The information in the article below has been superseded by CMMC 2.0 in mid-November 2021.
The Cybersecurity Maturity Model Certification (CMMC) was created to enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector and is intended to ensure that all companies in this ecosphere implement appropriate cybersecurity practices to protect the information they access and hold. In April, we provided an overview of the CMMC process and gave some thoughts on why it is relevant and important for a company within the DIB sector to move forward now on CMMC initiatives.
The slow pace at which CMMC Third-Party Assessment Organizations (C3PAOs) are being authorized, coupled with a lack of clarity on the final form of the certification process, may leave you unsure of when to start your internal efforts, or what to focus on while you wait for further guidance. It is possible that the original rollout schedule for the CMMC requirement may be delayed, and many are speculating as such. Even if that is the case, we recommend that you continue to move forward on your CMMC journey on the assumption that the original timeline remains intact. There is much you can and should do now to lay the foundation for certification, and none of it will be in vain as you wait for further clarity on the certification process and timeline.
Here are a few things for you to consider now as a participant in the DIB sector.
First – you should assess your internal environment against NIST 800-171. As mentioned in the M&A article referenced above, CMMC is largely based on existing standards including NIST 800-171, making this a great place to start. CMMC Levels 1 and 2 require 110 controls to be present. Levels 3, 4 and 5 have additional controls that are required, so you will need to know where in the CMMC hierarchy your organization falls. At a minimum, though, begin by self-assessing against the 110 controls required for Levels 1 and 2, and build a plan to remediate any identified gaps in advance of compliance being required for certification. Remember – not only do you need to have the controls in place, but you also need to be able to provide evidence of them to your assessor. Focus on documentation, not just the control!
Second – begin to build relationships within the CMMC provider database. There are two particular areas to consider. First, consider identifying a Registered Provider Organization (RPO) or a Registered Practitioner (RP) to help you through your journey. RPOs and RPs provide advice, consulting, and recommendations to their clients, but do not conduct certified CMMC assessments. Partnering with a strong RP or RPO in advance of your certification is a great way to ensure you have considered all your variables and are ready for assessment. Second, consider identifying a C3PAO in advance, so that when your time for assessment comes, you’ve already built a working relationship with the organization that will perform the assessment. As we at McKonly & Asbury LLP await our approval as a C3PAO (Level 3), we’d be pleased to have a conversation with you regarding our services.
Finally – don’t lose sight of what this is all about. CMMC is chiefly focused on the protection of Controlled Unclassified Information (CUI) and on ensuring that organizations across the DIB sector have implemented cybersecurity protocols to protect such information. Thinking more broadly and stepping outside of CUI, it is in the best interest of ALL organizations to have strong, validated cybersecurity protocols in place, not only to protect national security but also to ensure the longevity and success of the organization itself. Even if CMMC requirements appear to be far away on your horizon, taking steps now towards compliance will also serve to protect your organization and all of your information. Looking at it in the context of organizational health, it seems clear that you should be ensuring compliance with NIST 800-171 now, and not waiting until CMMC requires it.
If you have further questions on CMMC, Cybersecurity or how to move forward with a self-evaluation of your compliance with the NIST 800-171 framework, please reach out to David Hammarberg, Partner and leader of McKonly & Asbury’s CMMC and Cybersecurity practices, at email@example.com.