How to Prepare for Cybersecurity Maturity Model Certification (CMMC)?
Any consultant or contractor that sells to the Department of Defense must hold a Cybersecurity Maturity Model Certification (CMMC).
The DoD sets a range of security maturity standards that must be met to qualify for RFPs and vendor selection.
While federal contractors have long been concerned about IT security, the latest shift by the Department of Defense has raised the stakes even higher.
Contractors that don’t fulfill CMMC criteria may be barred from doing business with the Department of Defense once the program is fully implemented.
The CMMC 2.0 framework was released in November 2021 and can be found on the DoD CMMC website. CMMC 2.0 was initially released in January 2020.
An MOU signed between the Department of Defense and the CMMC Accreditation Body specified standards for assessors; however, delays in the program’s formal pilot phase and go-live continue to bring about modifications to the program and its requirements.
It’s possible that CMMC requirements in RFPs won’t be implemented until at least 2022, since the regulatory procedure to revise the DFARS 252.204-7012 requirements is still ongoing.
Of the more than 300,000 DoD contractors, some will be able to complete parts of their CMMC requirements in-house, but many will not be capable of doing so.
Ntiva, a managed cloud security consulting service provider, is developing specialist systems to help assess contractors’ current capabilities, build remediation plans where necessary, and carry out ongoing cybersecurity monitoring and reporting for those in the second camp.
Despite its efforts to protect employees’ information, the Pentagon disclosed a data breach in late 2018 that exposed the personal information of 35,000 DoD personnel.
Due to growing tensions in the Middle East, Homeland Security issued a warning that cyberattacks on government networks might escalate in 2020.
A never-ending struggle that is just going to grow worse!
Looking back to the Defense Federal Acquisition Regulation Supplement (DFARS) of 2015, the DoD defined specific cyber requirements in clauses 252.204-7008 and 252.204-7012.
To comply with the DFARS, DoD contractors were obliged to implement cybersecurity processes and standards developed by the National Institute of Standards and Technology (NIST). As of December 2017, all federal contractors must show that they have met the NIST SP 800-171 criteria.
NIST SP 800-171 was adopted as the framework for securing the Department of Defense’s supply chain against cyberattacks and other security hazards.
Despite the Department of Defense’s attempts to encourage suppliers to adhere to the framework, adoption has been slow. The Department of Defense is concerned that most contractors in the defense industrial base follow only minimum standards of security hygiene.
The Department of Defense (DoD) has implemented CMMC to guarantee that contractor systems are adequately protected against cyberattacks that pose an unacceptable risk to Controlled Unclassified Information (CUI).
For contractors doing business with the Defense Department, CMMC will replace the current self-declaration approach with third-party certification; compliance will be demonstrated through the audit and certification process.
Additionally, contractors learned that the “all or nothing” (pass/fail) audit process was changing to allow Plans of Action and Milestones (POA&Ms). Still, no one knows how many POA&Ms an organization may submit, whether a severity level will be assigned, or whether multiple POA&Ms combine into higher-severity findings.
The Department of Defense issued several announcements in late January and early February 2022 indicating that the CMMC program’s governance and control will be transferred to the Office of the Chief Information Officer. For Levels 2 and 3, self-attestation was no longer permitted, and therefore the need for third-party audit and certification was reintroduced into the CMMC 2.0 framework.
It seemed reasonable to demand third-party audits for all contractors working at the various levels of the CMMC model, based on the rationale that any information outside of FCI would be deemed CUI and that all contractors would need access to some CUI.
No one knows for sure, but many people believe that eliminating the requirement for a third-party audit would have reverted the program to its pre-CMMC state, in which contractors were obligated to self-certify under DFARS clause 252.204-7012. Returning to that arrangement, which amounts to an honor system, would give the DoD no additional safeguards.
RPOs and C3PAOs have also expressed concern about the resources and money spent positioning themselves to support the DoD’s audit needs, and about whether there will be a role for them going forward.
We presume that any organization wishing to satisfy CMMC 2.0 Level 2 or 3 must pass a third-party audit. In addition, if the DoD reverts to its previous criteria, we urge you to attempt to pass the assessment without relying on any POA&Ms.
For example, where a POA&M is not permitted, a contractor that cannot pass an audit before contract award, for lack of time, resources, or money, may not be awarded the contract.
With no way of knowing how many third-party auditors will be available, how long an audit will take, or how long it may take to be re-assessed on failing practices, relying on a POA&M to pass the audit may be too great a risk for most firms.