Guide to CMMC
CMMC Buyer’s Guide
Why CMMC?
CMMC is a DoD-mandated set of cybersecurity standards that will be required for some defense industrial base (DIB) companies once Congressional rule-making is completed (currently estimated as spring 2023) and required for all DIB companies by 2026. CMMC is based on the existing NIST-800-171 standard, something that DIB companies have been self-attesting they meet for years now, so the practices required under CMMC are not new. What CMMC brings to the table are new self-attestation and third-party assessment requirements against NIST-800-171.
DoD found that previously, while DIB companies were required to self-attest that they had implemented all of the practices in NIST-800-171, many did not despite a positive attestation. This led to weak cybersecurity at many DIB companies, resulting in ongoing theft of intellectual property and government unclassified materials.
For companies only handling Federal Contract Information (FCI), self-attestation is all that will continue to be required. However, with the implementation of CMMC, this self-attestation that the company is meeting the 17 required NIST-800-171 practices will need to come from a company official, with legal ramifications in place for both the attesting company official and the company itself if the self-attestation is false.
For companies handling Controlled Unclassified Information (CUI), a CMMC third-party assessment will now be required. A third-party assessor is known as a “C3PAO”, which stands for CMMC Third Party Assessment Organization. C3PAOs are certified by the Cyber AB, the US DoD-sponsored accreditation body (see www.cyberab.org). There are not a lot of C3PAOs or provisional assessors (individuals allowed to conduct the assessments) approved to conduct assessments at this time, so if your organization wants or needs to have a CMMC third-party assessment sooner rather than later, we advise contacting a C3PAO to get on the schedule.
What is CUI?
From the CMMC glossary, CUI is “Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.”
From DCSA, “CUI is a government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.”
So, CUI is government-furnished material, or material developed for the government, that requires safeguarding and dissemination control. An example of CUI is technical documentation, including requirements, designs, and specifications, that describes a widget being developed for the federal government.
Who needs CMMC?
In short, if you do business with DoD, CMMC will be in the near future for your company. For most DoD contracts, CMMC will be implemented as new contracts are solicited and awarded after Congressional rule making is completed. CMMC will be required for all prime and subcontractors, so if you are a sub you will need to work with your prime to understand who is responsible for what.
If you have a contract that is currently in place but is up for recompete in, for example, 2025, that is when CMMC will come into scope for your organization. When you submit your proposal, you will also submit proof of your compliance with CMMC. That means if your organization is not already meeting the standard, you need to begin preparing for implementation now. As the contract recompete gets closer, you will need to schedule a CMMC third-party assessment if you are handling CUI (more on that in a bit). Keep in mind that if your organization fails its CMMC third-party assessment, then you will not be able to bid on the work, so be sure to schedule your assessment far enough in advance that you have recovery time if you need to have a second CMMC third-party assessment or you have CMMC-related minor fixes, called “Plans of Action and Milestones” or POAMs.
There is no rule on when CMMC will be required for new contracts. This will be determined during the Congressional rulemaking process. Will CMMC be on all new contracts all at once, or will there be a slower rollout? Unfortunately, no one knows! Our advice is that if you are expecting a new contract to come out, then your organization should be prepared for it to carry CMMC requirements, since being prepared is better than being surprised and not being able to bid on the work.
What CMMC Level do I need?
There are three levels in CMMC: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
For CMMC Level 1, the requirement is that if you handle FCI but not CUI, you will require a CMMC Level 1 self-assessment. Remember that FCI is any Federal Contract Information, so if you have a contract with DoD or are a subcontractor to a DoD prime contractor, you are in scope for CMMC and will need to complete a CMMC Level 1 self-attestation that you meet the 17 NIST-800-171 practices that make up CMMC Level 1.
For companies that have a low risk of ever encountering CUI, for example, companies doing landscaping or serving food at a DoD facility, CMMC Level 1 will be all you should ever have to implement. However, if your organization does ever receive CUI, then you will need CMMC Level 2.
CMMC Level 2 is for any DoD contractor or subcontractor that handles CUI. Level 2 brings all 110 NIST-800-171 practices into scope. This also requires a CMMC Level 2 C3PAO Assessment, which means an accredited outside organization must assess your CMMC Level 2 implementation.
The requirements for CMMC Level 3 have not been finalized yet, although DoD has officially stated that it will include NIST-800-171 and NIST-800-172 requirements. The DoD has also said that only a small subset of DIB companies will require it, but that those that do will need a CMMC Level 2 third-party assessment for the NIST-800-171 practices and a direct Federal Government assessment for the NIST-800-172 practices.
Technical Qualifications: How to find and select a CMMC Consultant
Before finding a consultant, determine how comfortable your organization is in meeting Federal cybersecurity requirements as documented in NIST-800-171. Does your organization currently have a Facility Clearance (FCL) and possess classified materials? If so, then someone in your organization is probably familiar with implementing NIST-800-171 (or something similar) and you are well on your way. If your organization has never operated a Sensitive Compartmented Information Facility (SCIF), is a “non-possessing” facility, or doesn’t have an FCL, then you may want assistance in understanding and implementing CMMC or NIST-800-171. Remember, CUI is not classified information, but all of the controls and protections associated with CUI are similar to those used with classified information.
