The Defense Supply Chain (DSC) is exposed to increasingly sophisticated cyber threats coming from nation-states and non-state actors alike.
To better protect it, The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed the Cybersecurity Maturity Model Certification (CMMC), unifying various cybersecurity practices into a single standard and creating a new audit process to ensure compliance with it.
For DoD contractors and subcontractors, the requirement to pass a CMMC audit may seem daunting, but the road to compliance is not that difficult to navigate, especially not for those who currently comply with the NIST 800-171.
What Is a CMMC Audit?
The CMMC is largely based on the NIST 800-171 standard, an cybersecurity standard that codifies the requirements for storing, processing, and transmitting Controlled Unclassified Information (CUI).
When the NIST 800-171 was first published, the DoD presented it as a competitive advantage in the tender process, encouraging contractors to strengthen their cyber defenses to better protect sensitive information. However, contractors were not required to pass an official audit to demonstrate compliance.
The CMMC puts an end to self-assessments by requiring contractors to pass an official audit conducted by an official assessment organization, a CMMC 3rd Party Assessment Organization (C3PAO). The requirements for becoming a C3PAO are defined by the CMMC Accreditation Body (CMMC-AB), an independent organization responsible for the management of the CMMC ecosystem.
During a CMMC audit, the assessment organization verifies whether the contractor meets the requirements of the target CMMC level:
- CMMC level 1: Includes 17 controls based on FAR 52.204-21.
- CMMC level 2: Includes a major subset of the security requirements specified in the NIST 800-171.
- CMMC level 3: Encompasses all requirements specified in NIST 800-171 and additional CMMC specific controls
- CMMC level 4: Includes 156 controls to demonstrate proactive protection against Advanced Persistent Threats (APTs).
- CMMC level 5: Includes 171 controls to demonstrate a standardized and highly optimized cybersecurity strategy.
Because the five CMMC maturity levels are cumulative, any contractor will have to comply with the requirements at the level they wish to attain, and all lower levels . After an audit is successfully completed, the Assessor reports its findings to the C3PAO, who performs a QA check, and reports its recommendations to the CMMC-AB, which issues a certification to the contractor. This certification is then valid for three years or until a change is made to the certified environment.
How to Prepare for a CMMC Audit?
According to the CMMC-AB, contractors should begin preparing for a CMMC audit at least six months to a year in advance to meet Practice and Process maturity requirements. Of course, an organization that already complies with the NIST 800-171 and has plenty of resources to quickly meet additional security requirements based on the target CMMC level will need considerably less time than an organization that hasn’t been paying much attention to cybersecurity.
Regardless of the target CMMC level, audit preparations should include the following steps:
- Start with a gap analysis: The goal of a gap analysis when it comes to CMMC audit preparation is to find cybersecurity gaps that need to be filled in order to meet a specific cybersecurity maturity level. The good news is that most contractors won’t need to do much work to achieve one of the lower CMMC levels as they are considered basic cyber hygiene that businesses are doing today.
- Resolve cybersecurity gaps: The outcome of the gap analysis should be used to create a remediation plan, which is essentially a list that details the issues that need to be fixed, the order in which they should be fixed, and the steps to take. When resolving cybersecurity gaps, it’s always a good idea to set a clear timeline and budget to stay on track.
- Conduct a pre-assessment readiness review: Before beginning a formal assessment with a CMMC Assessor, contractors should conduct a pre-assessment readiness review to demonstrate sufficient adoption of the requirements associated with the target CMMC level. Contractors can complete this review on their own or engage a consultant.
Because cybersecurity threats are constantly evolving, contractors must practice ongoing monitoring and reporting to stay on top of the latest threats and maintain compliance to pass future CMMC audits.
Smaller contractors with limited resources can outsource monitoring and reporting to a Managed Security Service Provider (MSSP) in order to avoid stretching themselves too thin and wasting valuable resources on non-core business activities.
Prepare for Your CMMC Audit with Aligned Technology Solutions
The Cybersecurity Maturity Model Certification is the future (and to a large extent the present) of contracting for the Department of Defense, so it’s in the best interest of all contractors and subcontractors to start preparing for their first CMMC audit as soon as possible.
At Aligned Technology Solutions, we can make it easy for your organization to improve your cybersecurity maturity so that you can engage a CMMC Third-Party Assessment Organization with confidence. Contact us today to begin their journey to compliance without losing focus on your core business activities.