Contracting with the US Department of Defense (DoD) can be lucrative, but it does require contractors and subcontractors to meet many requirements. Cybersecurity is one of the most important DoD contracting requirements, as it’s now considered part of the foundation of DoD acquisition.
The Cybersecurity Maturity Model Certification (CMMC) framework is the most recent security requirement, and it applies to any contractor in the Defense Industrial Base (DIB). The CMMC self-assessment is one of the first steps towards full compliance, which can be especially challenging for contractors new to the DIB sector.
Contractors must achieve “preferred contractor” status to receive consistent work from the DoD. CMMC compliance is only one of the requirements for obtaining this status, but it demonstrates that a contractor is serious about protecting sensitive information, as defined in the Defense Federal Acquisition Regulation Supplement (DFARS) specifications.
Fortunately, the Office of the Under Secretary of Defense (OUSD) for Acquisition and Sustainment (A&S) provides CMMC assessment guides to assist in the CMMC process. In particular, these guides explain the difference between a self-assessment and a full compliance assessment, including their scoring methodologies. Note: the official CMMC Scoping Guides had not been released at the time this post was published.
Contractors seeking CMMC certification must also understand the CMMC framework, including its domains, levels, and practices. Detailed knowledge of these topics is essential for performing the self-assessment, passing a true third-party assessment and obtaining the CMMC accreditation needed for preferred contractor status.
The CMMC advisors at cuick trac™ can help you determine your requirements for achieving CMMC with cuick trac™, our cost-effective, virtual enclave solution for protecting controlled unclassified information (CUI).
Call us at 612-428-3008 or fill out the online form to schedule a free consultation.
Is there CMMC Self-Certification for CMMC Compliance?
Self-assessing is always a best practice for contractors needing CMMC, although it can’t grant any type of CMMC certification. It only serves to identify gaps between a contractor’s current security posture and what it needs to pass the full assessment by a Certified 3rd Party Assessment Organization (C3PAO), which determines whether a contractor receives CMMC certification or not. A self-assessment isn’t required for CMMC, but an organization that conducts thorough, periodic self-assessments will often find more success in implementing a security program.
As such, contractors don’t actually self-certify/attest their CMMC compliance, which is a departure from earlier compliance frameworks like NIST SP 800-171. In that framework, contractors could simply attest to their own compliance without ever needing to demonstrate it, unless requested by DoD or the Defense Contract Management Agency (DCMA). As a result, self-assessments under NIST 800-171 provide only low confidence in the contractor’s compliance status, resulting in many contractors with significant gaps in their security.
CMMC Assessment Criteria & Scoring Systems
When conducting a true CMMC self-assessment, it’s best practice to use an assessor/advisor experienced in working with the DIB and in safeguarding the confidentiality of Controlled Unclassified Information (CUI). Using an independent individual or company for this role provides many benefits.
The process of assessing a contractor’s implementation of the CMMC framework generally involves the assessor establishing objectives for each practice or security control, which the assessor then tests against appropriate criteria. For example, practices derived from NIST controls are tested using the corresponding NIST assessment procedures. These tests include interviews with individual workers, observation of procedures as they are performed, and review of relevant system settings. Each practice tested receives a finding of Met, Not Met, or Not Applicable.
A finding of "Met" indicates the contractor met all the requirements for that practice as described by the CMMC framework. The assessor must provide appropriate evidence to support this finding.
A finding of "Not Met" means the contractor failed to meet at least one of the requirements for the practice as described in the CMMC framework. The assessor must describe the issues resulting in this finding.
A finding of "Not Applicable" indicates a contractor is not required to implement this practice. The assessor must provide an explanation and documentation supporting this finding.
Contractors should provide accurate findings for all applicable practices in their self-assessment, even when many of those findings are “Not Met.” This approach ensures that contractors hold themselves accountable for the shortcomings, just as an independent assessor will. Honest assessments help the company improve its security posture so it can pass the official assessment.
Who is Responsible for Full CMMC Assessments?
The CMMC Accreditation Body (CMMC-AB) is responsible for authorizing third parties (C3PAOs) to audit and assess contractors and award them the appropriate CMMC certification, if warranted. The CMMC-AB has built an ecosystem of Licensed Training Providers (LTPs) and Licensed Partner Publishers (LPPs) to train and authorize the individuals who conduct CMMC certification audits, known as Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), who support the audits.
CCAs will be affiliated with C3PAOs and will be the only authorized parties who can perform the actual CMMC certification audits, once Organizations Seeking Certification (OSCs) are ready to demonstrate and prove that their cybersecurity posture is at the required level. The CMMC-AB also partners with the C3PAOs to list them in the geographic areas they service and match them with contractors needing CMMC. C3PAOs are allowed to work with their clients throughout all stages of the CMMC accreditation process, not just the actual assessment itself.
These stages include both architectural planning and the implementation of practices and controls. Contractors do not have to work with C3PAOs as they prepare for CMMC; they are encouraged to work with experts whom they trust and who also have experience providing cybersecurity support to the DIB.
The CMMC-AB must authorize and accredit C3PAOs to conduct CMMC assessments of DoD contractors. This process requires C3PAOs to meet DoD requirements as described in ISO/IEC 17020, which deals with conformity assessment. That standard describes requirements for organizations that perform various types of inspections, not just CMMC assessments.
The CMMC-AB can, however, authorize C3PAOs to conduct CMMC assessments before they have received their formal accreditation, but C3PAOs must receive accreditation from the CMMC-AB within 27 months after registering for the C3PAO accreditation program. To receive this accreditation, C3PAOs must meet all DoD requirements as described in ISO/IEC 17020.
In addition to receiving authorization or accreditation from the CMMC-AB, C3PAOs must be listed on the CMMC-AB Marketplace website before they can conduct CMMC assessments. Furthermore, the individual assessors that the C3PAOs use to conduct CMMC assessments must also be authorized or certified by the CMMC-AB.
Organizations in the DIB must select an authorized or accredited C3PAO listed on the CMMC-AB Marketplace website. The selected C3PAO and its client then coordinate the planning and conduct of the CMMC assessment, as described in a contract between the two parties.
Once the assessor completes the CMMC assessment, the C3PAO provides a report on the results. Assuming the assessment shows no deficiencies, the C3PAO then issues the certificate appropriate to the CMMC level requested by the contractor. In addition, the C3PAO must submit a copy of its assessment report and the CMMC certificate to the DoD.
CMMC Maturity Levels, Focuses & Process Goals
Contractors seeking DoD contracts must eventually implement the CMMC requirements at the level at which they aim to be certified, except for the practices they are exempt from. This process occurs in a succession of five distinct steps known as Maturity Levels, each of which includes all of the requirements of the level below it.
In addition, each level introduces new requirements and has a focus that may be quite different from that of the previous level.
Each level also has its own Process Maturity goal indicating the extent to which the organization has institutionalized required security practices across all of its departments and individual personnel. Process Maturity is a comprehensive measure, so it can complicate the assignment of findings from the assessment.
The following list describes the focuses and goals of each Maturity Level:
- Maturity Level 1 – This level provides basic cyber hygiene. It has 17 practices that focus on protecting Federal Contract Information (FCI), and its Process Maturity goal is performance.
- Maturity Level 2 – This level provides intermediate cyber hygiene. It introduces 55 new practices that focus on transitioning the contractor to full FCI protection, and its Process Maturity goal requires documentation of its practices.
- Maturity Level 3 – This level provides good cyber hygiene. It implements 58 new practices that focus on the complete implementation of NIST SP 800-171 and other frameworks. The Process Maturity goal for this level is managing its practices.
- Maturity Level 4 – This level provides proactive cyber security. It implements 26 new practices that focus on protecting CUI against Advanced Persistent Threats (APTs), and its Process Maturity goal is regularly reviewing its practices.
- Maturity Level 5 – This level provides optimized cyber security. It implements 15 new practices that focus on complex FCI and APT protection. The Process Maturity goal for this level is optimizing security protections.
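The two rules described above, that every practice receives a Met / Not Met / Not Applicable finding backed by evidence, and that each Maturity Level includes all requirements of the levels below it, can be turned into a small gap-tracking tool for a self-assessment. The following Python script is an added example and is not code from the original post, from cuick trac™ or from the CMMC-AB; the practice identifiers (`AC-L1-01`, `AU-L2-01` and so on) and the assessment results are constructed placeholders, not official CMMC practice numbers, and only the two-letter domain abbreviations come from the model. It reports the highest level fully satisfied, lists the practices blocking a target level grouped by domain, and flags findings that lack the supporting text an assessor must record.

```python
from collections import defaultdict
from enum import Enum


class Finding(Enum):
    MET = "Met"
    NOT_MET = "Not Met"
    NOT_APPLICABLE = "Not Applicable"


# Constructed model: hypothetical practice ID -> (domain abbreviation, level at which
# the practice is introduced). These IDs are placeholders, not official CMMC numbers.
MODEL = {
    "AC-L1-01": ("AC", 1),
    "AC-L1-02": ("AC", 1),
    "IA-L1-01": ("IA", 1),
    "AC-L2-01": ("AC", 2),
    "AU-L2-01": ("AU", 2),
    "AU-L2-02": ("AU", 2),
    "IR-L3-01": ("IR", 3),
    "SC-L3-01": ("SC", 3),
}

# Constructed self-assessment results: practice ID -> (finding, supporting text).
# IR-L3-01 deliberately has no entry, i.e. it was never assessed.
FINDINGS = {
    "AC-L1-01": (Finding.MET, "Role-based ACLs on the file server reviewed with the admin"),
    "AC-L1-02": (Finding.MET, "Firewall rule export reviewed; default-deny inbound"),
    "IA-L1-01": (Finding.MET, "Interview with IT lead; MFA enforced for all accounts"),
    "AC-L2-01": (Finding.NOT_APPLICABLE, "No remote access to the enclave is permitted"),
    "AU-L2-01": (Finding.NOT_MET, "Logs are collected but not reviewed on any schedule"),
    "AU-L2-02": (Finding.MET, "Central log server retains one year of audit records"),
    "SC-L3-01": (Finding.MET, "TLS configuration reviewed on all external services"),
}


def validate(findings):
    """Every finding needs supporting text: evidence for Met, a description of the
    issues for Not Met, or a documented justification for Not Applicable.
    Returns the IDs whose record lacks it so they can be sent back to the assessor."""
    return sorted(pid for pid, (_, note) in findings.items() if not note.strip())


def unresolved(model, findings, level):
    """Practices introduced at or below `level` that are Not Met or have no finding.
    Levels are cumulative, so each of these blocks certification at `level`."""
    blocking = []
    for pid, (_, plevel) in model.items():
        if plevel > level:
            continue
        result = findings.get(pid)
        if result is None or result[0] is Finding.NOT_MET:
            blocking.append(pid)
    return sorted(blocking)


def highest_achieved_level(model, findings, max_level=5):
    """Highest level N for which nothing at levels 1..N is unresolved (0 if Level 1 has gaps).
    Practice findings only; Process Maturity is assessed separately and is not modelled."""
    achieved = 0
    for level in range(1, max_level + 1):
        if unresolved(model, findings, level):
            break
        achieved = level
    return achieved


def gap_report(model, findings, target_level):
    """Blocking practices for `target_level`, grouped by domain for remediation planning."""
    report = defaultdict(list)
    for pid in unresolved(model, findings, target_level):
        report[model[pid][0]].append(pid)
    return {domain: sorted(ids) for domain, ids in report.items()}


def domain_summary(model, findings):
    """Count of each finding type per domain; practices without a finding are 'Unassessed'."""
    summary = defaultdict(lambda: defaultdict(int))
    for pid, (domain, _) in model.items():
        label = findings[pid][0].value if pid in findings else "Unassessed"
        summary[domain][label] += 1
    return {domain: dict(counts) for domain, counts in summary.items()}


if __name__ == "__main__":
    print("Findings missing supporting text:", validate(FINDINGS))
    print("Highest level fully satisfied:", highest_achieved_level(MODEL, FINDINGS))
    print("Gaps blocking Level 3:", gap_report(MODEL, FINDINGS, 3))
    print("Per-domain summary:", domain_summary(MODEL, FINDINGS))
```

On the constructed data the highest fully satisfied level is 1, because one Level 2 audit practice is Not Met and one Level 3 incident-response practice was never assessed; both appear in the Level 3 gap report. An unassessed practice is treated as blocking on purpose, since a self-assessment that silently skips practices gives the same false confidence the post warns about.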
Contractors can download the current version of the CMMC guide published in March 2020 from the CMMC Models and Assessment Guides page. The CMMC Level 1 Assessment Guide Volume 1.10 and CMMC Level 3 Assessment Guide Volume 1.10 are also available for download, both of which were published in November 2020.
Contractors who only need Level 1 can still use the Level 3 guide, even though it includes processes that Level 1 doesn’t measure. Level 2 doesn’t have a guide at this time, since this level serves only as a transition to Level 3. Levels 4 and 5 don’t have guides publicly available because the DoD doesn’t expect contractors to implement these controls yet, as CMMC Level 3 will be the major focus.
DoD Assessment Methodology: Understanding Domains, Capabilities & Practices
The CMMC framework consists of 17 security domains, which are generally equivalent to the NIST 800-171’s Requirement Families. These domains include 43 capabilities covering 171 practices, resulting in an interlocking matrix of domains, capabilities and practices. The 17 security domains in CMMC are as follows:
- Access Control (AC) – Four Capabilities and 26 Practices that limit access to sensitive information.
- Asset Management (AM) – Two Capabilities and two Practices that identify and monitor assets.
- Audit and Accountability (AU) – Four Capabilities and 14 Practices to conduct audits that ensure accountability.
- Awareness and Training (AT) – Two Capabilities and five Practices to conduct training programs that ensure staff awareness.
- Configuration Management (CM) – Two Capabilities and 11 Practices that replace vendor-supplied security settings with more robust solutions.
- Identification and Authentication (IA) – One Capability and 11 Practices for developing an identity and access management program that optimizes access control.
- Incident Response (IR) – Five Capabilities and 13 Practices for responding to all cybersecurity incidents in real time.
- Maintenance (MA) – One Capability and six Practices for performing maintenance on hardware and software.
- Media Protection (MP) – Four Capabilities and eight Practices that protect storage media and delete sensitive data from them.
- Personnel Security (PS) – Two Capabilities and two Practices related to staff.
- Physical Protection (PE) – One Capability and six Practices for the physical protection of devices and workspaces that handle sensitive data.
- Recovery (RE) – Two Capabilities and four Practices to mitigate the damage from attacks and recover data.
- Risk Management (RM) – Three Capabilities and 12 Practices to measure the efficacy of risk mitigation strategies.
- Security Assessment (CA) – Three Capabilities and eight Practices to perform regular threat assessments.
- Situational Awareness (SA) – One Capability and three Practices for awareness thresholds specific to the company.
- Systems and Communications Protection (SC) – Two Capabilities and 27 Practices that protect communication points in all networks.
- System and Information Integrity (SI) – Four Capabilities and 13 Practices that remove known flaws from security architecture.
Implementation of the 171 practices described above is a challenging process for contractors to do by themselves unless they have their own well-funded IT department. As is the case with self-assessments, a third party like cuick trac™ can help ensure these practices are implemented correctly.
How the CMMC Self-Assessment Advisors at cuick trac™ Can Help
Cuick trac™’s team of cybersecurity experts and advisors helps contractors understand what they need today, while also helping them interpret and strategically plan for the future. Some contractors need a guided self-assessment to get started, while more mature organizations need help reviewing their remediation efforts in order to plan for CMMC readiness. Regardless of your situation, cuick trac™ can help you get on the right path to CMMC success.
Speak with a CMMC Compliance Advisor Today
It’s critical for contractors to understand that the CMMC self-assessment is only a small step in the process of obtaining the CMMC level your contract requires. Although CMMC doesn’t require a self-assessment, DFARS 252.204-7019 and 7020 do, and those clauses are based on the DoD’s Assessment Methodology and NIST SP 800-171. A basic self-assessment tool like Future Feed can be extremely useful for identifying the controls you need to implement before a C3PAO performs the full assessment.
Our suite of CMMC-related services includes cuick trac™, advisory and guidance, and strategic planning for managed IT and security solutions.
Cuick trac™’s advisors can also help you implement a plan of action and perform assessments that meet many other security standards in addition to CMMC. We also offer free consultations to help you implement the CMMC controls needed to avoid fines or the loss of contract opportunities.
Contact us or call 612-428-3008 today to schedule your consultation.