The CMMC Compliance Guide: Prepping, Paying and Implementing It
By Jeremy Louise | November 14th, 2019
Believe it or not, the day that many of us thought would never arrive is finally here: the Department of Defense is actually going to start enforcing the DFARS/NIST 800-171 compliance requirements. If the conversations that I’ve been having with a lot of my managed IT services clients are of any indication, there’s certainly a lot of surprise- and dread- to go around.
As a direct result of this action and in an attempt to properly secure the Defense Industrial Base (DIB), the DoD has introduced the Cybersecurity Maturity Model Certification, otherwise called the CMMC. At its core, the CMMC is designed to be an assessment model and certification program intended to clarify the degree in which contractors safeguard both their own and customers’ CUI. As always, and as with anything related to IT or compliance, it’s a recent progression that will require you to keep a few key things in mind.
What is CMMC?
Maybe the most important factor to understand about all of this is that, unlike in previous years, the various contracting authorities that you’re working with will NOT accept a SSP (System Security Plan) and/or POA&M (Plan of Action and Milestones) as evidence of intent to eventually adhere with DFARS compliance or as an unofficial, long term compliance deferment strategy.
Instead, under the CMMC, contractors will begin being audited and evaluated based upon their implementation of the requirements’ technical controls – 110 to be exact. This can include but is not limited to formulating detailed IT policies, generating comprehensive network documentation and soon to come with Revision B, performing annual penetration tests to validate adherence to compliance and verify their CUI’s security posture.
It is our understanding that following a CMMC audit, you will be designated a certification level ranked on a scale of 1 to 5, with 5 being the most secure. Most organizations will likely be required to adhere to the 3rd tier, but regardless of the CMMC level you are required to attain, your certification level and adherence to it, will determine the types of contracts you will be applicable to acquire.
It’s also essential to reiterate that this CMMC level requirement will flow down to ALL subcontractors, prime and subcontractors alike, that are a part of the DoD supply chain. According to Katie Arrington, CISO for Acquisition under the Office of the Under-Secretary of Defense of Acquisition and Sustainment, only about 5% of contractors that will require CMMC are currently compliant, meaning that there is certainly a lot of work to be done to that end. As the Secretary of Defense has also stated, future RFPs will require a CMMC designation if you handle Controlled Unclassified Information (CUI)- period. All of this means that the CMMC is something you need to start thinking about as it is evident that this will become the standard framework for working with the DoD and any other government or federal agencies in the near future. The Department of Defense will begin finalizing the CMMC certifier accreditation program as soon as January 2020, with the accreditation process itself expected to begin by June 2020. Based on this timeline, it’s likely that we will see the first accreditations go out in the second half of 2020 with contractor evaluations -meaning the ones you have to care about- beginning shortly thereafter.
A dedicated team of auditors will be conducting these CMMC audits, but it is unclear how they will select the contractors that will be reviewed. If the costs of implementing these controls has you concerned, one important change moving forward will be the opportunity to recover, from the prime contractor, the expense of these solutions as an ‘allowable cost’;
If the IT compliance changes in Europe as well as New York or California are of any indication as to what will become the new norm, and regardless if you are currently required to adhere to the CMMC, your compliance posture will soon become a core element of your best value proposals and marketability. This presents an interesting opportunity to not only introduce increased rates, but new bidding strategies that leverage your CMMS posture as a true competitive advantage over your historical competitors that delayed to implement these similar compliance measures.
Because these numerous compliance controls present a considerable cost to any organization, we encourage that you weigh the benefits of attaining CMMC vs. their associated costs to determine if any missed contract opportunities are worth the trouble of implementing these compliance requirements. If the costs outweigh the potential benefit or if you don’t have the financials to hire additional IT security/compliance professionals, you may want to consider cutting your losses or outsourcing your compliance needs to a reputable managed services provider or managed security services provider.
Preparing to Implement CMMC Controls- Cost Effectively
The good news is that getting ready for CMMC certification isn’t necessarily difficult IF there is a precise, regimented plan in place addressing your strategic gaps alongside a solid understanding of how to minimize the exposure of CUI throughout your organization. At the very least, you can accomplish this by making sure that the parts of your network that are accessing CUI are segregated from the broader network. Minimizing your ‘exposure’ to CUI is one of the most critical ways that can significantly minimize your costs and achieve compliance in a way that is both complete and cost-effective. If implementing all 110 controls at once isn’t an option, focusing on the most heavily weighted compliance controls is another avenue that can be pursued. Certain requirements will be weighed differently based on their criticality, and during the CMMC auditing and certification process, you will have a chance to indicate your intention to implement the remaining controls that are relevant to you; This is another part of the Plan of Action and Milestones (POA&M) process.
Once you arrive to this point, you can begin the assessment phase where you a baseline for recommendations is created that address any gaps that may impact your CMMC/compliance posture. Based on the actionable insight you from this assessment, you can start formulating a strategic roadmap addressing these gaps and ultimately move onto the implementation of those controls in preparation of any audit or vendor driven compliance verification request.
This assessment should clearly determine your compliance posture alongside all the steps required to address them. Because you have to create one of these documents anyway-as part of your annual security assessment requirement- you should do so to help guide your efforts to make sure you’re paying the appropriate amount of attention to the most heavily weighted compliance requirements of CMMC. In a way, it’s your best chance to kill two birds with one proverbial stone and benefit from a deferment of the implementation costs.
Of course, you could also dramatically minimize your larger implementation costs by choosing to partner with a managed services provider that is well oriented with these compliance requirements – something that I referenced above but that is absolutely worth repeating. Note that about 95%+ of all CMMC certification requirements are information technology security-related and working with an MSP or MSSP will provide the resources and expertise required for a successful compliance strategy. In addition to the ongoing management of your compliance strategy, your MSP/MSSP can also work with your auditors or clients to verify you adherence and ensure you’re positioned for long term success, rather than investing in additional internal resources to accommodate to these new IT requirements.
If partnering with an MSP/MSSP is your likely route, keep in mind that you need to give your provider considerable time to get you to the point where you need to be. Generally speaking, it takes several months- at a minimum- to get everything into place and requires the ongoing testing and configurations of these solutions to complement your existing security tools, daily CUI management processes and today’s ever evolving cyber threats. To say that CMMC certification is a huge undertaking is a bit of an understatement, especially considering that you’ll be required to constantly verify the security posture of the greater network and your end user environment accessing CUI. There is a high degree of expertise required to successfully implement these controls and relying on a small IT team or network administrator is both unfair to them and your organization as a whole- even if they’re insistent that they can accomplish this!
If nothing else, remember that CMMC certification is NOT something you want to wait until the last minute to do. At the very least, you should perform an assessment as soon as you’re able, to help forecast your expenses as well as provide the chance to identify the who/what/when/where’s of the process to clarify exactly what you need to do to become compliant so that it isn’t a complete surprise to your company.
Preparing for CMMC Certification, Together
At TSI Support International, we understand how important CMMC certification is - and we're also aware that this is one road you're not necessarily eager to travel down alone. But the good news is that we’ve been addressing these and similar compliance requirements for over 20 years, and confident we can help you as well. To learn more about how we can help your organization, feel free to contact either myself or a colleague at TSI to schedule your introductory phone call. That way, we can make sure you’re best positioned to address these requirements and can focus on growing your business.