Tips for Determining Between Good and Bad Consulting Organizations
How might you determine who is a good consulting organization and who isn’t?
- As always, but especially in cybersecurity, buyer beware! Be cautious of internet advertisements and listings for consultants on Cyber AB’s marketplace. Although the simplest answer to finding assistance with CMMC might appear to be checking the Marketplace on the Cyber AB website, being listed as a consultant on the Cyber AB website only means that the listed company (1) is authorized to work in the US and (2) paid Cyber AB a $5,000 listing fee. Unlike the other two organization-level roles associated with CMMC (the C3PAO discussed earlier and the Licensed Training Provider (LTP)), being a Registered Practitioner Organization (RPO) requires minimal training and no objective evaluation of skill. There are, of course, many knowledgeable RPOs available, but the listings on the Cyber AB Marketplace do not provide a way of distinguishing between companies that can deliver and those that just invested $5,000 in a listing.
- Start by picking a C3PAO that you want to work with and ask them about consultants. Since C3PAOs assess the results of a consultant’s work as demonstrated through the implementation of CMMC in an organization, most C3PAOs know who does good work and who falls short. And C3PAOs are forbidden by Cyber AB’s licensing agreement from having a financial interest in or relationship with CMMC consultants.
- Ask the consultant about their experience in setting up computing environments using Linux, Windows, both, or iOS. Most systems containing CUI are built using Linux, Windows, or a combination. If the consultant is convincingly comfortable in your organization’s preferred operating system, check on their partnership status or familiarity with different cloud service providers. For example, using Microsoft’s Azure Government Cloud Computing (GCC) -High or -Medium are common paths towards fulfilling CMMC requirements. Finding a consultant who is a Microsoft partner or who has set up systems in Azure would be a good indicator that the consultant can help your organization, too.
- Look for consultants that work for an organization with an FCL or who have set up computing environments for a SCIF. (An organization with an FCL should have an alphanumeric CAGE code, which can be verified with the US government.) Once again, although CUI is not classified information, the skills and background needed to manage information under an FCL and, in particular, in a SCIF are directly transferable to protecting CUI under CMMC. Anyone who knows how to make a secure computing system that handles classified information is well-equipped to establish a system for CUI. (We’ve been ironically amused by the protests among some “highly-regarded” CMMC experts who have struggled to complete DoD’s basic background investigation process, indicating that they may be people who know how to secure CUI, but they wouldn’t actually be trusted with CUI.)
- Look for organizations that employ Certified CMMC Professionals (CCPs). Unlike Registered Practitioners, who have minimal requirements, CCPs are required to be trained as CMMC assessors. (Some CCPs may have already participated in a CMMC assessment, although those are still rare since the US Government has conducted most CMMC assessments to this point). Being a CCP is the first step in becoming a certified CMMC Assessor. Please note that if a CCP consults with your organization, they will not be on the CMMC assessment team since there are conflict-of-interest rules in place that strictly forbid that.
- Look for a Provisional Assessor who is interested in consulting. Provisional assessors are the first wave of assessors for CMMC and along with extensive training, most have years of experience assessing against frameworks closely related to CMMC. Provisional assessors will become Certified Assessors once they pass the Certified CMMC Assessor exam discussed below. Again, remember that a provisional assessor who consults with you cannot be your assessor due to the conflict-of-interest rules.
- Now that the Certified CMMC Assessor course and exam have been released and folks can take the exam, you can look for a certified CMMC Assessor interested in consulting. Certified CMMC assessors will have progressed up from a CCP and must have participated in three CMMC Level 2 assessments by assessing the CMMC Level 1 practices (Congressional rulemaking is delaying the ability to conduct formal CMMC assessments so CCPs may not have had the chance to do this yet). Everyone in chorus, now—yes, the Cyber AB is serious about this—a certified CMMC assessor who consults with you cannot be your assessor due to the conflict-of-interest rules.
Non-Technical Qualifications: How to find and select a CMMC Consultant
As you can see, different consultants may come in different forms with different levels of experience and expertise. You need to determine where your needs lie as you begin to select your CMMC consultant. The first thing to consider, if you handle classified materials, is whether you need a cleared consultant. We would say yes. If your unclassified system that handles CUI supports classified work, as you may know, a vulnerability found in the CUI system may become classified based on its relation to the classified system. Better to have a cleared consultant than to have to report to your government customer that a classified vulnerability has been exposed to an uncleared consultant.
Next, if your organization is strong on the technical side but weak on the policy/process side, you will want to find a consultant with lots of policy and process definition and implementation experience. If you are strong on the policy and process side but weak on the technical side, you will want a CMMC Consultant who is strong on the technical side. If you need help with both, like many organizations, you need to find an individual or a company that can provide both. It can be difficult to be an expert at everything, so do not be concerned if a CMMC consulting organization recommends a small composite team with different skills to work with you.
