SysArc

CMMC Compliance Preparation for DoD Contractors

How DoD Contractors Can Prepare for a CMMC Audit and Become Certified

Why The DoD Created The CMMC

Department of Defense (DoD) contractors are now well aware of the cybersecurity mandates that have swept across the defense industry over the past several years. In 2015, the U.S. Department of Defense published the Defense Federal Acquisition Regulation Supplement, known as DFARS, which mandates that private DoD contractors adopt cybersecurity standards based on the NIST SP 800-171 framework. This is all part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats and to reduce the overall security risk of the sector.

Since the passing of DFARS, over 300,000 U.S. DoD contractors have been scrambling to understand DFARS and implement NIST SP 800-171 standards within their companies to become compliant with the regulation. Some have had the internal resources to become compliant themselves, while others have outsourced the task to a CMMC Registered Provider Organization (CMMC RPO), such as SysArc, that helps DoD contractors comply with the cybersecurity mandate. Even though the DoD has incentivized compliance by making it a “competitive advantage” within the contract awards process, many contractors have chosen to put off compliance. There are even reported cases in which DoD contractors have made false claims, stating on DoD contracts that they were in compliance, but were later found to be non-compliant. Because of the slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) to verify that adequate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) on DoD contractor systems.

Version 1.0 of CMMC was released in late January 2020, and since then many updates have been made. This guide was written for DoD contractors specifically and provides information about what we know about the CMMC, what contractors can expect as the DoD rolls out this program, and the options they have to prepare for a CMMC audit so they can become certified and continue to offer their products and services to the DoD without delay.

Note: This guide has been updated to Version 2.0 of the CMMC model and will be updated as more information is released by the Department of Defense. Because the CMMC rollout is a rapidly changing topic, we also have a CMMC News page featuring our executive summaries of the latest updates to the Cybersecurity Maturity Model Certification (CMMC) from the Accreditation Body, CMMC-AB. We also have a guide that details the changes from CMMC 1.0 to 2.0.

The CMMC Model

The CMMC 2.0 model encompasses three maturity levels that range from “Foundational” to “Expert”. While the CMMC 1.0 model combined various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity, the DoD has simplified CMMC 2.0 to be based on NIST SP 800-171 Rev. 2 and NIST SP 800-172.

About CMMC Levels

  • Level 1 Foundational: Requires implementation of 17 cybersecurity controls. These controls can be found in Federal Acquisition Regulation (FAR) 52.204-21. Annual self-assessments and affirmation of compliance are required.
  • Level 2 Advanced: Requires implementation of 110 cybersecurity controls from NIST SP 800-171. Third-party assessments from C3PAOs will be required for most contracts every three years, with select contracts only required to perform self-assessments annually.
  • Level 3 Expert: Details are still being worked out, but it is expected that this level will require controls from NIST SP 800-172. This level is designated for highly-sensitive DoD programs.

Self-Assessments vs. Third-Party Assessments

The DoD will verify contractors’ compliance in 3 ways:

  1. Annual Self-Assessment: Required for CMMC Level 1 and only for select programs within Level 2.
  2. Triennial Third-Party Assessment by a C3PAO: Required for CMMC Level 2.
  3. Government-Led Assessment: Required for Level 3.

Each contract will specify which Level of CMMC contractors must meet before they can be awarded the contract.

How to Prepare for CMMC

As mentioned above, the various CMMC levels call for different controls outlined in FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172. DoD contractors should determine which CMMC level they wish to obtain and then implement the controls necessary. DoD contractors that have already implemented all NIST SP 800-171 controls should have no issues passing a CMMC assessment up to CMMC Level 2.

For DoD contractors who have not yet implemented the required controls, the following options are available to prepare for a CMMC assessment:

Do it Yourself: Meet Requirements In-House

DoD contractors or suppliers who have the resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST). NIST created this handbook to assist U.S. DoD contractors who provide products and services to the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1; there is currently no Self Assessment Handbook for NIST SP 800-171 Rev. 2.

NIST has also made available a System Security Plan (SSP) template and a Plan of Action & Milestones (POA&M) template, the two documents required for compliance.

