6 CMMC Tips: Choosing a Third-Party Assessor (C3PAO)

Defense industry suppliers know, or should know, that the time has come to achieve Cybersecurity Maturity Model Certification (CMMC) compliance. Deadlines set by the Department of Defense (DoD) and enforced by prime contractors are real. As of Nov. 10, CMMC requirements can appear in DoD contracts.

Getting right with CMMC is a time-consuming, paperwork-driven, and (red alert!) competitive process. Most defense suppliers handling controlled unclassified information (CUI) must pass an official CMMC Level 2 assessment conducted by a Certified Third-Party Assessor Organization (C3PAO). An estimated 118,000 defense contractors need a C3PAO-conducted CMMC Level 2 certification, but as of mid-November there were just 83 C3PAOs to choose from, according to Cyber AB, the accreditation body for third-party assessors.

This means booking a C3PAO may not be easy. During a recent MxD webinar discussion about navigating the CMMC certification journey, experts reported a six-to-eight-month wait for an assessment after a company has signed up. The delays are significant because companies run the risk of losing out on business while they wait. Though there is a phased roll-out process for CMMC, prime contractors are pushing their suppliers to get going now. This explains the growing backlog.

“You have suppliers … telling their entire supply chain, ‘We strongly recommend you get a CMMC Level 2 third-party assessment if you want to continue doing business with us,’” Fernando Machado, managing principal and chief information security officer for Cybersec Investments, a C3PAO, said in an interview. Machado said prime contractors must get their supply chains in compliance with CMMC ”because ultimately the government is going to hold them accountable.” During MxD’s webinar, Brett R. Cox, Boeing’s DFARS/CMMC Cybersecurity Program Management Office Principal, agreed the message from the Pentagon and prime contractors is clear: “Get into the assessment pipeline. Engage with your C3PAO early.”

How to proceed? We spoke to Machado, Cox, and MxD Senior Project Engineer Scott Kruse about becoming CMMC-certified and choosing a C3PAO.

Here are six tips:

1. Understand CMMC rules and requirements: CMMC is a new defense contract requirement, but it doesn't introduce a new set of operational procedures. In effect, CMMC is third-party validation of the existing NIST SP 800-171 standard, which specifies 110 cybersecurity requirements a defense contractor must meet if it handles CUI. “The only thing that the DoD added on top of that was the CMMC Level 2 scoping guide,” said Machado. The Level 2 scoping guide helps organizations determine which parts of their business (systems, people, and facilities that store, process, or transmit CUI, or that protect those that do) fall within the scope of the assessment. DoD instituted CMMC because it determined too many companies were coming up short on meeting the NIST requirements they had been self-attesting to. Now a third-party assessor will certify whether a supplier is handling CUI responsibly. “In NIST 800-171, about 60% of the assessment objectives are about paperwork,” said Cox. “They’re about your policies and procedures. So, it is largely about how you operate as a business.” An organization’s technical controls, safeguards, and countermeasures must be backed by documented policies and procedures (the administrative controls) that show how CUI is protected.

2. Do a gap assessment: The road to CMMC certification ends with the C3PAO assessment, but before booking it, companies should work through every NIST SP 800-171 requirement to confirm they are ready for official scrutiny. Find the gaps, in other words, and consider hiring a consultant for the gap assessment. Or at least use an outside professional to check your in-house experts’ work. Think of the gap assessment as a low-cost trial run for the real thing, said MxD’s Kruse. “They’re going to make sure your documentation is right,” he said. “They’re going to ask you a bunch of questions about your environment, about your access control, and make sure everything is lined up the way it’s supposed to be. So, when you do go through your assessment, you’re set.”

Machado, from the C3PAO, agreed that getting outside support early is common. And wise. “Most of the folks we work with have either worked with a consultant or a managed service provider that has helped them bridge the gap and actually implement the requirements,” he said. Sure, some companies do their own gap assessment, Machado added, but “when companies take them on themselves, they usually miss the mark.”

3. Shop early for an assessor: CMMC assessors are accredited by Cyber AB, a nonprofit that works on behalf of the DoD to help implement and oversee the CMMC program. Cyber AB operates a marketplace that lists all accredited assessors, so that’s the place to start looking. With 83 to choose from, experts recommend having discussions with numerous C3PAOs. “The first step is going to be interviewing someone who matches and has the technical knowledge of your organization,” said Boeing’s Cox. “We’re very complex so we needed a C3PAO who can handle a more complex environment. Not everybody needs that, so it’s about saying, ‘Here’s my environment. How would you assess me?’” C3PAO costs vary, depending on the size and complexity of an organization, and whether the assessment can be done via paperwork and virtual inspection or requires on-site visits. Experts said small to mid-size manufacturers (SMMs) can anticipate costs in the low tens of thousands of dollars to $100,000 or more.

4. Stay on target: Scheduling an assessment isn’t like booking a beach vacation. C3PAOs won’t confirm a booking until it seems certain the supplier will be ready to pass, because it does neither party any good for a company to reach the big moment and fail. Suppliers can expect a detailed readiness meeting with the C3PAO, well in advance of the assessment, to compare notes and review documentation. C3PAOs want to claim a high success rate among clients, while suppliers that need to reschedule because they aren’t ready can anticipate a cancellation fee. Bottom line: Connect early with a C3PAO and work together closely to avoid pitfalls.

5. Avoid the pitfalls: Machado identified several specific reasons suppliers fail their CMMC assessment. The biggest risk, he said, is not understanding that there are two documents that detail the requirements. NIST SP 800-171 lists the requirements; NIST SP 800-171A lists the assessment objectives a C3PAO actually tests against. “On paper, it looks like you have 110 controls, but in reality, you have 320 different assessment objectives you have to meet,” he said. This is why suppliers need to communicate with their C3PAO in detail. Other reasons for failure include a company not having a System Security Plan, or relying on cryptography that is not FIPS-validated to protect CUI. (FIPS-validated means the cryptographic module appears on NIST’s Cryptographic Module Validation Program list; a vendor merely describing a product as “FIPS-compliant” does not satisfy the requirement.) Another reason is not establishing multi-factor authentication across all in-scope systems and components. “It’s not just the laptops,” Machado said. “If it protects CUI, or contains CUI, you have to implement the requirements across the board.”

6. Understand that it’s about national security: CMMC is not a one-time event. Bad actors and foreign states will never stop trying to infiltrate the defense industrial base, so cybersecurity requires a 24/7/365 commitment. Suppliers must be recertified every three years and must affirm annually that they still meet the requirements. “You can’t just do it and forget about it,” Cox said. This means there is an ongoing cost to maintain an organization’s security posture. “Hopefully, you’re going to be winning more than that in contracts,” he said. And by fulfilling CMMC’s requirements, he added, suppliers are doing their duty to protect national security. “If our adversaries get the CUI, they may find ways to defeat our war fighters,” he said.

MxD Learn’s CAPITAL program offers free, virtual training that equips workers with the skills to ensure compliance — and to protect manufacturers and the systems that power the U.S. economy. To learn more and enroll, visit MxD’s Virtual Training Center.