Contracting with the US Department of Defense (DoD) can be lucrative, but it requires contractors and subcontractors to meet many requirements.
Cybersecurity is one of the most important DoD contracting requirements, as it’s now considered part of the foundation of DoD acquisition.
The Cybersecurity Maturity Model Certification (CMMC 2.0) framework is the most recent security requirement, and it applies to any contractor in the Defense Industrial Base (DIB).
The CMMC self-assessment is one of the first steps toward full compliance, which can be especially challenging for contractors new to the DIB sector.
Contractors must achieve “preferred contractor” status to receive consistent work from the DoD.
CMMC compliance is only one of the requirements for obtaining this status, as it demonstrates that a contractor is serious about protecting sensitive information, as defined in the Defense Federal Acquisition Regulation Supplement (DFARS) specifications.
Fortunately, the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S) provides CMMC 2.0 self-assessment assessment guides to assist in the CMMC process.
In particular, these guides explain the great difference between a self-assessment and a full compliance assessment, including their scoring methodologies.
Contractors seeking CMMC Certification must also understand the CMMC framework, including its domains, levels, and practices.
Detailed knowledge of these topics is essential for performing the self-assessment, passing a true 3rd party assessment, and obtaining the CMMC accreditation needed for preferred contractor status.
The CMMC consultants at cuick trac™ can help you determine your requirements for achieving CMMC with cuick trac™, the most cost-effective, virtual enclave solution for protecting controlled unclassified information (CUI).
Is there a CMMC self-assessment for CMMC 2.0 compliance?
Self-assessing is always a best practice for contractors needing CMMC compliance — from the supply chain to manufacturing.
Organizations who conduct thorough and periodic self-assessments, will often times find more success with implementing a security program and thwarting cyber-attacks.
A CMMC self-assessment serves to identify gaps between a contractor’s current security posture and what it needs to pass the full assessment by a Certified 3rd Party Assessment Organization (C3PAO).
It also increases the assurance that sensitive information is being adequately protected by the Defense Industrial Base (DIB).
In a shift away from CMMC 1.02, which required all DoD contractors to undergo third-party assessments for CMMC compliance, under the new CMMC 2.0, annual self-assessments are allowed under two specific situations.
CMMC Level 1 (“Foundational”): This level of compliance does not involve sensitive national security information, and is viewed as an "opportunity to engage its contractors in developing and strengthening their approach to cybersecurity," identifying vulnerabilities, and iterate on how to satisfy Level 1 practices
A limited subset of programs with CMMC Level 2 requirements: To qualify, the program must not involve CUI critical to national security
According to the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S):
A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI.
The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level.
But wait, there's more.
Contractors that qualify for annual self-assessments must be score their assessment against the DoD's clearly articulated cybersecurity standards, and will be required to submit an "annual affirmation from a senior company official" stating the company is meeting requirements.
Lastly, the Department of Defense also intends to require companies to register their self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
CMMC 2.0 self-assessment criteria & scoring systems
When conducting a true CMMC self-assessment, it’s best practice to utilize an assessor/ advisor experienced in working with the DIB and safeguarding the confidentiality of Controlled Unclassified Information (CUI).
Having them as an independent individual or company provides many benefits.
The process of assessing a contractor’s implementation of the CMMC 2.0 framework generally involves the assessor establishing objectives for each cybersecurity practice or security control, which the assessor then tests with appropriate criteria. For example, NIST controls will use NIST protocols.
These tests include interviews with individual workers, an examination of procedures in real-time, and a review of relevant system settings.
Each practice tested receives a finding of Met, Not Met, or Not Applicable.
A finding of "Met" indicates the contractor met all the requirements for that practice as described by the CMMC framework. The assessor must provide appropriate evidence to support this finding.
A finding of "Not Met" means the contractor failed to meet at least one of the requirements for the practice as described in the CMMC framework. The assessor must describe the issues resulting in this finding.
A finding of "Not Applicable" indicates a contractor is not required to implement this practice. The assessor must provide an explanation and documentation supporting this finding.
Contractors should provide accurate findings for all applicable practices in their self-assessment, even when many of those findings are “Not Met.”
This approach ensures that contractors hold themselves accountable for the shortcomings, just as an independent assessor will. Honest assessments help the company improve its security posture so it can pass the official assessment.
The DoD recently release CMMC self-assessment guides that can be downloaded at the links below:
The CMMC Accreditation Body (CMMC-AB) is responsible for authorizing third parties (C3PAOs) to audit and assess contractors and award them the appropriate CMMC certification if warranted.
The CMMC-AB has built an ecosystem of Licensed Training Providers (LTPs), and Licensed Partner Publishers (LPPs) to train and authorize individuals to conduct CMMC certification audits, referred to as Certified CMMC Assessors (CCA’s) and Certified CMMC Professionals (CCPs) to help support the audits.
