It’s a question you’ve likely begun asking yourself more frequently in recent months - how do I ensure my organization is prepared for a Cybersecurity Maturity Model Certification (CMMC) assessment?
Fortunately, we’ve been exploring the very same question with a number of our clients for quite some time. Below, we discuss several considerations that your organization should keep at the forefront of your readiness planning, including a recent rulemaking update, basic scoping questions, controlled unclassified information (CUI) data flows, practices for gathering and sharing information and much, much more.
CMMC rule update and timing of when CMMC will be required: Proposed CFR Title 48 rule
On Aug. 15, 2024, the Department of Defense (DOD) released the proposed Code of Federal Regulations (CFR) Title 48 rule that includes updates to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 and will add the following new provision:
“This proposed rule includes a new DFARS provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, to provide notice to offerors of the CMMC level required by the solicitation and of the CMMC certificate or self-assessment results that are required to have been posted in SPRS by the apparently successful offeror prior to award, unless electronically posted.”
This proposed rule is for the clause that likely will appear in your contracts and require you to obtain a CMMC. The current timeline suggests the CMMC program is on track to be finalized by the end of fiscal year 2024, and to begin appearing in contracts by early-to-mid 2025.
The previous rule, which came out around the end of 2023, focused extensively on the program itself: how will CMMC operate? Who does what? What defines a CMMC third-party assessment organization (C3PAO)? What will you be assessed against? How do the levels work?
This recent rule is much simpler, in relative terms. It effectively states that clause 7021 will be modified and supplemented by a second clause: one clause provides notice, and the other is the instrument in the contract that stipulates and requires that you be certified, self-assessed or otherwise proven to meet the pertinent requirements for your specific contract.
So, where do we go from here?
The rulemaking process stipulates a 60-day public comment period, which we are currently in the middle of. So, if you have strong opinions about the recent update, we highly recommend submitting your comments before the approaching deadline.
Once the public comment window closes, the DOD will respond to those comments and then submit their final proposal to the Office of Management and Budget (OMB) for their review. The OMB would then have 90 days (with a possible extension to 120 days) to complete their review. The rule would then be available to issue as final.
Given the above, many are speculating that the program pieces of CMMC - the rule that came out in proposal at the end of 2023 - will release in September or October of this year. Then, potentially, the newer rule would be released in December of 2024 or early 2025.
Regardless of specific timing, the DOD is moving forward, pushing the rule through the process above, and we anticipate that we will begin to see these clauses in contracts (thereby requiring you to become CMMC certified) as early as 2025. The million-dollar question, then, becomes: how do you prepare?
What to consider as you prepare for your CMMC assessment
It all begins with scoping. In a recent webinar, we dove deep into the scoping aspect of CMMC readiness.
We encourage you to consider four basic scoping questions:
- Have you documented your entire scope of systems?
- Have you labeled all systems by asset type?
- Is your entire scope of systems included in your system security plan (SSP)?
- Have you documented and approved all controlled unclassified information (CUI) data flow diagrams?
Within the scope identified above, there are four distinct in-scope asset categories (five, if you include “out-of-scope assets” as a distinct category).
Fully document your SSP
In addition to properly identifying, organizing, assessing and controlling each of the above asset categories, you’ll need to determine if your SSP:
- Describes and documents the system boundary
- Describes and documents the system environment of operation
- Identifies the security requirements approved by the designated authority as non-applicable
- Describes and documents the method of security requirement implementation
- Describes and documents the relationship with or connection to other systems
- Defines the frequency to update the SSP and is updated with the defined frequency
During an assessment, you’re going to share plenty of documents and artifacts, and it’s very likely the SSP will be the very first one. Knowing how important first impressions can be, presenting a strong SSP helps demonstrate that you understand the material at hand, have properly considered all requirements and can articulate how you’re satisfying those requirements in the SSP document.
CUI data flows
The question here is - have you documented and approved all CUI data flows?
You likely already have network diagrams that display and define your network, its boundaries, its firewalls, security protections and so on, but the CMMC assessment (specifically control 3.1.3) requires both that you have approval mechanisms and that you control the flow of CUI throughout your environment.
