The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) recently posted a video of their Standards Committee Chair, Regan Edens, with a discussion of their standards framework, stakeholders and some of the big takeaways as CMMC continues to roll out over the next 6-18 months.
CMMC is coming. As the Accreditation Body continues to mature its processes, companies should be preparing for their mandated certification in order to bid on and receive DoD contracts in the future.
Edens stressed multiple points in the video, but what we think companies most need to know is the following:
- Start now. It’s going to take time to implement solutions for your company’s accreditation. With CMMC only 6-18 months away, don’t wait. The CMMC Standard is not a static checklist. It is going to evolve. CMMC-AB understands the standard needs to (a) evolve with the adversary and (b) apply differently to different industries, thus this isn’t a “one and done” checklist. Most companies will need help from partners to understand what to do and how to achieve and sustain compliance.
- Everyone knows they need to do this, but many aren’t sure how. Getting CMMC Level 1 or Level 2 Accreditation is essentially basic cyber hygiene. Achieving that takes planning and effort, but it does NOT need to be very expensive. Get the right partner to help you now. Not 18 months from now.
The Standards Management Committee is taking the CMMC model, operationalizing it and making it the standard. When it comes to “the standard,” though, they have some clear goals:
- Make the standard clear. What are the qualities and capabilities desired?
- Ensure the stakeholders understand the requirements.
- Ensure the assessment standard criteria:
  - are consistent with the requirements, and
  - reinforce the CMMC model’s desired capabilities.
- Ensure the assessors are trained and certified properly.
We break down more information about these goals here:
Edens makes clear here that the vast majority of the Defense Industrial Base (DIB) consists of small businesses, and they don’t have the resources they need in order to move forward with CMMC. They often don’t have in-house IT and cyber personnel on staff. This issue translates into a conversation about how CMMC-AB trains its assessors. The assessors play a critical role in making sure accreditation criteria are met. These assessors need to know the standard and forge critical relationships with DIB companies that need the certification. Assessors need to know that a different standard is applied to a small company looking for Level 1 certification than to a large defense contractor requiring Level 5. Assessors need to help with that distinction, but also make clear how critical it is to act.
“I’ve yet to meet any company who says they don’t want to do this or need to do this. They know there are foreign adversaries who are putting them at risk. This is why we need to secure this data and defend the DIB,” Edens said.
Edens said that this is about more than just the DoD and CMMC-AB. The interdependence between all the stakeholders – the CMMC-AB, the DoD, organizations seeking certification (OSCs), third-party assessors, etc. – is critical.
In this section of the video, Edens mentioned that Levels 4 and 5 of CMMC Certification really only apply to 1-4% of the affected companies. If you are a small business owner who only needs to protect federal contract information (FCI), you should focus on Levels 1 and 2. If you deal with controlled unclassified information (CUI), you will need to focus on Level 3.
Things Stakeholders/OSCs Need to Consider:
- DFARS requirements: Until CMMC is more mature and better codified, use the current DFARS requirements while conducting self-assessment.
- Scope of your enterprise: What hardware do you have that needs certification? You should localize and consolidate your data as much as you can. Proper organizational discipline as you posture your enterprise will better prepare you for seamless accreditation.
- NOW is the time to prepare your organization for certification. Don’t wait.
Assessors and Assessment Standard
This standard is critical. It is one bookend. The other bookend is the initial source documents. New versions of these model source documents will come from CMMC-AB in the future. As stated before, it’s not a static certification.
To reinforce the CMMC model, the CMMC-AB and assessors will evaluate your company’s capabilities, processes and practices against the model based on the level of certification your organization is pursuing. And if your company is more manufacturing-based, the model, assessment and certification will be adapted to what your company does. The model needs to be agile and mindful of the fact that the cyber landscape is changing every day. The model needs to be resilient.
A lot of organizations are still unfamiliar with the terms and vernacular in the model. Edens mentioned trying to build a bridge from where they are now (under DFARS and NIST 800-171) to where they will need to be in the future (under CMMC). The CMMC-AB will continue to try to educate businesses about the newness of CMMC and how it will specifically impact them based on what level of certification they need.
Companies need to know that CMMC focuses on data and the protection of the types of data that exist out there – FCI and CUI. There are 15 requirements outlined in the model for protecting FCI. This is a new thing for people who need Level 1 and Level 2 certification. Small businesses need to start looking right now at treating FCI as if it were CUI.
Implementation of fixes and compliance requirements is going to be a challenge. Edens encouraged people to seek outside counsel and consulting to prepare them for self-assessment, certification and implementation of solutions that meet certification needs. They don’t have to have a CISO… or a robust cyber staff… but they should find partners to assist them in establishing and maintaining this hygiene and these fundamentals.
Getting Started Now
As Edens states in this last slide in the video, companies need to be ready now. Get started NOW. Employ the fundamentals and address your basic cyber hygiene. If you need help … get it.
Ardalyst can be that partner. We can help. We assess your business operations and infrastructure and help you build a plan for achieving the level of maturity you need to continue working with the government. Our combined expertise in business platforms and threat-informed cybersecurity allows us to develop solutions that defend your business from cyber threats and increase organizational efficiency.
Additionally, if you decide to implement our recommendations, we’re offering a program for the month of June with payment options that fit your needs as you navigate your business through CMMC, Covid and beyond. Options include:
- No upfront implementation cost
- Flexible invoicing
- Up to a 25% discount for customers who pay in full
We’re here to help. This offer expires June 30. Schedule a free planning session now.