What are we hearing from the CMMC Voluntary Assessment Program?
In August 2022, the Cyber Accreditation Body (AB) announced that Voluntary Assessments of Organizations Seeking Certification (OSCs) would begin under the authority of the DoD’s Joint Surveillance Program. Under this program, an approved CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment in coordination with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). As of this writing, three of these assessments have been conducted (although not finalized) and information on how the assessments have been going is making its way into the CMMC ecosystem.
Some of the particulars that we have been hearing from the voluntary assessments are:
- The C3PAO is performing the CMMC assessment following NIST SP 800-171, while the DIBCAC is performing its assessment following DFARS requirements. The C3PAO takes the lead in the assessment meetings (e.g., asking questions, requesting live demos, etc.). The DIBCAC attends the assessment meetings and will ask any necessary questions for their assessment. The DIBCAC conducts separate meetings with the OSC that the C3PAO does not attend that are focused on DFARs 252.204.7012 (e.g., security, incident reporting, media preservation, and flow downs to subcontracts).
- While policy maturity is not required under CMMC 2.0, OSCs still need to have documented and implemented policies and procedures. With the maturity requirement gone, the C3PAO focuses on assessing whether an OSC is doing what it is saying now versus assessing controls over a long period of time. During an assessment, the C3PAO can allow the OSC to make/implement small corrections rather than having to go on a POA&M. This is made possible because maturity is no longer required.
- To complete the assessment, the C3PAO first reviewed the policies and procedures and supporting artifacts that are requested as part of the planning process. During the assessment fieldwork, the C3PAO will ask the OSC to demonstrate the controls being performed.
OSCs Need to Ensure Employees Understand CMMC Policies and Procedures
Because the OSC has been asked to demonstrate the controls it is very important to have all the necessary individuals available during the assessment process. Additionally, these employees will need to be able to demonstrate that they “live” the policies and procedures. The C3PAO and DIBCAC will be assessing their familiarity with the control and how quickly they can demonstrate their knowledge of the control. If the employee cannot quickly demonstrate the control, it could call into question the effectiveness of the control.
- There has been much discussion of whether NIST SP 800-171 Appendix E Non-Federal Organization (NFO) controls are required under CMMC. C3PAOs have indicated that the NFOs in Appendix E are required and in many cases embedded within the 110 practices within NIST SP 800-171.
- The timeline for an OSC to get ready for a CMMC assessment can take six to 18 months. The largest lifts for an OSC can be getting the technologies in place that meet CMMC requirements. OSCs need to make sure they are using multi-factor authentication on all appropriate systems, using FIPS 140-2 validated encryption to protect CUI, using SIEM tools, and using cloud service providers that meet the FedRAMP moderate baseline.
The CMMC ecosystem continues to work toward the CMMC Final Rule going into effect in May 2022. As the voluntary assessments are showing, there is much work that OSCs need to perform to get ready for an assessment. OSCs needs to ensure they have the right technologies in place and their employees have a strong understanding of the policies and procedures and can demonstrate their understanding. OSCs cannot afford to wait for the Final Rule to come out to start this process or otherwise risk the possibility of not being able to bid on future DoD contracts.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000
About the Author
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.