Try to find a CMMC consultant that has experience with organizations of your size and the technologies you have implemented. A consultant that has only worked with large companies may not be able to make quality recommendations for a very small company, and vice versa. The processes and tool implementations can be very different for different-sized organizations. Also look for a CMMC consultant with technical experience with the platform and tools you are looking to implement, or with expertise in the tools the CMMC consultant is recommending. For example, if you are looking for a Microsoft Azure implementation, make sure your technical consultant has experience in implementing Azure.
Finally, when interviewing potential CMMC consultants, look for someone you are comfortable with and can see yourself working with. While the CMMC consultant will be working for you, you will probably be spending some long hours with them, so make sure they fit from a personality perspective with you or the team you will have them working with. Also, if the consultant will be working remotely, remember time zone differences and any language barriers. If your organization is not very technical, make sure your CMMC consultant can explain things to you and your team in terms that you can understand. You will be the ones interviewed in a CMMC assessment, not the consultant. While you will need to learn the jargon and technology, having someone who can help you understand and learn is very important.
How to find a CMMC Assessor
The authoritative listing of all Cyber AB approved CMMC assessors is on the Cyber AB Marketplace. If someone claiming to be a CMMC Assessor is not listed on the Marketplace as either a Provisional Assessor or a Certified CMMC Assessor (CCA), they are not an approved CMMC Assessor. Please verify that anyone you talk to is listed on the Marketplace, since there have been reports of non-Cyber AB approved assessors selling their services. If you are “assessed” by a non-Cyber AB approved assessor, that assessment will not be official, it will not be listed by the US Government as an authentic credential, and it cannot be used for proposals or bids for DoD work.
How to select a CMMC Assessor
Selecting a CMMC assessor is similar to selecting a CMMC consultant. Try to select an assessor you are comfortable with, who has experience assessing an organization of your size, and who is familiar with the technologies you are using. They do not need the technical expertise your CMMC consultant may require, but they should at least understand the technology at a high level.
As with selecting a consultant, if you handle classified materials you need to consider whether you need a cleared assessor. We would again say yes. If your unclassified system that handles CUI supports classified work, as you may know, a vulnerability found in the CUI system may become classified based on its relation to the classified system. Better to have a cleared assessor than to have to report to your government customer that a classified vulnerability has been exposed to an uncleared assessor.
While all provisional and certified assessors will require a DoD Suitability Determination, at this time that is equivalent to a non-adjudicated Secret clearance. So, unless an individual already holds a security clearance, they will not be cleared. CCPs participating in an assessment need only be US citizens. So, the same risk is present with the entire assessment team: if your CUI system wraps a classified system, vulnerabilities found by the assessment team could lead to a classified vulnerability being exposed to uncleared persons.
A difference between engaging with a CMMC consultant and with a CMMC Assessor is that your engagement with a CMMC Assessor will be done through a C3PAO. Individual assessors cannot do business directly with a company; it must be done through the C3PAO. If you have concerns with related classified systems as mentioned above, look for a C3PAO with an FCL. Even if you initially talk to an individual assessor, they will eventually need to direct you to the C3PAO they are working with for scoping and formal business agreements. Depending on the size of your organization, a team of assessors may be required to assess your organization, and the C3PAO is responsible for putting the team together. If you first engage with a C3PAO, hopefully they will have a pool of assessors from which they and you can select the best fit for you and your organization.
Unfortunately, once assessments are allowed to begin and companies determine they need a CMMC assessment for their DoD work, the availability of an assessor may be your only deciding factor. DoD acknowledges that there are not enough assessors to conduct all the assessments that will be required until a large number of individuals are trained and certified as assessors. This is another reason to get in line early if you believe you are going to require a CMMC assessment right out of the gate.
Do not let price be the only factor. As we have witnessed through 25+ years of consulting and assessing other frameworks, you get what you pay for. The lowest bidder might not be the best assessor for your organization. We have been brought in many times to clean up after a poor experience with another consultant or assessor. Any consulting/assessment engagement is going to have a cost associated with it; it is better to pay to get one done right than to pay for a poor one and then have to pay for a second one to clean up after the first.
Our experiences have also shown that you will want an assessor with lots of assessment experience. Interfacing successfully with companies, company executives, and different levels of staff requires years of experience. Talking to your ISSE about their security implementation is very different from briefing a CEO, and an assessor needs to be able to do both. Managing assessments, especially those of large organizations, takes project management experience, so just having a strong technical background is not enough. Good assessors need a wide breadth of experience, not just a deep understanding of security practices.
We have conducted highly technical assessments for other frameworks requiring multiple teams conducting on-site visits to locations across the country, with the assessment spanning months. An ISSE that has just begun performing CMMC assessments will probably not have the experience to manage such an assessment. The C3PAO will hopefully put you with an assessor who meets your needs but, in the end, the responsibility is on you to select the best assessor for your organization.