
CMMC represents a giant leap forward for the contractor industry, but the entire process can take up to six months to complete. It’s important to get started now and not miss critical business opportunities.
Edward Tuorinsky, managing principal of DTS, a government and commercial consulting business, is a Service-Disabled Veteran with nearly two decades of experience in management consulting and information technology services. Derek Kernus, Director of Cyber Security Operations at DTS, holds CISSP and CCSP certifications and has a strong background in IT and government compliance.