If a contractor does not have the expertise to meet the requirements of NIST SP 800-171, it has the option of outsourcing the work to a third-party CMMC consultant, such as SysArc, that offers CMMC compliance services. There are many qualified and experienced Managed Security Service Providers (MSSPs) in the U.S. who specialize in compliance services and monitored cyber security for DoD contractors that need to implement NIST cybersecurity controls. A qualified MSSP will be able to perform the assessment and any remediation work necessary to pass a CMMC audit. Look for MSSPs that have obtained CMMC RPO status. An updated list of RPOs verified by the CMMC Accreditation Body can be found here.

Outsource: Work with a CMMC Consultant

For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a CMMC RPO that specializes in CMMC Consulting. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose an RPO that they can trust.

By outsourcing the NIST cybersecurity work to a qualified provider, DoD contractors should save a lot of time and money getting and staying compliant with CMMC. An outsourced provider will have all of the required knowledge and experience for the Readiness Assessment, System Security Plan (SSP), and Plan-of-Action & Milestones (POA&M), as well as the advanced tools required to monitor and respond to security incidents. They will also have the resources required to perform the remediation steps required to become compliant and the legal documentation to prove compliance has been reached and is being maintained when the time comes for a CMMC Audit.

The CMMC Readiness Assessment

The first step towards certification is for the DoD contractor to get a third-party Readiness Assessment completed to see how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in the appropriate CMMC Level. The Readiness Assessment is designed to discover inadequate system setups and processes that may not meet all of the required controls. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.

The results of the CMMC Readiness Assessment may reveal issues in areas such as:

  • How access to information systems is controlled
  • How managers and information system administrators are trained
  • How data records are stored
  • How security controls and measures are implemented
  • How incident response plans are developed and implemented

Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals at an MSSP use their findings to create remediation plans that correct any problems and keep their clients in line with CMMC requirements.

The gap analysis will either guide a DoD contractor in carrying out its own remediation plan, or the contractor may opt to have a third party, such as an MSSP, perform the remediation for it.

The Remediation Plan

A CMMC Consultant should develop a remediation plan based on the findings outlined in the Readiness Assessment. A remediation plan may involve small, relatively inexpensive fixes to a network and/or its processes, or it may involve more extensive, from the ground up, development of compliant networks and processes that meet today’s cybersecurity standards.

Remediation plans provide detailed documentation of processes that don’t meet today’s standards. Having a well-researched plan also makes it easier for DoD Contractors to make necessary changes to their systems.

Ongoing Cyber Security Monitoring and Reporting

Once the remediation plan is complete and a DoD contractor’s systems and procedures are compliant with the appropriate CMMC Level, an MSSP will have the tools and processes in place to monitor, detect, and report on cybersecurity breaches within the DoD contractor’s systems. If the DoD contractor is not outsourcing compliance to an MSSP, it has the option to report cyber incidents itself, provided it has the tools to monitor and detect such incidents.

The Importance of Passing the First Third-Party Assessment

For many companies, DoD contracts make up a substantial percentage of their revenue, and because CMMC certification will now be a requirement for contract awards, it’s extremely important that contractors get prepared to pass the CMMC assessment as soon as possible. If you are not prepared to pass your desired CMMC Level, you run the risk of being unable to offer products and services to the DoD for an extended period due to:

  1. The time it takes to implement all of the security controls required for the program you wish to bid on, if you have waited until the last minute.
  2. A potential backlog of audits, which could affect the time it takes to get an audit done.

Therefore, it is highly recommended that a contractor consult with an experienced CMMC Consultant who can ensure that the contractor meets the requirements of their specified CMMC Level and can pass a CMMC Audit on the first try.

Frequently Asked Questions

  • What is the difference between DFARS and CMMC?

    To understand the difference between DFARS and CMMC, it is helpful to know why the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) in the first place.

    The DoD created CMMC as a “verification component” of the Defense Federal Acquisition Regulation Supplement (DFARS) law. What does “verification component” mean? When DFARS 7012 was originally passed, DoD contractors only needed to state that they implemented the cybersecurity controls of DFARS. Basically, implementation was based on trust. This resulted in a poor adoption rate within the Defense Industrial Base, which pushed the DoD to clamp down and create a verification mechanism to ensure DoD suppliers were in fact compliant with DFARS. While CMMC is still being rolled out, this verification mechanism will come in the form of 3rd party audits from CMMC Third-Party Assessor Organizations (C3PAOs).

