As the CMMC Final Rule is about to be published and organizations are planning for CMMC requirements to roll into their DFARS clauses starting in 2025, companies are now signing up and preparing for their CMMC assessments as a JSVA (pre-published final rule) or a scheduled C3PAO (post-published final rule).
You may have seen companies celebrating perfect 110/110 scores on their Joint Surveillance Voluntary Assessments (JSVAs) on LinkedIn.
The JSVA program provides DIB contractors with the opportunity to participate in voluntary assessments, which are collaboratively carried out by a CMMC 3rd Party Assessment Organization (C3PAO) and the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). JSVAs are expected to translate directly into a CMMC L2 Certification once the ruling is finalized.
With your coming JSVA or C3PAO assessment, you may be asking yourself: "How can we prepare ourselves to face a CMMC assessment with confidence?" Well, who better to ask than the C3PAOs themselves?
At CS2 Denver, a panel of C3PAOs shared insights for the Defense Industrial Base (DIB) companies seeking CMMC compliance. According to their advice, there are three crucial takeaways for a successful CMMC assessment.
Panelists: Carly Logan, CMMC Assessor/Security Analyst, Summit 7; Amy Williams, Vice President of CMMC, Coalfire Federal; Tony Buenger, Vice President of Cybersecurity Advisory Services, SecureStrux.
With the requirement for CMMC coming fast down the pipeline, most organizations are turning to MSPs because they do not have the right resources (time, knowledge, skillset, experience, training, technical expertise) to implement and manage controls to meet all the 110 requirements and 320 assessment objectives of NIST SP 800-171 that CMMC is measuring them against. As Jacob Horne reminds us, "CMMC isn't making you do the requirements; it's making sure you did the requirements."
We heard from Jacob Hill at CS2 as well, the one-man show who took on CMMC requirements and lived to tell the tale, who shared the time and cost involved in an in-house undertaking for a small business. Jacob says it took at least a year's worth of 100% dedicated full-time employee man-hours (approx. 2,080 hours).
Amy Williams, one of the panelists and Vice President of CMMC at Coalfire, said small businesses often believe they can’t afford a certified MSP, but the reality is: they can’t afford a breach. The panel emphasized that small businesses are the weakest link in the supply chain and are being increasingly targeted by bad actors.
As Microsoft's Digital Defense Report noted, there has been a significant increase in cyberattacks aimed at critical infrastructure, with nation-state attacks on critical infrastructure rising from 20% to 40% from 2020-2022.
The good news is, CMMC is not just the way to protect your company from a costly data breach; it’s also your entry point into more contracts with the DoD. Working with an MSP, you can display the security level of a larger company, providing your small business with a competitive edge.
As Matt Travis, Cyber AB CEO, stated plainly at CS2 Denver: “You have to have a CMMC certification if you want to win more contracts.”
If you decide to go with an MSP, Amy Williams recommends weighing three providers against key criteria. The panel provided information and questions to help organizations assess the viability of a potential MSP. Here are the top five questions to ask:
1. Are you intimately familiar with NIST 800-171, DFARS 7012, and CMMC?
2. Can you provide a tailored Shared Responsibility Matrix (SRM)?
3. Are you able to support us in a Joint Surveillance Voluntary Assessment (JSVA) Program?
4. Are all your employees U.S. persons? Will all data that you store for us be geolocated in the U.S.?
5. Are you compliant?
Prepping for your assessment is on you, not your MSP. Your MSP should provide you with a tailored Shared Responsibility Matrix that delineates who is responsible for implementing controls and meeting the NIST SP 800-171 objectives. The MSP is there to carry their weight and support you, but you aren’t handing over the keys for them to drive your organization to CMMC, get it certified, and bring it back ready to go. When it comes to preparing for your DIBCAC or CMMC assessment, your organization is in the driver’s seat.
C3PAO panel members provided organizations preparing for a CMMC Certification one major piece of advice: tell a good story.
NIST SP 800-171 is descriptive, not prescriptive, in presenting the measures required for CMMC. In other words, if NIST SP 800-171 is a cookbook, each of the 320 assessment objectives shows you a photo of the finished product, not the recipe. They tell you WHAT you must do, but not HOW to do it.
This makes preparing for your assessment especially difficult, because what the DIBCAC and C3PAOs are looking for is precisely HOW you did it. Your C3PAO is going to grade you on the recipe, not just the taste-test.
What does this mean, practically?
You need to show your evidence for how you implemented the controls. A C3PAO is going to be thrilled if you hand them a novel full of things like CUI data flow, responsible persons, and a control matrix that doesn’t just enumerate the controls you met, but the PPT (People, Processes, and Technology) involved in meeting those controls. Don’t just show your policies - show HOW your policies are fulfilled by corresponding procedures.
While it's great that you get to write the recipe, it's worth a reminder that once written, you must follow it.
In other words, say what you are going to do (your organizationally defined variables, policies, procedures) but then make sure you DO the things you say. You have to cook from your recipes, because the DoD is coming back - hungry.
According to the CMMC Proposed Rule, you will need to be re-assessed by a C3PAO every three years, and every year a senior official at your company will have to sign a formal affirmation that you are using the recipes you submitted when certified.
If the DoD comes for a taste test and doesn't like what it finds, a False Claims Act action may be coming your way.
Summit 7 is the #1 MSP for the DIB. If you're curious what our answers to the five MSP questions above would be, reach out in the form below.