Government contractors will soon need to obtain CMMC certification, but there are currently just a few C3PAO accreditors that can confer it. Tony Bai, federal practice lead at A-LIGN, emphasizes companies shouldn’t panic due to the logistical bottleneck. They can take preliminary steps to prepare.
Following the introduction of the Cybersecurity Maturity Model Certification (CMMC) program by the U.S. Department of Defense in 2020, there has been uncertainty and anticipation among many defense contractors regarding when CMMC certification can be achieved. With only a handful of organizations currently approved as a CMMC Third-Party Assessor Organization (C3PAO) by the CMMC Accreditation Body (AB), it poses the question: Will there be enough accredited C3PAOs to keep up with the growing demand for CMMC assessments?
The highly anticipated CMMC program from the U.S. Department of Defense (DoD) has been discussed in the federal compliance space for nearly two years. But with so many moving parts associated with CMMC implementation — including changing guidelines, an evolving timeline and potential challenges — the coming months will determine if all goes according to plan.
The DoD is expected to release up to 15 pilot contract solicitations over the course of this fiscal year through a phased rollout approach. The goal is to gradually test and expand the program by increasing the number of contracts requiring CMMC certification until September 30, 2025. At that point, all DoD contracts will require CMMC certification to ensure that the proper cybersecurity controls and processes are in place to protect federal contract information (FCI) and controlled unclassified information (CUI) stored on defense industrial base (DIB) systems and networks.
How Does an Organization Obtain CMMC Certification?
The DoD recommends that defense contractors start by reviewing the public CMMC model that was released last year to identify the areas where they may need to remove, refine or replace certain processes and procedures. After that, organizations must be audited by an accredited assessor operating under a CMMC C3PAO to achieve CMMC certification.
However, defense contractors that have been keeping an eye on compliance headlines as they conduct due diligence and prepare to seek CMMC certification may have noticed something: There may not be enough authorized C3PAOs to keep up with the growing demand for CMMC certification. The process for granting C3PAO status is fittingly stringent, which means there may only be a small number of organizations approved by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and certified by the CMMC AB by the end of 2021.
Let’s examine the situation with C3PAOs, what defense contractor organizations seeking certifications should do as they await CMMC and why the rush for certification may be causing unnecessary anxiety.
C3PAOs: A Crucial Component of the CMMC Program
The CMMC program is largely based on the National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) framework, which was also designed to protect CUI across non-federal IT systems for defense contractors. However, because NIST 800-171 is a self-attestation framework that asks companies to self-assess and self-report, it’s easy for organizations to unintentionally overrate their security performance against the prescribed security controls.
Additionally, some organizations may do a good job of self-assessing against NIST 800-171 initially but neglect to keep up with the important continuous monitoring aspect of cybersecurity. Compliance is never “one and done;” it’s an ongoing responsibility.
As a result, one of the key differences between NIST 800-171 and CMMC is the introduction of an independent third party, C3PAOs, to carry out the assessment. Only a C3PAO can determine whether or not an organization meets all of the requirements for CMMC Level 1 (basic cybersecurity hygiene) up to Level 5 (highly advanced cybersecurity practices with progressive improvement). After an assessment is conducted, the results are sent to the CMMC AB for verification and, if everything checks out, the certification is issued.
Right now, more than 100 organizations are waiting for a C3PAO license, and thousands of organizations are eager to receive CMMC certification. The DoD has been very careful in inspecting and testing prospective auditors and, as of June 2021, only one organization has been granted official C3PAO status. This has caused much impatience on both sides, as many worry about the impact any delays may have on the program’s timeline.
For this reason, some federal compliance experts are predicting that the initial rollout schedule may get pushed back by up to one year. But organizations that have been diligently preparing for certification by seeking out a CMMC readiness assessment or working to improve their NIST 800-171 scores need not worry: they shouldn’t have to redo any of this work, and being ahead of the game is much, much better than being unprepared by the time CMMC takes full effect.
3 Steps Organizations Can Start Now
Despite the somewhat uncertain nature of the rollout timeline, there are ways that organizations can start preparing for CMMC certification today so they are ready for a C3PAO audit when the time comes.
I recommend organizations take the time to read all of the CMMC framework documents and appendices front to back. It’s not a light read, of course, but it will help organizations understand exactly which security controls the CMMC establishes, as well as the intent of each. Reading the official text can also help organizations estimate their current level of cybersecurity maturity and what needs to be done to meet the next level.
Because the CMMC revolves around the protection of FCI and CUI, I encourage organizations to make a concerted effort to understand their data and which information may be subject to CMMC. CUI includes many different data types, including tax-related information, patents and other intellectual property, legal records and much more.
It’s important to note the CMMC’s focus is on non-federal IT systems. This means it is intended to protect information on contractors’ IT systems that is not classified but has been deemed to be sensitive or confidential. Some organizations may already have certifications, such as FedRAMP and FISMA, that lead their systems to be classified as “federal.” However, some exceptions can result in certain data being subject to CMMC. For example, an organization that is FedRAMP authorized may produce derived CUI, or information that comes from federal data, that would fall under the scope of CMMC. This is another reason to review the official text carefully.
Self-assess against NIST 800-171. As I mentioned earlier, NIST 800-171 is an effective stepping stone to CMMC certification. The 110 controls included in NIST 800-171 cover CMMC Levels 1 and 2, and Level 3 only has 20 additional controls (Levels 4 and 5 have 156 and 171 controls, respectively). In fact, under the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule that took effect in November 2020 as a ramp-up for CMMC, all defense contractors that handle CUI must complete a NIST 800-171 self-assessment and submit their score for approval before being awarded a contract. Again, this system isn’t enforced very strictly, but it is an excellent way to prepare for CMMC.
Be Prepared, But Don’t Panic
As many prospective C3PAOs await accreditation and some aspects of the model remain unfinalized, organizations shouldn’t be alarmed that they may not receive certification this year. While some headlines or advertisements scattered across the internet make it seem like CMMC is about to take effect next month, the reality is that we don’t know what the program’s final form will look like, and things could change quite a bit over the coming year.
To help navigate the evolution of the CMMC, it can be beneficial for organizations to seek out a strategic partner and educator. Leveraging a partner with unique experience in navigating the intricacies of regulations and assessments can help organizations understand their applicable control environment as things evolve, including performing a CMMC readiness assessment by federal compliance experts against these controls.
Ultimately, organizations that start to prepare for CMMC certification can only benefit from working to improve their cybersecurity posture.