CUI data flows help to show where your CUI lives, where it goes, why it goes there and how the entire process unfolds. It’s a visual representation that demonstrates your maturity and represents that you know where your CUI is stored, where it’s allowed to go and how/why such approval is granted.
How to prepare to share information and anticipate questions from your assessment team
While much lengthier when practically worked out, this is, essentially, a three-step process:
- Review your Level’s assessment guide
- Attain evidence for every practice at the objective level
- Review evidence to ensure it satisfies each objective
Throughout your assessment process, the assessor will need to gather evidence to prove that you are performing the activities outlined in your SSP and satisfying every one of the requirements.
As a reminder, there are 110 practices, and each has its own collection of assessment objectives (320 objectives in total). An assessor has to effectively answer yes, no or N/A for every single assessment objective.
Essentially, you’re facing a test with 320 distinct questions on it. That’s the difficult news. The good news, however, is that assessment guides are readily available so there should be no surprise as to which questions will be on your proverbial test.
Given the breadth and depth of the above, and the ability to prepare and assemble the necessary information and documentation beforehand, it’s crucial that you don’t wait until your official assessment to begin looking for, compiling and correcting these documents.
Instead, in the weeks and months leading up to your assessment, we recommend ensuring that all of the CMMC’s 110 controls (320 assessment objectives) are implemented for all systems in scope by conducting:
- Internal assessments
- External assessments
- Mock assessments
Such practices will help you prepare well in advance and provide ample opportunity for course correction as needed.
A quick note on FIPS 140-2 certificates
Various controls, such as 3.13.11, require Federal Information Processing Standard (FIPS)-validated encryption. Consequently, for the technology you employ, you need to find the corresponding validation certificates and make them easy for the assessor to verify (so they don’t have to do the homework themselves).
To evidence FIPS-validated encryption, you should:
- Go to the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website
- Search for all the cryptographic modules used across your assessment scope
- Find the modules by searching certificate number, vendor or module name
- Assemble and document a list of all modules in use and their associated certificate number for your assessor
Have you trained your personnel?
Beyond preparing for what an assessor may be looking at or for, it’s wise to consider whom they will speak with (i.e., which personnel will interact directly with the assessor). Have you defined who the assessor will speak with for each practice? Has that person been prepared on how to talk to an assessor (e.g., answering questions as accurately as possible without addressing additional items)? Are they able to demonstrate how a control artifact works in real time rather than just explaining it? These items will help tangibly reinforce the information being presented.
Policies and procedures
Are your policies and procedures created, documented and approved?
Your organization should have policies and procedures that describe and implement practices for each control family. Examples include:
- Access control: Access control policy and procedures, acceptable use policy
- Media protection: Media protection policy and procedures, CUI handling guide
- Incident response: Incident response policy, procedures and plan
Policies and procedures should be reviewed by their policy owners on a defined frequency (e.g., annually).
Third-party service providers
Third-party service providers generally fall into one of two buckets: external service providers (ESPs) and cloud service providers (CSPs). Both require a lot of documentation, and each requires its own depth of documentation. Your organization should document and inventory all of its third-party service providers used to process, store or transmit CUI. ESPs will need to be CMMC certified at the same level you are, while CSPs do not; instead, CSPs need to be FedRAMP certified or FedRAMP equivalent.
The final question: Am I ready to be assessed?
Though all the above can be rather complex and contain a host of caveats and nuances, asking and answering the simplified, six-question summary below is a great first step on your journey to CMMC assessment preparedness:
- Have I completed my SSP, CUI data flows and associated policies and procedures?
- Have I completed a self-assessment?
- Have I collected evidence for each of the assessment objectives?
- Have I assessed my third-party providers?
- Have I trained my control owners on what to expect?
- Have I identified my CMMC assessor?
Do you need help addressing any of the above questions or considerations? Are you confused by CUI asset categories, data flows or SSPs? Are you curious about conducting a gap assessment?