The much-anticipated Cybersecurity Maturity Model Certification (CMMC), version 1.0, was published earlier this year (January 2020), and compliance efforts are underway across the defense supply chain. The Department of Defense has indicated that companies can expect to see CMMC in RFIs in Q3 2020 and in RFPs in Q4 2020 for certain programs, such as nuclear and missile defense, among others. CMMC requirements will then appear in contract requirements through a phased rollout running through fiscal year 2026.
While the CMMC is largely based on NIST SP 800-171, there are some changes, including new process maturity requirements and, at Level 3, additional practices beyond the 110 NIST requirements. In addition, companies will need to hold a CMMC certification at the required level before taking award of a contract; self-attestation, as under DFARS 252.204-7012, will no longer suffice. The certification assessment must be performed by a CMMC Third Party Assessment Organization (C3PAO). At the moment, there are no C3PAOs; however, the CMMC Accreditation Body will be releasing the training and accreditation requirements for C3PAOs and their assessors over the next few months.
In the checklist below, we identify five critical steps to achieve CMMC compliance.
1. Try to anticipate your CMMC level
The CMMC framework has five levels, numbered 1 through 5, each corresponding to an increasingly strict set of practices and process maturity requirements. Level 5 is the most demanding and is designed to protect against sophisticated nation-state threats (advanced persistent threats). If you are subject to DFARS 252.204-7012 today because you handle Controlled Unclassified Information (CUI), you will likely be asked to certify to CMMC Level 3, the level designed to protect CUI. Note that the required level is set per contract by the DoD, not chosen by the contractor, so it is worth having discussions with your prime contractors and other counterparties to get a sense of which levels they are targeting for future work.
2. Review your NIST 800-171 implementation
If you are subject to DFARS 252.204-7012 today, you are already contractually required to implement the 110 security requirements in NIST SP 800-171, to document your implementation in a System Security Plan (SSP), and to track any unimplemented requirements in a plan of action and milestones (POAM). Review that effort, confirm the SSP reflects what is actually deployed, and identify any remaining items that still need to be implemented.
3. Perform a gap assessment using the CMMC at your chosen level
The output of the previous step will largely inform your starting point for this activity. There is a high degree of overlap between NIST SP 800-171 and CMMC Level 3, which is by design: Level 3 includes all 110 NIST SP 800-171 requirements plus 20 additional practices and the Level 3 process maturity requirements. The primary difference is in how gaps are treated. Under DFARS 252.204-7012, an unimplemented requirement may be carried on a POAM; under CMMC, you must implement all practices and processes at your target level before seeking certification, and no open items will be accepted. Review your organization's control environment against the CMMC practices and processes at your targeted level, not only against NIST SP 800-171, to determine what gaps exist.
4. Clear your POAM
The plan of action and milestones (POAM) is your punch list for remediation. As you identify gaps, track each one on the POAM with an owner, a target date, and the evidence that will show it is closed, and build roadmaps for implementation. Remember the critical point that, unlike today's DFARS regime, your POAM must be free and clear of all CMMC gaps before a certification assessment, so remaining items on it should be treated as blockers rather than as accepted risk.
5. Find a C3PAO and get certified
While there are no C3PAOs today, it is expected that there will be by Q3 2020, when firms will be permitted to begin the accreditation process. The DoD has also indicated that it will host a marketplace listing all accredited C3PAOs. Once you have implemented all the CMMC requirements at your target level, engage a C3PAO and begin the assessment process. DGC is an aspiring C3PAO firm, and we will be monitoring the assessment process closely.
To watch a webinar discussing five critical steps to CMMC compliance, click here.
For additional information, please contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / firstname.lastname@example.org. You can also visit our coronavirus web page at dgccpa.com/coronavirus which is frequently updated with new resources to help you deal with the impact of the coronavirus on you and your business.