    In short, DFARS 7012 is the legal text for the cybersecurity requirements that all DoD suppliers must follow, and CMMC will be the verification mechanism for ensuring that it’s actually being implemented.

    With the new CMMC 2.0 model, not all DoD Contractors will be subject to a 3rd party assessment — only ones that are working on what the DoD calls “prioritized acquisitions.” Some will only be required to perform a self-assessment and affirm their compliance annually. The DoD has not yet announced how it will prioritize acquisitions.

    Still, with the Department of Justice (DOJ) announcement that it will start pursuing government contractors who falsify cybersecurity affirmations, it is imperative that contractors have the documentation and evidence to back up their affirmation of compliance, even if they will not be assessed by a C3PAO.

  • Who provides CMMC certification?

    The CMMC Accreditation Body (CMMC-AB) is the only entity authorized to select the third-party assessors (C3PAOs) that can grant CMMC certification.

    Registered Provider Organizations (RPOs), like SysArc, can provide excellent tools and services to help the organization reach compliance standards, but they do not generally provide official assessments or certifications.

    How the CMMC-AB Chooses Third-Party Assessors

    The CMMC-AB is responsible for role alignment among the CMMC program, the CMMC Assessment Body (CMMC-AB), and the CMMC Certification Body (CMMC-CB). Role alignment identifies which organizations perform which tasks within the CMMC process.

    The assessment body evaluates all organizations that want to provide certification to ensure they are following the appropriate standards and there is no conflict of interest. The certification body then audits organizations that provide CMMC assessments and ensures they are correctly following assessment process guidelines.

    Any person or organization wishing to provide CMMC certification must be approved by the CMMC-AB through this application process.

    How to Schedule an Official Certification Assessment

    The CMMC certification process is divided into two phases: the self-assessment or an assessment by a third-party consultant, and the official assessment. The self-assessment can be completed at any time, while organizations must wait until sometime in 2022 for their official assessment appointment since assessors are still in training.

    One of the key steps in becoming a CMMC certified organization involves preparing for your official assessment during this period. Organizations Seeking Certification (OSCs) can prepare by working with a reliable CMMC Consultant to work towards compliance now.

  • Who needs to be CMMC compliant?

    Every organization within the Department of Defense (DoD) supply chain—including prime contractors and subcontractors—will be required to achieve at least one of the levels of CMMC compliance.

    According to the DoD, the CMMC compliance regulations will impact over 300,000 organizations.

    Does My Organization Need CMMC Compliance?

    If your organization is one of the following, you will need to achieve CMMC compliance in order to hold and be awarded contracts by the DoD:

    • DoD prime contractors
    • DoD subcontractors
    • Any supplier within the DoD supply chain

    Levels of Compliance

    Depending on the amount and type of sensitive information your organization transmits, you’ll have to achieve one of 3 levels of CMMC compliance.

    The DoD contract specifies which level of compliance an individual contractor must meet. For example, prime contractors may have to achieve Level 3 compliance while subcontractors may only be required to achieve Level 1.

    Using the CMMC standards, organizations will be issued a score indicating the organization’s level of compliance. Each level requires you to comply with the previous level’s standards as well. The three levels are:

    • Level 1 Foundational: Basic Cyber Hygiene. Level 1 focuses on basic cyber hygiene requirements. There are 17 practices that need to be implemented from FAR 52.204-21.
    • Level 2 Advanced: DIB companies who send, receive and store controlled unclassified information fall into this category. There are 110 controls that must be implemented from NIST SP 800-171.
    • Level 3 Expert: This level is for DIB companies who send, receive and store information from the Defense Industry’s high-risk programs. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172.

    The CMMC Accreditation Body (CMMC-AB) is working to ensure that third-party assessments are available for contractors, subcontractors, and suppliers at each of the CMMC levels. In the meantime, organizations should consider working with a CMMC compliance consultant to prepare for their official audits because RPOs have gone through formal training, signed a code of ethics, and are more qualified and experienced than consultants that have not.

  • What is a CMMC assessment?