CCAs will be affiliated with C3PAOs and will be the only authorized parties who can perform the actual CMMC certification audits, once Organizations Seeking Certification (OSCs) are ready to demonstrate and prove their cybersecurity posture is at the required level.
The CMMC-AB also partners with the C3PAOs to list them in the geographic areas they service and match them with contractors needing CMMC. C3PAOs are allowed to work with their clients throughout all stages of the CMMC accreditation process, not just the actual assessment itself.
These steps include both architectural planning and the implementation of practices and controls. Contractors do not have to work with C3PAOs as they prepare for CMMC, as it’s encouraged that they work with experts who they trust, but also have experience providing cybersecurity support to the DIB.
The CMMC-AB must authorize and accredit C3PAOs to conduct CMMC assessments of DoD contractors. This process requires C3PAOs to meet DoD requirements as described in ISO/IEC 17020, which deals with conformity assessment.
This section describes the requirements for organizations that perform various types of inspections, not just CMMC.
However, the CMMC-AB can authorize C3PAOs to conduct CMMC assessments before they have received their formal accreditation. However, C3PAOs must receive accreditation from the CMMC-AB within 27 months after registering for the C3PAO accreditation program.
C3PAOs must meet all DoD requirements to receive this accreditation as described in ISO/IEC 17020.
In addition to receiving authorization or accreditation from the CMMC-AB, C3PAOs must be listed on the CMMC-AB Marketplace website before they can conduct CMMC assessments.
Furthermore, the individual assessors that the C3PAOs use to conduct CMMC assessments must also be authorized or certified by the CMMC-AB.
Organizations in the DIB must select and authorize or accredit C3PAOs listed on the CMMC-AB Marketplace website.
The selected C3PAO and its client must then coordinate their plans for planning and conducting the CMMC assessment as described in a contract between the two parties.
Once the assessor completes the CMMC assessment, the C3PAO provides a report on the results. Assuming the assessment shows no deficiencies, the C3PAO then issues the certificate appropriate to the CMMC level requested by the contractor.
In addition, the C3PAO must submit a copy of its assessment report and the CMMC certificate to the DOD.
CMMC 2.0 maturity levels, focuses & process goals
The CMMC model provides a comprehensive approach to managing risks from different types of threats, starting with basic safeguarding at Level 1 and moving up through broad protection for CUI at Level 2, until we reach expert-level protection against advanced persistent threats (APTs) actors at Level 3.
Contractors seeking DoD contracts must eventually implement the CMMC practices and requirements at the level to which the contractor is aiming to achieve certification, except for the practices it’s exempt from.
Cybersecurity maturity model certification occurs in a succession of three distinct milestones known as Maturity Levels, each of which includes all of the requirements of the level below it.
In addition, each level introduces new requirements and has a focus that may be quite different from that of the previous level.
Each level also has its own Process Maturity goal indicating the extent to which the organization has institutionalized required security practices across all of its departments and individual personnel.
Process Maturity is a comprehensive measure, so it can complicate the assignment of findings from the assessment.
The following list describes the focuses and goals of each Maturity Level:
Level 1: Foundational
CMMC 2.0 Level 1 establishes a security foundation (17 practices) for the higher levels of the model and must be completed by all certified organizations.
Level 1 is intended to protect contractor information systems and limit access to authorized users, so it's required for any contractor that provides products that aren't Commercial Off the Shelf (COTS).
CMMC Level 1 requires annual self-assessments.
Level 2: Advanced
CMMC 2.0 Level 2 provides advanced cybersecurity requirements for organizations that handle prioritized and non-prioritized acquisitions that handle CUI, rather than just FCI and is most comparable to the previous version of CMMC 1.02, Level 3.
Level 2 mirrors NIST SP 800-171, with 110 security practices developed by the National Institute of Technology and Standards (NIST) to protect CUI.
This CMMC level has two thresholds for conducting assessments and the frequency at which they need to be completed, depending on the type of CUI they handle.
Companies that handle prioritized acquisitions with CUI data critical to national security will require Third-party assessments (C3PAOs) every three years.
Companies that handle non-prioritized acquisitions with CUI data not critical to national security will only require an annual self-assessment.
Level 3: Expert
The main focus of CMMC 2.0 Level 3 is to provide robust, optimized cybersecurity standards to reduce risk from Advanced Persistent Threats (APTs) for members of the Defense Industrial Base that handle data that is critical to national security.
Until rulemaking occurs (between July 2022 to December 2023), it’s difficult to know what practices will be included in CMMC Level 3, however, the DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls and a subset of NIST SP 800-172 controls.
If your long-term plan is to achieve this level of security and compliance we would recommend treating NIST SP 800-172 as the complete framework for implementation.
Get DFARS/NIST 800-171 Compliant With cuick trac™ — a private hosted, virtual enclave