As the Cybersecurity Maturity Model Certification (CMMC) has come online and continued to evolve, many more defense contractors have been seeking help in understanding new requirements and ensuring they gain the necessary level of compliance to bid on DoD contracts in the future.
These companies are facing increasing pressure from the U.S. government to prove they are protecting sensitive information and maturing their cybersecurity practices to meet a rapidly evolving threat. With the interim DFARS rule change now in place and CMMC requirements on the horizon, there’s an understandable sense of urgency to “get compliant now.”
Unfortunately, this urgency has made some defense contractors prey to bad actors who are using the new requirements to make false claims and a few quick bucks. Organizations seeking CMMC certification need to be wary of companies posing as certifying officials, promising unrealistic costs and timelines to get prepared, and (unwittingly or no) presenting inaccurate information.
How can you protect yourself from these predatory or misguided practices? Knowledge. Here are some things you need to know.
No one can get CMMC certified yet.
This may be the most important thing for organizations to know right now before they enlist the help of any service provider or consulting firm. The CMMC Accreditation Body (CMMC-AB) has stated that it is the sole organization that will issue certifications. If a commercial organization is telling you that they can certify you, they either misunderstand the requirement or they are outright lying. Either way, you want to avoid working with them (and report them to the CMMC-AB to help protect others as well.)
Stacy Bostjanick, the director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment said in a Jan. 25th webinar that a simple Google search will reveal myriad examples of these fake offers. She also said the CMMC-AB, which is independent of the DoD, is considering sending “cease and desist” letters to any company saying they can get another vendor certified under CMMC. This is according to the reporting from Inside Cybersecurity and FedScoop.
To get certified, defense contractors will have to undergo an assessment by a Certified 3rd Party Assessment Organization (C3PAO), accredited by the CMMC-AB. C3PAOs maintain Certified Assessors on their staff who have undergone training and adhere to a professional Code of Conduct developed and enforced by the AB. The C3PAO will submit the assessment results to the CMMC-AB for a quality assurance review and then the AB will issue certification.
Another important point: Right now, there are no Certified Assessors yet. The CMMC-AB has only recently certified 100 Provisional Assessors, and although several of those Provisional Assessors’ companies have received certification as C3PAOs, none are authorized to conduct assessments until after they have received their CMMC Level 3 assessment from the government and then only for approved pilot contracts. (The DoD currently has only 15 pilot contracts planned for 2021.) If a commercial organization is telling you now that they can conduct your official CMMC assessment, again they either don’t understand or they’re lying. The CMMC-AB marketplace is the official source to find Certified Assessors that work for a C3PAO. Neither the CMMC-AB nor the DoD will recognize an assessment from a party outside of this group.
You can still get help.
Even though you can’t yet get certified yet, you can get help preparing your cyber program for assessment later, and in fact, the CMMC-AB encourages contractors to get started as soon as possible. The AB has designated (and continues to designate) Registered Provider Organizations (RPOs). RPOs can provide consulting services that help companies get ready for the official assessments once they become available.
Ardalyst, for example, is an RPO. This designation formally recognizes companies who have trained Registered Practitioners on their staff who are bound by the CMMC-AB Code of Conduct.
“Please be careful and wary of how you bring these contractors and consultants in,” said Bostjanick. “Understand that if you’re bringing somebody in to consult with you, to help you prepare for CMMC, it really should have gone through some of the CMMC-AB training.”
A full list of current RPOs can be found in the CMMC-AB marketplace. This is a helpful resource for finding consulting assistance in preparing for CMMC and confirming an organization’s claims.
Understand current and future requirements.
Understanding what you need to do now and what you need to do in the future will help you to not be swayed by false information.
CMMC requirements continue to evolve. The DoD has planned a phased roll out of the program to allow contractors time to fully adopt the required practices and processes. As DoD acquisitions CISO Katie Arrington has said numerous times, they’ve designed the program to encourage a “crawl, walk, run” approach. That’s what the new interim DFARS rule that went into effect in December outlines.
In addition to establishing the official clause for CMMC (i.e., running), the interim rule introduces another clause and a provision that together make two changes to the original requirements of DFARS 252.204-7012. The provision and new clauses are:
- DFARS Provision 252.204-7019, “Notice of NIST SP 800-171 DoD Assessment Requirements,” requires companies who handle CUI to have at least a NIST SP 800-171 Basic Assessment on record with the DoD to be considered for award. To be clear, a self-assessment still meets this requirement, but now the summary score has to be submitted to an online DoD database. Also, the requirement to maintain a System Security Plan (SSP) and Plan of Action & Milestones (POAM) for mitigating any gaps in your program remains. (This is “crawl.”)
