The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework for Department of Defense (DoD) contractors that combines various requirements and standards to determine the defense supply chain’s cybersecurity maturity. This United States DoD program has been implemented throughout the Defense Industrial Base (DIB) sector which is made up of more than 300,000 organizations. The CMMC was created by the DoD in response to substantial compromises of confidential defense-related information stored on defense contractors’ IT systems.
Version 1 of the CMMC standard was released by the Department of Defense on January 31, 2020. The standard includes five certification levels which indicate the reliability and maturity of a company’s cybersecurity infrastructure. Each level builds upon the previous level’s technical requirements. This means that companies that reach higher levels must also comply with the requirements of each lower level.
The DoD is implementing rolling deadlines for contractor CMMC certification. This process began with a self-audit for existing contractors which took effect in January 2021. All new defense contracts are expected to contain CMMC certification requirements by fiscal year 2026. By this time, every vendor in the defense supply chain must become CMMC certified. For many businesses, becoming CMMC-certified may mean the need for significant changes and updates to their cybersecurity programs.
Businesses whose revenue relies partially or fully on government contracts have recently encountered mandatory regulations that align closely with NIST SP 800-171. Any organization working with the DoD or federal government must be audited against CMMC requirements by a certified third-party CMMC assessor and go through the necessary steps to reach CMMC compliance.
What Is A CMMC Audit?
A CMMC audit is an assessment of a company’s cybersecurity, performed by an accredited CMMC Third-Party Assessment Organization (C3PAO). Since CMMC is still in its development stages, the Accreditation Body currently consists of volunteers who work independently of the DoD. Assessors are still being trained and most C3PAOs are awaiting their own assessment, meaning it will take time before third-party assessments are widely available. Although CMMC compliance does not become mandatory until 2026, businesses should begin preparing for a CMMC audit now, as assessors are likely to be in high demand once they become available.
What Does The CMMC Audit Process Consist Of?
Contractors who wish to bid on future DoD contracts must first become certified to one of the five CMMC levels by a C3PAO. The CMMC audit process consists of several steps, including the following:
Review Of The Existing Cybersecurity Program
The audit will generally begin when a C3PAO reaches out to the person responsible for the company’s cybersecurity. This may be a network administrator, third party or dedicated CISO. Next, the C3PAO will review the existing cybersecurity program to gain a better understanding of the environment. Information must also be provided to explain what controlled unclassified information (CUI) is stored and transmitted by the business and how this is achieved.
Assessment Of Currently Used Controls
Once the C3PAO becomes familiar with the cybersecurity program, the currently used controls are reviewed. These controls refer to countermeasures that the company has implemented to prevent, detect or reduce security threats. The C3PAO will perform an in-depth assessment of the program to ensure that all controls that are supposed to be in place are available.
Verification Of Control Implementation
The next step in the audit program involves looking at individual controls to verify that they have been successfully implemented. The auditor may ask the person responsible for the company’s cybersecurity to explain various processes or demonstrate how certain controls work.
Delivery Of An Official CMMC Audit Report
The last step in the CMMC audit process involves issuance of an official audit report by the C3PAO. The audit report should detail how the audited business performed and whether the business meets the necessary requirements to reach the target CMMC compliance. Specific details regarding the C3PAO’s findings are typically kept confidential to prevent damage to the company’s reputation.
What Expenses Are Associated With CMMC Audit Preparation?
CMMC audit preparation also means being prepared financially. What many companies overlook are the various costs associated with a CMMC audit, including both soft costs and hard costs. Audit preparation costs are referred to as soft costs and include the expense of preparation and external consultancy. Audit preparation costs can range from $15,000 to more than $100,000, depending on factors such as the scope and target CMMC level.
There are also hard costs associated with the audit preparation process. Hard costs refer to the investments made prior to the audit to ensure that audit requirements are met. These investments can quickly accumulate, resulting in a price tag of $20,000 to $60,000 or more. Hard costs may include the costs of implementing authentication mechanisms, log monitoring and endpoint security. Individual hard costs for completing a CMMC audit can range from $10,000 to $40,000.
Tips To Prepare For A CMMC Audit
There are several things that businesses can do to prepare for a CMMC audit and improve their chances of a successful outcome.
1. Start Preparing Early On
One of the biggest mistakes that a business can make when aiming for CMMC compliance is waiting until the last minute to prepare for an audit. Businesses that have not already begun to prepare should start as soon as possible. CMMC is considered much more stringent than earlier cybersecurity frameworks, and building a mature cybersecurity program that meets its requirements will take considerable time. DoD contractors should start preparing for an audit at least six months in advance, or earlier if the company does not yet have a robust security program in place.
2. Determine The Target CMMC Level
Defense contractors must determine what CMMC level they want to achieve when preparing for an audit. A target CMMC level can be determined by inventorying the data in their network and by assessing the contractor’s use of CUI and Federal Contract Information (FCI). If a contractor does not have the capabilities needed to perform this preliminary data assessment, a managed service provider (MSP) can help carry it out. Only suppliers who seek CMMC levels two through five are required to go through an audit.
3. Identify The CUI Environment
The next step in CMMC audit preparation involves determining what systems and assets are in scope. Consider any assets that come into contact with CUI, whether directly or indirectly. These assets are what form the CUI environment. In most cases, a CUI environment is established by the contracting official at the DoD. In the case of subcontractors, the CUI environment is set by the prime contractor. When preparing for an audit, aim to identify the scope of the environment through internal assessments in advance.
4. Complete The NIST 800-171 Self-Assessment
NIST 800-171 plays a pivotal role in CMMC audits. This standard consists of a set of guidelines that businesses must follow when storing, transmitting or processing CUI in their systems. A CMMC applicant is responsible for submitting a cybersecurity self-assessment based on NIST 800-171. Current DFARS mandates (7012, 7019 and 7020) require DoD contractors to perform self-assessments against the NIST 800-171 standard. If you have questions regarding the DFARS mandates, Vaultes services can assist you.
5. Perform A Gap Analysis
It is important for businesses to determine where they currently stand when preparing for a CMMC audit. A gap analysis can help companies determine which aspects of their current cybersecurity program need attention. When performing a gap analysis, pay close attention to how CUI is stored, transmitted and processed, and ensure that every process and system has an ‘owner’ responsible for maintaining the necessary CMMC controls.
6. Develop A Plan For Compliance
For many businesses, the road to CMMC compliance is a long one. It is nonetheless important to have a plan in place to keep the company on track. A remediation roadmap should be created based on the costs calculated and priorities determined during the previous phases. Build some wiggle room into the roadmap to accommodate possible delays, so that the company is fully prepared before the audit date.
7. Implement A Monitoring Process
It is important to remember that a CMMC assessment only views a business in its current state. Do not make the mistake of allowing compliance to lapse, which would force the business to reestablish compliance before the next audit. Failure to maintain compliance can lead to lost DoD contracts in the event of a breach. Implement a monitoring process to ensure that any changes to systems, processes or controls are made quickly and efficiently, preventing compliance issues. The DoD also requires contractors to continually monitor their systems and report incidents.
Speak With An Experienced CMMC Third-Party Assessor
CMMC audits are an essential process in safeguarding national cybersecurity. Today, contractors and subcontractors must meet higher security standards than ever before to achieve compliance and successfully win bids on government contracts. Partnering with an experienced CMMC Third-Party Assessment Organization can help ensure that your business is prepared to meet the strict requirements of a CMMC audit. If you have received a compliance request from the DoD or are unsure whether CMMC applies to your organization, the experts at Vaultes can help. Contact us today online or at 202-816-6658 to learn more or to get started.