Organizations seeking lucrative DoD contracts need to meet rigorous regulatory guidelines for security. Preparing for a CMMC assessment requires scoping, implementing controls, testing for readiness, securing an assessment partner (if needed), and locking in the actual assessment.
Is your organization ready to assess for DoD compliance? Request a consultation to find out!
Five Steps to CMMC 2.0 Assessment Prep
The Department of Defense (DoD) will soon require all contractors working with it to achieve Cybersecurity Maturity Model Certification (CMMC). That means preparing for, conducting, and successfully reporting on a CMMC implementation up to a predetermined Level of compliance.
Organizations preparing for CMMC 2.0 assessments, especially from scratch, need to:
- Understand their CMMC Level and the scope it entails
- Implement the required controls for their specific Level
- Conduct readiness assessments and adjust, as needed
- Secure an assessment partner, per their Level requirement
- Schedule the authorized assessment and reporting process
Working with a qualified assessor or advisor is the best way to facilitate the entire CMMC assessment process. In some cases, working with outside assessors is actually required.
Step 1: Know Your Level and Scope
The first major hurdle to CMMC 2.0 compliance is knowing which of its requirements apply to your organization. This is because, at different Levels, there are different controls to install and different assessment protocols. So, scoping starts with understanding which Level you’re at.
At present, the CMMC framework groups all eligible organizations into Level 1, 2, or 3.
The difference in these organizations is the kind and amount of sensitive data they process, along with their risk environments. At Level 1, the primary data class protected is Federal Contract Information (FCI). At Levels 2 and 3, it’s Controlled Unclassified Information (CUI).
In earlier versions of the CMMC framework, there were five Maturity Levels that referred to “Processes” assessed for, beyond the actual Practices implemented. These ranged from “Performed” at Level 1 to “Optimizing” at Level 5. In CMMC 2.0, the scope has been condensed into three Levels that roughly approximate Levels 1, 3, and 5, respectively, in CMMC v1.0.
One straightforward way to scope for an assessment is to locate the Level requirement on existing or potential DoD contracts—in the future, all DoD contracts will require CMMC.
Step 2: Implement Required Controls
Next, DoD contractors need to actually install the controls required for their CMMC Level. To appreciate what these controls are, it’s helpful to understand their original source material.
The CMMC framework is based primarily on the National Institute for Standards and Technology (NIST) Special Publication 800-171 (SP 800-171). NIST SP 800-171 is explicitly designed to protect CUI across various governmental agencies and their contractors. The supplemental SP 800-172 builds on these protections and accounts for Advanced Persistent Threats (APTs).
In terms of CMMC compliance, each Level’s requirements break down as follows:
- Level 1 Controls – Organizations install 15 controls selected from NIST SP 800-171, corresponding to “Basic” Security from CMMC v1.0 and preventing risks to FCI.
- Level 2 Controls – Organizations install 110 controls representing the entirety of SP 800-171 for “Good” Security for CUI from CMMC v1.0 and stronger protections for FCI.
- Level 3 Controls – Organizations install all 110 controls from Level 2 plus an as-yet undetermined subset of controls from NIST SP 800-172 to combat APTs to CUI/FCI.
Installing all that’s required sets an organization up to assess seamlessly.
Step 3: Conduct Readiness Assessments
This next step is optional, but organizations seeking CMMC compliance for the first time should definitely prioritize it. A CMMC readiness assessment is an informal process of running through the requirements of an assessment prior to the actual audit to ensure that practices have been installed correctly and will stand up to scrutiny that the official assessors will eventually apply.
Critically, the point of readiness assessments is to determine how much work (if any) is needed in remediating or adjusting a deployment in preparation for the official assessment. A candidate might assume that its deployment is compliant, only to uncover during a readiness test that several controls actually do not hold up under pressure. That’s when their value is most clear.
There are assessment guides available for CMMC Level 1 and CMMC Level 2 for organizations considering this option. Level 3 is still under development. For organizations that require third-party or government assessments (see below), it may be beneficial to conduct readiness or other preliminary assessments with those parties (if possible) rather than purely internally.
Step 4: Secure an Assessment Partner
Once you’ve scoped and stalled controls, you’ll need to secure the means of your official CMMC 2.0 assessment. As with implementation, there are different requirements at each CMMC Level:
- Level 1 Assessments – Organizations conduct self-assessments annually and affirm the results of their assessments directly with the DoD Chief Information Officer (CIO).
- Level 2 Assessments – Organizations work with a Certified Third Party Assessment Organization (C3PAO) qualified by the Cyber AB to conduct triennial assessments with annual affirmations. Select organizations are eligible for Self-Assessment at Level 2.
- Level 3 Assessments – Organizations work with as-yet undetermined governmental agencies to conduct government-led assessments triennially with annual affirmation.
It should be noted that, for organizations at Level 2 who require third-party-led assessments, working with a Cyber AB qualified C3PAO is the only way to satisfy this mandate. The Cyber AB’s vetting process requires these assessors to undergo rigorous training, including proving to various DoD stakeholders that they are compliant with CMMC 2.0 up to Level 2 standards.
Additionally, organizations eligible for CMMC self assessment should still consider working with an assessor or advisor organization to ensure long-term compliance as operations scale up.
Step 5: Set Up Your Authorized Assessment
The final step to prepare for CMMC security assessment should be straightforward, assuming that the others have been followed carefully. Organizations should work with their advisors or assessment partners, if using, to establish a realistic timeline within which to complete the assessment. This includes accounting for remediation, if needed, along with reporting.
In terms of finding an assessment partner, C3PAOs—like RSI Security—are listed by the Cyber AB. All C3PAOs are qualified in the same ways, but they do not all offer the same value or functionality to clients. Vetting C3PAOs based on organization-specific criteria is critical.
Assessment timelines vary widely depending on the organization being assessed, the professional(s) conducting the assessment, the Level, and many other factors The assessment proper often takes multiple months to complete, as assessors need to analyze every element of the candidate’s IT infrastructure. Overall, it can take over a year from the initial preparation through the official reporting. It’s highly recommended to contact assessors as soon as possible.
Organizations seeking DoD certification should also consider whether and how their assessment partners can facilitate compliance with other applicable frameworks.
Facilitate Your CMMC 2.0 Assessment Process
CMMC compliance has gone through several changes over the past four years. And, while many of the updates leading up to version 2.0 have been in the service of simplification, it is still a challenging framework for many organizations to understand, let alone implement and assess.
Hence the value of qualified CMMC advisor and assessor organizations, like RSI Security.
RSI Security has been providing DoD assessment prep services to organizations since before the CMMC was developed. Our experts have an intimate knowledge of the NIST frameworks on which CMMC was built, and we’re committed to helping your organization rethink its security and streamline its implementation and assessments to ensure long-term compliance.
To learn more about our CMMC assessment services, contact RSI Security today!