3 Misconceptions Around Cybersecurity Maturity Model Certification

Don't believe these myths surrounding CMMC compliance. Here's what organizations really need to know in order to work with the US Department of Defense.

John Roman, President and COO of FoxPointe Solutions

August 19, 2021


With the remote workforce resulting from the pandemic leading to increasing network attacks, the US Department of Defense (DoD) has mandated a higher level of attestation by a third party, through the Cybersecurity Maturity Model Certification (CMMC). This program requires the 300,000+ defense contractor base to not only meet new and stronger cybersecurity standards but also undergo third-party assessment and certification. Complying with CMMC will extend beyond cybersecurity teams into both compliance and supply chain risk management.

Understanding the CMMC Process
CMMC compliance is required if your organization does business with the DoD. Each organization must undergo a third-party audit to determine the maturity of its information security controls, which is rated on a scale of 1 to 5. That rating is used to determine eligibility to respond to specific RFPs. Each level has its own set of practices and processes, and vendors must meet all of the practices and processes of a level to attain it, creating an "all or nothing" approach.

While the creation and implementation of the CMMC is a step in the right direction, there is a lot of confusion and speculation related to the CMMC accreditation. Additionally, ignoring CMMC compliance could affect a company's ability to do business with defense contractors or subcontractors. The following are three common misconceptions around the CMMC certification with clarification to help required organizations stay informed on important guidelines and procedures.

Misconception #1: If Done Early, DoD Contractors Can Be Deemed in Compliance With CMMC
For a certification to take place, an assessor must review a CMMC applicant. At this time, no assessors have been certified, so no organization can be formally assessed and considered CMMC compliant. Assessors are a critical step in this process. They must first be rigorously trained and tested to be able to provide a certified assessment. Formal CMMC Certified Assessor training is slated to begin mid-to-late summer of 2021.

There has also been confusion about CMMC Service Providers and Assessors, and misinformation about companies offering CMMC services. Currently, no company has been accredited by the CMMC Accreditation Board (CMMC-AB). It is doubtful whether any will be certified to conduct audits in 2021.

Additionally, contract holders are confused by the DoD statement that the plan is to slowly roll out CMMC compliance requirements for new contracts beginning in 2021. The DoD goes on to say that every contract holder must be certified for its appropriate level by 2026. Therefore, no contract holder needs to be certified in 2021.

Misconception #2: You Can Be Audited for Potential CMMC Certification by a Company That Provides CMMC Gap Assessment and Readiness Services
As there are currently no certified assessors, and therefore no certified organizations, no organization can yet be audited for CMMC certification. CMMC requires each organization to undergo a third-party audit by a certified assessor to determine the maturity of its information security controls; a gap assessment or readiness review from a service provider is not that audit. An organization's assessed maturity level is what determines its eligibility to respond to specific RFPs.

Misconception #3: A CMMC Registered Provider Organization (RPO) Is a Certified CMMC Third-Party Assessor Organization (C3PAO)
A CMMC RPO cannot provide CMMC assessor services. As an RPO, a provider is authorized only to represent itself as familiar with the basic constructs of the CMMC standard, and may display a logo provided by the CMMC Accreditation Body (CMMC-AB) to that effect. CMMC RPOs can offer advice and readiness help, not an official assessment.

Once trained, assessors will play a critical part in the procurement ecosystem and in implementing sweeping new cyber standards for all of the DoD's 300,000+ contractors. Training for official certified assessors has not yet begun. While CMMC RPOs cannot provide assessor services, they are listed on the CMMC-AB Marketplace and have all agreed to the strict CMMC-AB Code of Professional Conduct.

Protect Your Organization, Keep Up to Date on CMMC Guidelines
How can government agencies and other contractors stay agile and not fall victim to these CMMC myths? While CMMC may be complex, with numerous rules, considerations, and steps, it is critical for organizations to keep up to date with the latest news from the DoD. Achieving CMMC compliance will help organizations prevent data breaches and other cyberattacks in the future, which will strengthen them overall. Despite the CMMC rule being delayed by COVID-19, it is still anticipated that CMMC will be in all DoD contracts by late 2025. DoD contractors and subcontractors must start preparing now.

The complexity around CMMC has caused confusion and rumors to circulate. Despite that complexity, achieving CMMC certification and compliance with this cybersecurity framework will strengthen an organization's future and its ability to be resilient, prevent data breaches, and stop unauthorized access to its networks.

About the Author(s)

John Roman

President and COO of FoxPointe Solutions

John Roman is President and COO of The Bonadio Group's Information Risk Management and Cybersecurity Division, FoxPointe Solutions. In his role at FoxPointe, he is responsible for all aspects of the operations of a national cybersecurity consultancy.
