If you contract for the Department of Defense (DoD), you will soon need to achieve compliance with the Cybersecurity Maturity Model Certification (CMMC), the DoD's initiative to improve cybersecurity across the Defense Industrial Base (DIB). Historically, defense contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) have been allowed to demonstrate compliance with the DoD's cybersecurity standards by conducting a self-assessment against the NIST SP 800-171 controls and submitting their scores to the Supplier Performance Risk System (SPRS). The lack of third-party oversight produced a gap between reported scores and on-the-ground cybersecurity realities. CMMC, with its focus on independent assessment, is meant to close that gap.
CMMC will require all defense contractors to undergo rigorous assessment based on the type of sensitive information that they handle and the nature of the contracts and work that they would like to pursue. Most companies handling CUI will be required to undergo third-party assessment.
Under CMMC there will be three different levels of assessments for defense contractors. This blog post will explain the difference between each, as well as provide you with information to help you identify which one your organization will need to prepare for.
CMMC Assessment Overview
CMMC is designed to establish continuity in cybersecurity standards throughout the DIB. It gives teeth to NIST 800-171, doing away with casual self-assessment in favor of rigorous assessments for all organizations handling FCI & CUI. All contractors doing business with the DoD will need to achieve CMMC compliance in order to remain eligible for contracts.
There are three levels of CMMC. The level a contractor must meet depends on the sensitivity of the information it handles and will be stated in each contract.
Companies handling exclusively FCI only need to meet Level 1 (Foundational). Level 1 is based on the basic safeguarding requirements of FAR 52.204-21 and is the only level that remains fully eligible for self-assessment.
Any company handling CUI must meet at least Level 2 (Advanced). Level 2 is based on the 110 controls of NIST SP 800-171. A small subset of these companies will be allowed to perform self-assessment, but the majority will require third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
Companies handling the most sensitive information will need to meet Level 3 (Expert). This is based on the 110 controls of NIST SP 800-171 plus a subset of the enhanced requirements from NIST SP 800-172. To achieve Level 3, an Organization Seeking Certification (OSC) must first pass a Level 2 assessment by a C3PAO; the OSC is then assessed for Level 3 directly by the government.
If you are an OSC at Level 1, or one of the small subset of Level 2 OSCs handling information not deemed critical to national security, you can rely on a self-assessment to determine CMMC eligibility. This means the assessment is performed in-house, typically led by whoever serves as your organization's CMMC lead.
For Level 1 organizations, the assessment evaluates how the OSC protects FCI against the 17 practices that apply to Level 1 (drawn from NIST SP 800-171 and mapped to the FAR 52.204-21 safeguarding requirements). Each practice is broken down into multiple assessment objectives, and every objective of every Level 1 practice must be met to achieve Level 1 compliance; there is no partial credit at Level 1.
Level 2 OSCs will need to assess against NIST SP 800-171A and meet all of the assessment objectives for the 110 controls. To be successful, Level 2 OSCs need a System Security Plan (SSP) that explains, in detail, how their policies, procedures, and technologies satisfy each assessment objective. Without an SSP there is nothing to assess against, and a DoD assessment score cannot be calculated.
Self-assessing Level 1 and Level 2 OSCs will be required to repeat the self-assessment annually and to produce an annual affirmation from a senior company official stating that the company continues to meet all requirements. The self-assessment results and affirmations must be registered in the DoD's SPRS.
Companies handling CUI must also be able to demonstrate the three following additional considerations:
- First, companies must demonstrate that they are employing FIPS-validated cryptography to protect CUI. Not all encryption is created equal: "FIPS validated" means the cryptographic module itself (not merely the algorithm it uses) holds a certificate under NIST's Cryptographic Module Validation Program, against FIPS 140-2 or its successor FIPS 140-3. Using an approved algorithm such as AES from an unvalidated library is at best "FIPS compliant" and does not satisfy the requirement.
- Second, companies must ensure that they are compliant with DFARS 252.204-7012 paragraphs (c) through (g), which tell defense contractors how to handle cyber incidents such as theft of corporate data or ransomware attacks. Among other things, paragraph (c) requires reporting a cyber incident to the DoD within 72 hours of discovery, and paragraph (e) requires preserving images of affected systems and related monitoring data for at least 90 days so the DoD can request them.
- Third, if the OSC uses a cloud service provider (CSP) to store, process, or transmit CUI, it must ensure that the CSP meets the FedRAMP Moderate baseline or equivalent. The CSP must also comply with DFARS 252.204-7012 (c)-(g) for incident reporting; the contractor should confirm this contractually rather than assume it.
Third Party CMMC Assessment
Most Level 2 OSCs and all Level 3 OSCs will be subject to third-party assessment. The CMMC Accreditation Board (CMMC-AB, since renamed the Cyber AB) has authored the CMMC Assessment Process (CAP) handbook to explain the roles, responsibilities, requirements, and timeline for how Level 2 assessments will proceed and what contractors need to do to prepare.
Third party assessments will be conducted by a C3PAO. These assessments are made up of four phases.
Phase 1: Plan and prepare the assessment
This phase focuses on ensuring that the assessment will be able to meet the consistent CMMC assessment standard. In this phase the roles and responsibilities of the OSC and the C3PAO evaluating that OSC are established. Phase one also establishes the assessment scope.
In phase one the C3PAO will check whether the OSC is using any external CSPs and, if so, that they meet the requirements established in DFARS 252.204-7012. The C3PAO also checks that the OSC has evidence to meet a substantial number of assessment objectives. The OSC will need to provide the results of a self-assessment along with a list of evidence, a robust SSP, a list of all personnel involved in the procedures being evaluated, and any other relevant documentation.
If the OSC has not adequately prepared for assessment, then conducting the remaining three phases is not feasible. The process will pause until the OSC can provide the above assurances of readiness. The OSC will need to do this independently; the C3PAO evaluating the OSC cannot offer any advice, implementation assistance, or recommendations on how the OSC can improve or enhance their preparedness.
Phase 2: Conduct the assessment
If an OSC demonstrates sufficient readiness for assessment, the next step is to conduct the actual assessment. In this phase, the C3PAO assesses how well the organization meets the CMMC model.
In the assessment, the C3PAO will check the OSC's fulfillment of every control and every assessment objective in NIST SP 800-171A. The C3PAO will collect, examine, and analyze the evidence provided by the OSC, and conduct interviews with OSC personnel, in order to determine whether the practices in place meet the required standard. The assessment team will record any gaps between the OSC's practices and the CMMC model practices.
Once the C3PAO has thoroughly familiarized themselves with the OSC’s system, the C3PAO will generate and validate preliminary recommended findings and determine the final CMMC results on a binary scale of met / not met.
An OSC that does not fully satisfy every control at the time of assessment may still receive a conditional result, with Plans of Action and Milestones (POA&Ms) as temporary stopgaps for the controls that are not yet fully met. To be eligible, the organization must already meet at least 80% of the CMMC Level 2 practices, which is 88 of the 110 NIST SP 800-171 controls. Eligibility also depends on which specific controls are unmet.
Each of the 110 controls is weighted 1, 3, or 5 points, following the DoD's NIST SP 800-171 assessment methodology (the same weighting behind SPRS scores, which start at 110 and lose a control's weight for each unmet control). Only select 1-point controls are eligible for POA&Ms. If any 3- or 5-point control is not completely satisfied at the time of assessment, the OSC will not achieve CMMC compliance and will be graded "not met" regardless of its overall percentage.
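As an added example (not code from the original post or from PreVeil), the following calculator applies the rules just described to the list of unmet controls from a self-assessment: it computes the DoD methodology score and decides whether the result would be met, conditional (POA&Ms allowed, 180-day close-out), or not met. The set of 1-point controls treated as POA&M-ineligible, and the per-control weights in the sample data, are assumptions of this example and should be checked against the current DoD assessment methodology table and the CMMC rule before you rely on them.

```python
from dataclasses import dataclass

TOTAL_CONTROLS = 110   # NIST SP 800-171 requirements assessed at Level 2
POAM_MIN_MET = 88      # 80% of 110, rounded up: the floor for a conditional result
SCORE_FLOOR = -203     # lowest possible DoD assessment methodology score
MAX_POAM_DAYS = 180    # close-out window for a conditional certification

# 1-point requirements that the post says are still not POA&M eligible ("select"
# 1-point controls). This particular set is an assumption of this example, taken
# from the author's reading of the CMMC rule; confirm it against the current text.
POAM_INELIGIBLE_ONE_POINT = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})


@dataclass(frozen=True)
class Unmet:
    """One NIST SP 800-171 requirement whose assessment objectives are not all met."""
    control: str   # requirement id, e.g. "3.1.1"
    weight: int    # DoD assessment methodology value: 1, 3 or 5


def sprs_score(unmet: list[Unmet]) -> int:
    """DoD methodology score: start at 110, subtract the weight of every unmet
    requirement, never below -203. A fully implemented system scores 110."""
    for u in unmet:
        if u.weight not in (1, 3, 5):
            raise ValueError(f"{u.control}: weight must be 1, 3 or 5, got {u.weight}")
    return max(TOTAL_CONTROLS - sum(u.weight for u in unmet), SCORE_FLOOR)


def level2_outcome(unmet: list[Unmet], ineligible=POAM_INELIGIBLE_ONE_POINT) -> dict:
    """Apply the Level 2 POA&M rules from the post:
    - nothing unmet                                   -> "met"
    - >= 88 met and every gap a POA&M-eligible 1-point -> "conditional" (180 days)
    - any 3/5-point gap, ineligible 1-point gap,
      or fewer than 88 met                            -> "not met"
    """
    controls = [u.control for u in unmet]
    if len(set(controls)) != len(controls):
        raise ValueError("a requirement may appear only once in the unmet list")

    met_count = TOTAL_CONTROLS - len(unmet)
    # Gaps that can never sit on a POA&M: any 3- or 5-point control, plus the
    # excluded 1-point controls.
    blockers = sorted(u.control for u in unmet if u.weight != 1 or u.control in ineligible)

    reasons = []
    if met_count < POAM_MIN_MET:
        reasons.append(f"only {met_count}/{TOTAL_CONTROLS} met; POA&M needs {POAM_MIN_MET}")
    if blockers:
        reasons.append("POA&M not permitted for: " + ", ".join(blockers))

    if not unmet:
        status = "met"
    elif reasons:
        status = "not met"
    else:
        status = "conditional"

    return {
        "score": sprs_score(unmet),
        "met_count": met_count,
        "status": status,
        "poams": sorted(controls) if status == "conditional" else [],
        "blockers": blockers,
        "reasons": reasons,
        "closeout_days": MAX_POAM_DAYS if status == "conditional" else 0,
    }


# Constructed sample self-assessment results. The weights are the author's
# recollection of the DoD methodology table and are inputs, not facts the code
# derives; the "placeholder-NN" ids stand in for 23 arbitrary 1-point controls.
SAMPLE_CONDITIONAL = [Unmet("3.1.4", 1), Unmet("3.1.7", 1), Unmet("3.1.10", 1)]
SAMPLE_BLOCKED = [Unmet("3.1.20", 1), Unmet("3.5.3", 5)]          # excluded 1-pt + a 5-pt gap
SAMPLE_BELOW_FLOOR = [Unmet(f"placeholder-{i:02d}", 1) for i in range(23)]  # 87 met

if __name__ == "__main__":
    for name, gaps in [("fully met", []), ("conditional", SAMPLE_CONDITIONAL),
                       ("blocked", SAMPLE_BLOCKED), ("below floor", SAMPLE_BELOW_FLOOR)]:
        print(f"{name:12s} {level2_outcome(gaps)}")
```

Feed it the real list of unmet requirements from your NIST SP 800-171A self-assessment and the "reasons" field tells you what stands between you and a conditional result: a 3- or 5-point gap has to be closed before the C3PAO visit no matter how high the overall score is, whereas a handful of eligible 1-point gaps can ride on a POA&M.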
Phase 3: Report recommended assessment results
In this phase the Lead Assessor from the C3PAO will deliver the recommended assessment results to the OSC and give their verdict of met / not met. If the OSC achieves ‘met’ through the use of POA&Ms, the Lead Assessor will list those POA&Ms at this time.
The C3PAO will review any listed POA&Ms to confirm that the OSC meets the 80% "met" minimum required to proceed to the POA&M Close-Out Assessment option. If the OSC falls below that floor, or needs a POA&M for any 3- or 5-point control, it will not be recommended for certification.
Phase 4: Close out POA&Ms and assessment
If the OSC received a conditional CMMC Level 2 certification during phase 3, then the final step is to close any open POA&Ms within 180 days. In order to receive CMMC Level 2 certification by the end of that 180 day period, the OSC must close all open POA&Ms and have a C3PAO verify that the POA&Ms are closed out.
Level 3 Government Assessments
The OSCs handling the most sensitive CUI must first meet Level 2 CMMC in order to become eligible for Level 3 review. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) itself will conduct level 3 assessments, which will include all 110 NIST 800-171 controls plus an additional subset of NIST 800-172 controls.
The DoD has not yet published an assessment guide for Level 3 assessments; according to the DoD, the Level 3 assessment requirements are still under development. Level 3 OSCs should prepare to meet Level 2 compliance now and remain ready to undertake additional preparations when further information is released.
Getting Ready for CMMC
Irrespective of the level of compliance you are seeking, it is important to get ready for assessment now. Achieving readiness for assessment can take upwards of a year and you won’t want to become ineligible for government contracts if CMMC goes into effect and you can’t finish your preparations in time.
Begin by familiarizing yourself with the CMMC framework. Determine which CMMC level your organization needs to achieve and scope your compliance boundary. The more you can limit your boundary, the more economically you’ll be able to achieve compliance, in terms of both money and time.
Once you know your scope and your target level, prepare for and complete a self-assessment to see where you stand. Most OSCs will find that they are not yet ready for C3PAO assessment after self-assessment. A managed service provider (MSP) or registered practitioner (RP) can assist your team in achieving readiness.
For a more detailed step-by-step overview of how to prepare for CMMC assessment, see our CMMC Compliance Checklist.
How PreVeil can help
If you’re a defense contractor that handles CUI and needs to meet Level 2, PreVeil can significantly help in your compliance journey.
PreVeil’s end-to-end encrypted email and file sharing platform secures your CUI and further saves you time and money by providing documentation along with a rich partner network.