- DFARS Clause 252.204-7020 will require contractors to grant access to their facilities, systems, and personnel for the government to conduct Medium or High Assessments of their cybersecurity programs. These assessments will be run by the Defense Contract Management Agency’s (DCMA) DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). (This is “walk.”)
- DFARS Clause 252.204-7021 establishes the requirements for CMMC, which will not be fully implemented until the end of fiscal year 2025. (This is “run.”)
There are two main points we want you to take away from this:
1. This is a process – a marathon, not a sprint. Start with crawl – the current requirements – which will help you prepare for “walk,” – the near-term requirements – which will set you up for success with CMMC in the future.
2. You have time. Take that time to find a reputable source of information and help developing your program.
That said, don’t wait to start. The earlier you start, the more time you have to build a relationship with a provider, mature your program in a methodical and cost-effective way, and develop evidence of that maturity over time which will be important when the time comes to submit to an official CMMC assessment.
Be wary of unrealistic timelines.
Depending on the maturity of your current cybersecurity program, we anticipate, in general, it will take anywhere from 6 to 18 months to get your practices, process, and documentation mature enough beyond initial control implementation, to be ready for an official CMMC Level 3 assessment.
The more you are already adhering to the controls in NIST 800-171, the faster and easier the transition is likely to be, but our experience has been that contractors are not as prepared from a cultural perspective as they think they are, particularly in the internalization of what CUI is and how they should have been handling it. It is normal to require a series of senior level policy decisions to get such a effectively in place enough to be demonstrable to a third party. So don’t assume you can have a fully mature program in 6 months. Getting started now will give you the peace of mind to deliberately plan your approach. A last-minute scramble can leave you susceptible to deceptive or merely incompetent actors who promise more than they can deliver and will cause you to either lose work or a contract bid.
An important thing to note about CMMC is that, unlike the Basic, Medium and High Assessments required in DFARS 7019 and 7020, you can’t rely on a POAM to cover gaps in your program. With CMMC, you are either compliant with every control at the level of certification you’re seeking or you’re not compliant at all.
Think of it this way: The Basic, Medium and High Assessments reveal the gaps you need to fill. By the time you’re undergoing a CMMC assessment, you need to have all of the controls not only implemented, but also properly performed, documented, and managed. This means having the people, processes and technologies in place and demonstrating that they’ve been in place and have been maturing over time. Allow yourself that time.
Summary
There is still a lot of confusion surrounding CMMC and the new interim DFARS rule change that went into effect in December. That confusion can make organizations seeking NIST SP 800-171 and CMMC compliance vulnerable to false claims. But a little research and knowledge can help you find a provider you can trust.
1. Know that the CMMC-AB is the only entity that will issue CMMC certification, and at the time of this writing, that organization has not yet trained and certified assessors who can perform official assessments. Anyone who says otherwise is suspect.
2. You can and are encouraged to seek help from CMMC-AB designated RPOs. These organizations can help you understand the requirements better, evaluate your current program and future needs and – in the case of Ardalyst – help you build a comprehensive and cost-effective program that supports your compliance and business needs. Validate an organization by looking them up in the CMMC-AB marketplace.
3. Be wary of unrealistic timelines and quick cheap fixes. If you’re seeking help from a provider, the sooner you start, the sooner you can develop a realistic plan for establishing and maturing your cyber program. Just remember that maturity requires time and there is no technology that will make you 100% compliant by buying it. If you are just starting, plan to take your time.
Ardalyst is dedicated to helping defense contractors replace uncertainty around new and evolving DoD compliance requirements with understanding. With help from our partners, Microsoft, FireEye and Carahsoft, as well as the CMMC-AB, Ardalyst hosted a one-day virtual event February 3rd that brought together representatives from industry, government, and academia – including OUSD(A&S) CISO Katie Arrington – to discuss this issue and other advances with CMMC. We’ll be hosting many other events throughout the year to help educate the DIB on the DoD’s evolving cyber compliance requirements. For more information or to sign up for our newsletter for regular updates, please visit www.ardalyst.com/events.
