In another show of momentum toward implementation of the Department of Defense’s CMMC framework, the Cyber Accreditation Board (Cyber AB) recently released its draft CMMC Assessment Process (aka CAP). The release of the CAP means that voluntary assessments can begin. In fact, according to Matthew Travis, CEO of the Cyber AB, several assessments are already scheduled to start this month.
Organizations queuing up for the opportunity to be assessed now understand the competitive advantage of positioning themselves to achieve CMMC Level 2 certification. They’re staying ahead of the curve by clearly demonstrating to primes that they will be in compliance when CMMC is implemented via an Interim Rule expected in March 2023. Release of the CAP keeps CMMC’s implementation schedule on pace.
The CAP—yet to be formally endorsed by DoD—provides guidance for third-party assessments of organizations seeking to achieve CMMC Level 2 certification. Note that any organization that handles Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2, as verified by an independent third-party review.
The CAP’s purpose is to ensure the highest possible accuracy and quality of third-party assessments—and, importantly, to maximize consistency across assessments, whether they’re done for a small bolt shop in California, a massive Navy shipbuilder in Maine, or anywhere in between.
All CMMC Level 2 third-party assessments will be conducted by Certified Third-Party Assessment Organizations (C3PAOs), which are accredited by the Cyber AB after intense training and high-stakes testing. For the voluntary assessments that can begin now, auditors from the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will partner with and oversee the C3PAOs’ work. DIBCAC, the DoD’s ultimate authority on compliance, is lending its weight to the assessments under a Joint Surveillance Voluntary Assessments program created by the DoD for this purpose.
At this point, prior to CMMC rulemaking, the voluntary assessments will be based on NIST SP 800-171 and done in conformance with DIBCAC High methodology. According to Matthew Travis of the Cyber AB, the draft CMMC Interim Rule provides for converting these Joint Surveillance Voluntary Assessments to CMMC Level 2 certification when CMMC 2.0 goes into effect.
Release of the CAP is a significant step toward making the CMMC program a reality. Federal rulemaking action to implement the CMMC framework is expected in March 2023, with CMMC requirements appearing in DoD contracts 60 days later.
The security controls required for CMMC Level 2 certification will align with the 110 security controls of NIST SP 800-171. Notably, defense contractors that handle CUI are already required to comply with NIST SP 800-171.
This means that defense contractors need to take action now to:
The CAP’s guidelines make it clear that assessors will examine evidence of compliance not only with the NIST SP 800-171 requirements outlined above, but with additional requirements including:
Note that if an organization uses a cloud service provider (CSP), the CSP must also comply with 7012 (c)-(g). Organizations should confirm this and ask their CSP for documentation showing that it meets these requirements.
This means that contractors need to confirm that their CSP either is FedRAMP Moderate baseline or can demonstrate Equivalency. The CAP specifies two criteria for the demonstration of Equivalency:
It is important not to simply accept a CSP’s self-attestation of Equivalency; instead, ask for documented evidence that it meets the two CAP criteria above.
Momentum is building toward implementation of CMMC 2.0. Prime contractors, who have the most to lose, fully understand the risk to their business of being unable to demonstrate compliance with DoD requirements. To protect their businesses, they have also already begun to expect their subcontractors to make progress toward meeting the requirements. Indeed, the Nov. 2020 DFARS Interim Rule requires primes to take responsibility for the security of their supply chains.
If you are a small- to mid-size company aiming to continue to do business in the DIB, you want to avoid being seen as a weak link in the supply chain. Instead, the best move you can make to safeguard the long-term viability of your business is to start now to position yourself to meet CMMC Level 2 requirements. Release of the CAP is another clear sign that CMMC 2.0 is becoming reality.
PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromised security for storing and sharing CUI. Organizations can easily add PreVeil to their existing IT environments (including Microsoft 365 Commercial), dramatically reducing the time and expense required to achieve compliance.