    A CMMC assessment is the process in which a company’s IT network is assessed against the cybersecurity controls required for each specific level of CMMC compliance. The control frameworks for each level are as follows:

    • Level 1 Foundational: FAR 52.204-21
    • Level 2 Advanced: NIST SP 800-171
    • Level 3 Expert: NIST SP 800-172

    When it comes to the subject of CMMC, the word “assessment” gets thrown around a lot. There are a few different versions of the CMMC assessment and it’s important to understand what each one is and the purpose it serves:

    1. Self-Assessment: These are assessments that are performed in-house by employees within the organization.
    2. Assessment by a Registered Provider Organization (RPO): These RPOs are third-party consultants that conduct their own assessments of a company’s network so that they can help prepare the organization for an official assessment by a C3PAO. Technically, any Managed Service Provider (MSP) can perform CMMC assessments, however, we recommend that you choose an RPO since they’ve been audited by the CMMC-AB and are qualified to perform the task.
    3. Assessment by a Certified Third-Party Assessor Organization (C3PAO): These are the official assessments that are conducted during the certification process.

  • How do I become CMMC Compliant?

    Step 1: Assess Your Infrastructure

    Typically, the first thing you’ll need to do is conduct an assessment of your current IT infrastructure against the control framework that aligns with your desired CMMC Level. This is also called a gap analysis and is the basis for understanding which controls, processes and procedures need to be implemented to achieve compliance. Companies with the right resources will be able to conduct their own self-assessment, while others will need to outsource the assessment to a third party, such as a CMMC Registered Provider Organization (CMMC RPO). Self-assessment resources can be found here, and templates for System Security Plans (SSP) and Plans of Action and Milestones (POA&M) can be found here and here, respectively.

    Step 2: Remediate

    The next step is remediation which involves the actual work to implement the controls, processes and procedures that are called out in the assessment. Again, companies with the resources may be able to perform the remediation work themselves, while others might consider utilizing an RPO. Even if a company does have the resources, an RPO will likely be able to do it faster and more efficiently.

    Step 3: Get assessed by a C3PAO

    For companies that need to meet CMMC Level 2 or 3, the last step to becoming CMMC compliant is to get an official assessment from a Certified Third-Party Assessor Organization (C3PAO). However, no assessments are currently being performed, as the assessors are still being trained. The first assessments are expected to start in 2022.

  • What’s the difference between CMMC 1.0 and 2.0?

    Summary of Key Updates from CMMC 1.0 to 2.0

    1. Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
    2. Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
    3. Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, leaving contractors only having to implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
    4. Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.

    For an in-depth guide into CMMC 2.0 changes, see here.

  • What is a CMMC RPO?

    According to the CMMC Accreditation Body, Registered Provider Organizations (RPOs) in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants, but do not conduct Certified CMMC Assessments. Any references to “non-certified” services refer only to the fact that an RPO is not authorized to conduct a certified CMMC assessment.

    For example, SysArc is an RPO. We help DoD contractors prepare for CMMC. We’ve helped over 1,000 DoD contractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC.

  • What is a CMMC C3PAO?

    A CMMC Third-Party Assessor Organization (C3PAO) is an organization that is authorized by the CMMC Accreditation Body to conduct official assessments for CMMC certification.

  • What Level of CMMC do I need to meet?

    If you are processing Controlled Unclassified Information (CUI), then you will need to be Level 2. If you are not processing CUI, you will need to be Level 1. It is also likely that in the future the Level of CMMC you need to meet will be stipulated within the requirements of your DoD contract. It is estimated that most contractors will need to be at least Level 2 Advanced. If you are currently compliant with DFARS 7012, then you are compliant up to Level 2.

CMMC Audit Preparation & Assessment Services

SysArc has helped over 1000 DoD contractors throughout the U.S. navigate the complexities and financial hurdles of the NIST SP 800-171 requirements. We have worked closely with our customers to ensure they are compliant with DFARS 7012 and now we are working with them to achieve the CMMC certification level they need to continue providing their products and services to the DoD. For more information, please see our CMMC Preparation Solution. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (240) 453-4146 or schedule a CMMC consultation now.

SysArc © 2023. All Rights Reserved. Powered by Lemonade Stand. | Privacy Policy
