Every year, the Department of Defense spends over 8.5 billion dollars on cybersecurity funding. For many of us, DoD contracts make up a sustainable part of our organization. The new CMMC (Cybersecurity Maturity Model Certification) is coming, and preparing with a self-assessment, or with the help of a professional cybersecurity organization that specializes in compliance, can help you feel confident and ready for the required audit by a C3PAO.
Why should you have a self-assessment before having a 3rd party do the real assessment?
1. CMMC is New
Many contractors have very little or no documentation showing their cybersecurity controls. Those that have a good foundation are typically NIST SP 800-171 compliant. Since June 2016, contractors have been accustomed to this system. Although some changes were made along the way, the general procedures have remained the same. A lot of information has been provided about what is required at each level of CMMC, yet there are still many unknowns. The CMMC Accreditation Board has not decided how the audits will be conducted or in what order they will start conducting audits. Doing a self-assessment can help find gaps in your protection plan; however, it is essential to be realistic and know if you can do a self-assessment well. For companies with a smaller bandwidth, it may be in your best interest to have a professional compliance organization do your self-assessment and gap analysis.
2. No defense contractor is certified for CMMC
Until a contractor coordinates directly with a Certified Third-Party Assessment Organization (C3PAO) to request and schedule their CMMC audit, and passes that audit, they are not compliant. The C3PAO will review the contractor's security processes and practices. Based on the security controls in place and the contractor's ability to demonstrate organizational and operational maturity, the contractor will be awarded the appropriate level of CMMC certification. The CMMC Certification levels are one to five (one being the most basic security controls, five being the most stringent and complex security requirements).
3. There is NOT a self-attestation
NIST SP 800-171 allowed DoD contractors to do a self-attestation when they implemented the required controls for CUI. Although contractors could have experienced a random audit, it left room for potential gaps in standards. To become CMMC compliant, you must schedule a full CMMC Audit with an accredited 3rd party. The audits are rated pass or fail; organizations must be able to prove that they have taken the proper steps to reach their desired CMMC compliance level (1-5). Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, has made it very clear that there will be no trade-offs or fines associated with non-compliance. However, to win a contract or successfully rebid on a contract, you will need to match the level required on the solicitation before being awarded the contract.
4. It's too important to leave to chance
Your CMMC assessment is essential to your organization. It could take months to schedule your CMMC assessment and even longer if you do not pass the first time. For the best chance at a pass rating, we encourage you to reach out to a professional compliance organization with the skills and resources to get you to the CMMC level you need to reach.
5. Your contract prime may require you to meet their standards
Many organizations outsource part of their contracts. When you are a sub-prime on a contract, your prime may require you to achieve the same level of compliance that they are required to meet. No matter where you are in the supply chain, this will still affect your organization, and you need to prepare. Now is the time to start implementing CUI controls required at your desired CMMC Level.
What can a professional cybersecurity organization that focuses on compliance do for you?
An experienced cybersecurity compliance organization will be able to conduct an assessment and provide a gap analysis. It should include a full CMMC assessment. This consists of a traditional CUI assessment covering all 110 controls in NIST SP 800-171, plus the additional 20 practices required in CMMC Level 3 (130 in total). The assessment could also include aspects of physical security that would need to be completed on-site. Then, the company will provide a detailed report and action plan. At SecureStrux, we refer to this as the Path to Success Framework.
Your CMMC audit is important, and you want a trusted and professional team on the job. At SecureStrux, our veteran team has years of experience and is ready to lead the charge by implementing the practices your organization needs. We work professionally and efficiently, and our seasoned team is ready to serve you. Contact our CMMC expert, Mark, to learn about our CMMC product offerings.