CMMC compliance process: What to expect and five steps to take
Version 2.0 of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) stipulates that Defense Industrial Base (DIB) contractors can no longer self-report cybersecurity assessments. Instead, they are required to earn certification from a CMMC Third-Party Assessor Organization (C3PAO). To help DIB contractors meet CMMC Level 2 requirements, the CohnReznick cybersecurity team committed to becoming a C3PAO assessor when the inaugural version of CMMC was published in January 2020.
Becoming a C3PAO required that we undergo an assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a unit of the Defense Contract Management Agency (DCMA), which manages all DoD contracts. We’re sharing our accreditation journey to offer DoD contractors insight into what to expect and five actionable steps to start now on your CMMC compliance journey.
When planning for an assessment by the DIBCAC (if you are applying to become a C3PAO) or by a C3PAO assessor, don’t underestimate the timeframe – particularly the preparation phase. The CohnReznick CMMC team discussed the C3PAO accreditation with our executives and board early in the process to help eliminate any surprises to the timeframe. DoD prime contractors that already have Level 2 controls in place may have a shorter lead time, while organizations in the middle to end of the Defense Supply Chain (DSC) may not. It all depends on the company’s exposure to DoD contracts and its level of operational maturity.
In our experience, the assessment process was well organized and straightforward. DIBCAC assessors kicked off the certification process by scheduling several meetings with CohnReznick CMMC stakeholders to explain the procedure, gain an understanding of our technical environment, and finalize the assessment timeline. The assessment was scheduled to be completed within five business days, with the assessors requesting a tranche of documents that included:
- System Security Plan (SSP), with documented policies and procedures covering the 110 Level 2 controls of CMMC
- Network diagram
- Controlled Unclassified Information (CUI) flow diagram
- System boundary diagram
- Asset list
There is also a requirement to create an expanded asset list, which can be unexpectedly demanding, in part because the list must cover five comprehensive categories:
- Controlled unclassified information (CUI) assets
- Security protection assets
- Contractor risk managed assets
- Specialized assets
- Out-of-scope assets
Be aware that you can – and should – make changes to your environment. During the assessment, the assessors may allow businesses to modify their environment and update documentation to meet requirements, provided the change can be completed and reviewed by the assessors within the agreed-upon assessment period. When doing so, be sure to follow your documented procedures to the letter. Making modifications without following your organization’s own procedures may lead the assessors to penalize you, resulting in a “not met” status for the affected control.
While it’s important to know what to expect, it’s also important to know what steps contractors can take now to better prepare for the accreditation process.
Here are five actionable steps to get you started:
- Perform a readiness assessment: Get ready for the CMMC audit by performing a readiness assessment against the CMMC controls. The preparatory assessment will help make sure that any overlooked gaps are identified and remediated before the audit is under way.
- Observe the objectives: The assessors will test your company’s control objectives against each of the CMMC controls to determine whether each is “met”. To prepare, review the objectives control by control, ensure that you have two pieces of evidence for each objective, and make sure that the subject-matter experts who can speak to each objective participate in the assessment sessions.
- Coach your service providers: Assessors will dig into third-party managed services, so it’s essential that provider representatives are present during the assessment to answer any questions. Rehearse potential responses and issues with your major managed service and Security Operations Center (SOC) providers before the assessment sessions. Also consider rehearsing with stakeholders from IT and human resources.
- Test incident response: Make sure you have a tested incident-response plan that specifies the tools and procedures used to identify, eliminate, and recover from cybersecurity incidents. Include the relevant CMMC stakeholders and program owners in the testing, and, if applicable, have managed service providers present during testing. The test plan, narrative, and lessons learned need to be documented and presented to the assessors.
- Update documentation: Be sure your System Security Plan is accurate and up to date, and that what it documents strictly matches the security processes you actually follow.