By: Derek Kernus, DTS
If the thought of the impending Cybersecurity Maturity Model Certification (CMMC) leaves you feeling like there’s a shark in the water, you’re not alone. Many contractors in the Defense Industrial Base (DIB) fear losing out on valuable contracts yet feel helplessly afloat.
The DoD formally announced the CMMC in June 2019, citing a MITRE report from late 2018 that found an overwhelming majority of government contractors were not meeting the requirements of DFARS 7012, and that less than one percent of companies were compliant with NIST SP 800-171 self-certification.
The DoD has worked with private industry to create a 5-level cybersecurity maturity model that will require nearly all DoD contractors to be certified within the next five years. Implementing the practices and achieving maturity levels is especially worrisome for small and mid-sized businesses (SMB) in the DIB.
The CMMC was designed so that an SMB could implement the controls independently, however, in practice, many lack the expertise internally. Our team has talked directly with DoD representatives about CMMC implementation and is ready to clear up the myths:
Myth #1: You can prepare for a CMMC Audit by comparing cybersecurity posture to NIST SP 800-171 controls.
The facts: Beware of ads and case studies citing CMMC experience based on NIST SP 800-171 readiness assessments. Conducting NIST SP 800-171 assessments is not the same as conducting CMMC readiness assessments.
The CMMC Accreditation Body (AB) has announced that assessors should be using the most current version of the CMMC in their readiness assessments. Additionally, no company is currently authorized to provide an official Maturity Level Assessment. Authorized assessors will be designated by a Certified 3rd Party Assessor Organization (C3PAO) badge.
Myth #2: DoD Contractors need to be certified by an Accredited Assessor to bid on an RFP.
The facts: Maturity Level Certification is not required until award notice. At that time, the awardee will need to present their CMMC Maturity Level Certification required by the proposal. The CMMC-AB suggests that contractors give themselves six months to get compliant with their desired Maturity Level.
Myth #3: Organizations using the CMMC logo on their website to suggest they are already aligned with the CMMC Accreditation Body (CMMC-AB) for pre-assessment purposes.
The facts: While the CMMC-AB does encourage readiness assessments, the best practice for contractors is to have the work completed by an organization that is a Registered Practitioner Organization (RPO) with Registered Practitioners (RP).
As of this writing, the CMMC-AB has not approved any RPO or RP applications. Therefore, using the CMMC logo currently does not indicate any skill level or certification.
Once approved, practitioners will need to complete training to validate their understanding of CMMC practices and sign the CMMC-AB Code of Professional Conduct before officially becoming registered. They will be listed in the CMMC-AB marketplace and will utilize the official RPO badge similar to the C3PAO’s in their marketing material and communications.
Myth #4: CMMC certification expenses are an “allowable cost” and can be billed back to the DoD.
The facts: DoD has stated that the government will cover an allowable amount of the cost of the CMMC audit only and can be included in pricing. The official audit costs – and not any readiness assessment costs or remediation – will be reimbursed when a company is awarded a contract that requires a CMMC Maturity Level.
The DoD will also cover what it costs to maintain the CMMC level during the contract performance.
Myth #5: The DoD requires CMMC certification starting in FY2021.
The facts: If you aren’t bidding on a new contract, your CMMC certification isn’t imperative. The DoD has said the highest level required by any contract in Year 1 would be ML-3. Higher maturity levels are not yet finalized. At least 15 IDIQs/GWACs are scheduled to be released in FY2021 with CMMC requirements. The DoD is very conscious and cautious of how the CMMC ecosystem will function and hopes to avoid bottlenecks.
Companies who believe they will need to be certified in 2021 should start the pre-assessment process now, allowing ample time for remediation and reassessments before their official C3PAO audit.