As part of the Cybersecurity Maturity Model Certification’s (CMMC) Version 2.0, the Department of Defense (DoD) is requiring all contractors to perform self-assessments to verify that they meet compliance. These must be submitted annually, both from those that have currently achieved CMMC status, as well as those that intend to apply. Why should your organization be concerned about the DoD’s CMMC assessment, if it’s something your team will manage internally?
Loss of Contracts
All self-assessments are submitted to the DoD’s Supplier Performance Risk System (SPRS) before being audited by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”). FutureFeed notes that nearly three-fourths of defense contractors that submitted perfect scores were later found to have “multiple deficiencies” in their programs. This puts them at risk for being barred from contractor status with the government — and current projects terminated — until those scores are improved.
If you haven’t met the requirements for CMMC yet, negative assessment results could further delay your certification. While this may not be as detrimental to your operations as those that are halted mid-contract, it can still disrupt any future contracts you had intended to perform based on your revised timeline for meeting compliance.
Data Privacy Concerns
Even if delayed certification is only a mild annoyance based on the services you provide, it could still create a negative impression of your organization. At the very least, your network and its data will be more vulnerable to an attack. Other entities besides the government that already partner with you or contract your services may start to question how reliable your data privacy was prior to the DoD’s audit, potentially souring those relationships and leading to lost business.
Now that you understand the risks for noncompliance, what are steps you can take to protect your status and meet the requirements for CMMC? Below are suggestions to coordinate with those who oversee your information technology, whether that’s an internal IT team or a managed service provider (MSP).
One of the Defense Federal Acquisition Regulations Supplements (DFARS) that you’ll want to pay special attention to is 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls. It states that you must have a plan of action that lays out “an alternate but equally effective security measure” for every requirement you aren’t able to meet. This will be taken into consideration when the DoD audits your self-assessment.
Managed Service Provider (MSP)
If you outsource your IT management to a third-party provider, we strongly recommend asking them the following CMMC-related questions. These are adapted from our 10 Questions to Properly Vet Your Managed Service Provider, which you can read in full here.
What is the MSP’s experience implementing NIST SP 800-171 in organizations your size?
A provider should have references for this kind of implementation because you will want to understand the flow and user access of your data. For example, healthcare organizations need to know who can access their medical records, and why.
Because the 110 security controls for NIST SP 800-171 have been the law for at least five years, your provider shouldn’t have any questions about what it takes to implement them.
What are the MSP’s CMMC certifications?
Providers should have certifications that prove they are cybersecurity professionals, including CISSP, CISA, and CEH. But keep in mind that some certifications are only entry level, like Security+, CSX, and MTA. You can confirm at the CMMC-AB Marketplace website that your provider has received the appropriate training and certification to be competent in their role.
What is your MSP going to do if your organization is the victim of hacking?
They must be transparent on their scope boundaries. You should establish a Service Level Agreement (SLA) that includes protocols for this kind of incident response. Your provider should have logs that document how they will respond to your systems, networks, and devices during an attack. You should be able to request logs that capture activities on endpoints, routers, application events, proxies, and Internet-of-Things (IoT) devices.
What is your MSP going to do when you get audited?
Will your provider be present or available during an audit, and will they assist with any documentation requests? Both would be ideal. Confirm whether remediation efforts are included in your initial contract’s costs, or come with an additional fee.
How will your MSP test the cybersecurity they implement for your organization?
Testing protocols should be clearly documented in a Statement of Work (SOW). These should be discussed during the Intake and Planning process, and approved by both the Organization Seeking Certification (OSC) and vendor of choice.
What is your MSP’s timeline for implementing NIST SP 800-171?
The Lead Assessor and OSC should determine jointly what the scope, boundaries, staffing, dates, duration, scheduling dependencies, and pricing should be. All parties will need to agree and sign the official Work Plan.
Registered Provider Organization (RPO)
Registered provider organizations are able to review your current level of cybersecurity and make recommendations on what changes you should make. While RPOs cannot grant certification or provide audits, they can provide you with a full understanding of what CMMC requirements you may be lacking so that there is no confusion during your self-assessment and subsequent reporting to the DoD.
As a Cyber AB-certified RPO, HCRS can help you in these areas, as well as work with you to develop your CMMC Master Plan. In turn, you’ll understand the cybersecurity requirements for CMMC and its assessments, develop a budget based on vetted vendors and products, execute and maintain CMMC controls and practices, know what deliverables auditors will expect, and implement a coordinated strategy with your IT for business process improvement.
Looking for additional information on CMMC 2.0’s release schedule? Read about the phased approach planned for 2023, then let us know when you’re ready to talk about a program.