If obtaining a Cybersecurity Maturity Model Certification (CMMC) certification is on your organization’s radar, you’ve come to the right place. We’ll share our four-step process for preparing for a formal CMMC assessment leading to the issuance of a CMMC Maturity Level (ML) certificate.
As a refresher, the CMMC framework was initially made public in January 2020. The Department of Defense (DoD) issued an interim rule effective November 30, 2020 to implement the NIST 800-171 DoD Assessment Methodology and the CMMC Framework. As of July 2021, the CMMC Accreditation Body (CMMC-AB) has authorized three organizations as CMMC Third Party Assessment Organizations (C3PAO) who will conduct CMMC assessments against government contractor organizations.
We expect the initial set of formal assessments for government contractors to be conducted in the coming months. So what should you do next as a government contractor while waiting to be formally assessed by a C3PAO?
Step 1. Conduct a security assessment
The first thing to do is determine your target maturity level (typically CMMC ML 1 or 3). CMMC ML 3 is generally required if you process Controlled Unclassified Information (CUI) in your environment and/or have contracts that contain DFARS clause 252.204-7012 and you are already subject to NIST 800-171 requirements.
The next thing is to determine the scope (or system boundary) for your organization. You need to identify where Federal Contract Information (FCI) or CUI will be processed in your organization to determine which systems to include in scope (e.g. email, networking equipment) and which ones to exclude (e.g. HR systems or business applications uninvolved in conducting government work).
Lastly, go through the identified security practices and processes to determine if your organization meets the relevant standards.
Step 2. Remediate identified gaps
This is arguably the hardest part of the process. Unlike the prior NIST 800-171 self-assessment guidelines, CMMC is a pass or fail test – you either demonstrate all the required practices and process maturity or you do not obtain a certification. There are also no options to tailor the framework by picking and choosing which practices apply to your organization, or to have a Plan of Action & Milestones (POA&M) designating future remediation plans for identified gaps.
You will need to develop or update security plans, policies and procedures. You may also need to implement new controls and/or enhance existing controls in your environment to address required security practices.
Step 3. Get ready for a formal assessment
This step has two purposes. It allows you to validate that you have actually addressed all security practices and processes required by the CMMC framework. It also provides your organization the opportunity to review and collect objective evidence in preparation for a formal CMMC assessment. If there is no evidence that a practice is in place and consistently followed, you will likely not pass the assessment. For example, simply saying your organization patches systems regularly won’t suffice. Instead, you will likely have to keep and provide records indicating which systems were patched, when they were last patched, the policies that spell out your patch management program, the resources assigned to manage the activity, etc.
Step 4. Contract with a C3PAO for a formal assessment
You’ve made it this far. Congratulations! Visit the CMMC-AB Marketplace and select a handful of Authorized C3PAOs to negotiate with. They will conduct the assessment and recommend issuance of a CMMC certificate if your organization passes. Once you successfully obtain a CMMC certificate, your organization will be able to bid on contracts and task orders (at or below your assessed CMMC level).
If you don’t pass the assessment, you will have to repeat the steps above, resulting in more time, resources, and costs for your organization.
Take the necessary time up front to prepare for the assessment; you will not only have peace of mind that your organization is well positioned to pass a CMMC assessment, but also assurance that the required cybersecurity controls are in place to protect your organization’s and clients’ data.
How Can Aronson Help?
Aronson LLC is a Registered Provider Organization (RPO) with the CMMC-AB, the accreditation body responsible for managing the CMMC program. We partner with government contractors (and their IT/cybersecurity vendors) to enable you to achieve the maturity required to successfully demonstrate CMMC compliance and obtain desired certification.
Our team of CMMC-AB Registered Practitioners (RP) can assist your organization with conducting a security pre-assessment, supporting remediation activities, and conducting a pre-assessment readiness review prior to a formal C3PAO-conducted assessment.