If you have had any dealings with the DoD in the past few years, chances are you have heard of the new Cybersecurity Maturity Model Certification (CMMC). The DoD has made sweeping changes from the previous NIST self-certification framework and now requires DoD contractors to certify to the CMMC through a certified third-party assessment organization (C3PAO). Enter the CMMC auditor.
A CMMC auditor will help your business attain CMMC certification, with the accreditation itself granted by a certified third-party authority.
CMMC Auditor and the Maturity Model
The CMMC replaces the current NIST 800-171 self-certification model. Before the CMMC, any organization that had dealings with the DoD had to ensure cybersecurity best practice. By adhering to the NIST 800-171 framework, organizations could prove their cyber resilience.
However, this proved inadequate when it came to cyber defense. Self-certification requires a lot of organizational discipline to maintain, and there was no real net-positive change in data loss and cyberattacks on the DoD supply chain. It is for this reason that the DoD revised the self-certification model to require third-party certification.
The C3PAO requirement is not the only thing that has changed with the CMMC. The model builds on NIST 800-171 but reworks a lot of the components. The first step toward certification is determining which level of maturity your organization must adhere to; this is where an auditor helps, but more on that later.
There are five different levels of cyber maturity in the CMMC model, and the type of DoD data your organization processes determines the required level. Two categories of data decide maturity:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
FCI only applies to maturity level one; CUI requires higher maturity levels. Maturity is measured on a five-level scale and incorporates both processes and practices. You must be at the same level for both practices and processes to attain the specified level. For example, if you achieve level 3 practices but your processes only reach level 2, you will be certified for level 2 maturity.
Now that we have discussed the basics of the CMMC model, we can explore what a CMMC auditor does. But first, what is an auditor?
If you work within or run an organization in any regulated industry, you will be familiar with auditors and auditing. Whether it be regulation or framework certification, at one point or another, you will need the help of an auditor.
Auditors are the meticulous type who will check to see how your organization is doing and what is needed. They often get a bad rap, but it is best to see them as someone who is there to help, which is what they are usually hired for.
The biggest benefit of hiring an auditor is that a good one will ensure that the organization passes the required certification or adheres to a specific regulation. In short, their success is your success.
What does a CMMC Auditor Do
Fundamentally, a CMMC auditor’s responsibility does not vary significantly from that of a regular auditor, except that the model itself requires third-party certification.
However, this does not mean that a CMMC auditor can grant you third-party certification unless they are qualified to do so. Still, they can certainly help you on the road to certification.
In this section, we will explain how.
A CMMC auditor will have a strong understanding of the model and tell you exactly what kind of data the organization processes. This check is crucial if you are unsure, as this data audit alone will dictate what the correct maturity level is for the organization.
Another thing to point out is that even if CUI is the kind of data you handle, it may not be necessary to achieve level 5 maturity. An auditor will know the model’s nuances and pinpoint the precise level required, saving you time and money.
Cyber Health Checks
An auditor will assess the overall cyber health of the organization, otherwise known as its cyber resilience. This check is vital to the CMMC because, without a general cyber checkup, the model’s controls will be difficult to implement.
In this audit process, the auditor should be able to identify any weaknesses in the information system, including but not limited to:
- Hardware and software inventories
- Staff awareness levels
- Industry threat landscape
- Data mapping
- Physical security
Once the auditor has a better understanding of the organization’s general cybersecurity situation, they can advise on the best ways to implement the controls of the CMMC.
Staff Awareness Checks
Although mentioned as part of the general cyber health check, most auditors will take particular care to assess the staff awareness level and whether any training practices are in place. This audit is tuned to higher maturity levels, but it is good to start early to build cybersecurity maturity among the staff.
Domain and Capabilities Audit
The CMMC model, like frameworks of a similar nature, is a series of controls that should be implemented according to the maturity level required. A CMMC auditor will address this by checking the domains that are necessary for your certification.
The domains are groupings of security-related areas that have been borrowed and adjusted from NIST and other cyber frameworks.
An auditor will check the domains and the corresponding capabilities that must be implemented for the desired maturity level.
The capabilities are the model’s version of “controls”; each capability falls under one of the 17 domains. The auditor will assess whether the capabilities have been implemented correctly and advise on a course of action if they have not.
Process Integration Audit
The final, most vital audit is that of process integration. How well the capabilities have been integrated into the organization’s overall culture will ultimately decide if the organization has reached the intended maturity. This fact will, in turn, allow a C3PAO to award certification.
An auditor will therefore check the process integration. This check could be achieved through a survey, questionnaire, or other means outlined by the auditor.
These are a few of the audits that a CMMC auditor might carry out, but the exact scope will depend on the maturity level you must adhere to; it could be a more involved process.
Benefits of Getting an Auditor
Fundamentally, your organization will want to know: is it worth it? The short answer is yes.
A CMMC auditor will help you in many different areas.
As briefly described in a previous section, an auditor will save you a lot of hassle when it comes to implementation and certification. They are cyber experts, and they know what they are looking for. Your organization might be making military-grade equipment but not have the in-house resources to carry out a cyber health check; an auditor can and will do it in half the time and at half the cost.
Streamlining the Process
Building from the previous point, an auditor will streamline the certification process by ensuring you are compliant before applying for certification. In the best of cases, the auditor might even be an accrediting body.
An added benefit to streamlining the process is that certification is likely to be awarded on the first try.
Finally, an auditor will reduce the downtime to business operations when the CMMC goes into full swing. There is currently a grace period of a few years for organizations to transition to the new model. A CMMC auditor will ensure regulatory readiness when the time eventually comes.
How We Can Help
RSI Security has years of compliance and cybersecurity experience. You don’t need to fall behind on your compliance needs, and you can be ahead of the curve.
With our compliance experience, we are the right CMMC auditor for you. As the initial round of accreditation is still underway, there are currently no official C3PAOs. Nevertheless, you can rest easy, as RSI Security is on the road to becoming an accreditation authority ready to certify your organization.