It is now June, and we are still waiting on the finalization of the audit process and training of the Cybersecurity Maturity Model Certification (CMMC) auditors. This is one of the final steps before members of the Defense Industrial Base (DIB) can begin the audit process, and eventually receive the coveted CMMC certification level required for bidding on any Department of Defense (DoD) contracts. Unfortunately, many contractors have been watching the process unfold and feel that the best plan at this point—especially amid the current pandemic—is to wait until everything is in place before initiating an audit without doing any prep work or review during the “lull” in business.
This mindset, while understandable, is dangerous. A better mindset to be in right now is to be prepared for what comes next. As an old military adage describes: Proper Planning Prevents Poor Performance; this remains true with CMMC preparedness and security.
The DoD and DIB Did Not Shut Down
The ongoing pandemic severely damaged many businesses, but not the Department of Defense or Defense Industrial base; they were labeled as essential businesses and therefore remained open. Because of this, we do not anticipate any major delays in the CMMC rollout that could push this beyond the June/July 2020 initial rollout, or the September full rollout timeline. As it stands, the CMMC rollout is anticipated to be on schedule; the accreditation body has been diligently working to complete the training for the auditors and audit review personnel.
While the rest of the world got derailed, the train that is CMMC did not, and has lost very little steam.
On a recent video call, Katie Arrington echoed this point:
“Covid‐19 did give us a break, and while we were planning on conducting training in person, we are in no way shape or form are we slowing down the pace. We are not going to let this virus stop us from getting things done. In fact, it has propelled us into needing cyber security standards to ensure the sanctity of our industrial base.”
Preparing for CMMC Compliance
The CMMC standards and required controls were released in January of 2020. Barring any major adjustments between now and the introduction of the CMMC level requirements, we know what the DoD is looking for in regards to compliance. Under the current requirements, you need to self‐assess your compliance to NIST 800‐171, which means you want to complete the NIST Handbook 162: the NIST 800‐171 compliance guide. Missing any of the necessary controls and requirements means you could potentially fail to receive the CMMC certification level you were looking to receive, and therefore be unable to bid on your desired contracts.
While this could be done in house, we recommend performing an assessment via an impartial third party, which should uncover gaps in your cyber security infrastructure. These gaps could be related to your hardware, software, policies or procedures. The fixes to any of these items will take time and effort to implement properly. By reviewing your cyber security infrastructure now, you will have ample time to remediate any gaps that will be found in your assessment.
Current CMMC Audit Process
The proposed plan will be each member of the DIB to submit to a CMMC audit through a certified 3rd party auditing organization or C3PAO. Once the audit is complete, the audit findings will be submitted to the Accreditation Body for review, who then issues and files the certification level for each audited company. There will be a review and appeals process; companies who dispute their certification will have up to 45 days to appeal the findings or submit a second audit. A big concern through all of this is the following:
- There are approximately 350,000+ contractors and sub‐contractors in the DIB
- As it stands now there are approximately 200 firms pending certification as C3PAOs across the country
- There is 1 board reviewing all audits and reviewing appeals.
As we stated earlier, you will have 45 days from the date of receiving your desired level, during that time you will have to review your gaps, implement any remediation items and then request the appeal, before you are kicked to the back of the line and have to submit to and pay for a second audit. Ask yourself: When was the last time you were able to successfully implement a new solution and then confirm that the new solution was successful and being utilized correctly in less than 45 days?
Inconvenience Now or Hardship Later
While the AB is now accepting C3PAO and auditor applications, as it stands now no one can be certified to a specific CMMC level. Completing an assessment now will not guarantee that you will fulfill the necessary requirements for your desired CMMC level when everything is rolled out. That doesn’t mean you shouldn’t be reviewing and assessing your infrastructure now either.
What happens if you process through an audit and it is determined weren’t as compliant as you thought you were? Can you implement all the solutions you will need to in order to meet your desired CMMC level? Can you afford to miss out on a new contract, or lose a contract renewal, all because you were unable to meet the desired CMMC requirements?
Preparing for compliance now, as best you can, can help you to avoid loss later. In addition, with the summer lull now is the time to ensure your cyber security infrastructure is in place and ready for when the process opens in earnest.
How can Summit Business Technologies Help?
As mentioned above, the process of accepting applications for C3PAOs and auditors has only just begun. No one is yet available to conduct audits. Summit is currently assisting firms with conducting assessments based on the NIST 800‐171 standard and reviewing your cyber security infrastructure against the additional controls defined in the CMMC standard. We then return to you with our recommendations, along with an SSP and a POAM to remediate any gaps that we find during our assessment. In addition to the work pertaining to the NIST 800‐171 assessment and the CMMC control review, we will perform a vulnerability scan of your system, which will give you an immediate list of where your network is vulnerable. We can then work with you to strengthen those areas.
If you are interested in understanding the current status of the CMMC rollout or want an impartial second set of eyes to review your cyber security framework and assess where you stand against the upcoming DoD cybersecurity standards, we can help. Contact us directly and schedule a quick conversation with our team on where we see CMMC going, and our process for handling the assessment in the current social distancing climate.