Cyber Self-Defense has been receiving a large number of calls regarding the CMMC process for Government (especially DOD related contracts). Many of the questions involve the following:
- Do I need to get certified?
- Starting in 2021 the DOD will phase in RFI’s that require companies to achieve a level of CMMC certification.
- How do I get certified?
- Assessments will be performed by Licensed Certified Assessors who work for licenses CMMC Third Party Assessment Organizations (C3PAOs). These C3PAOs will be listed on the CMMC AB website when available.
- How hard is it to build a program?
- The CMMC is based on NIST 800-171, and most of the practices have been available for years. Depending on level it could be fairly simple (level 1) or more complicated (level 3+). “Hard” is dependent on current state.
- Who can get us certified?
- A Licensed C3PAO will manage the entire process
- What is the cost?
- It’s dependent on size and complexity. A level 1 for a small company is estimated at 1 day, but size, number of networks, level of complexity, whether a company handles CUI, etc. all require more time to assess.
If you are doing government contracting, you likely have a ton of questions and need them answered. The reality is that there are still many unknowns. Cyber Self-Defense has done a considerable amount of research and we are following the CMMC process VERY closely, as we hope to be one of the first companies to become certified in this process. It is something we highly support and believe in. We have believed in such a process since well before CMMC was officially established!
Here are our interpretations, based on our research, of some key aspects of the CMMC process.
- Currently, there are NO COMPANIES OR AUDITORS who can certify you! We know that the CMMC board is working hard to get companies and auditors trained, but this is a time-consuming process and one that will not happen overnight.
- We have received MANY claims from MANY companies saying that they can get you certified; this is FALSE! While we are working towards certification, we (nor anyone else!) can claim the ability to certify anyone.
- There are Provisional Assessors; they have a defined scope and our understanding is that they will NOT be able to immediately conduct audits outside of their current scope. We have heard that this is still being negotiated, but currently, nobody and no person cam conduct these audits for anyone outside the current scope.
- The DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices.
- Initially, the CMMC pertains only to DoD contracts. We have heard rumors that many other government entities are looking to adopt this process.
- We KNOW that the CMMC WILL be based on 48 CFR 52.204-21, NIST SP 800-171 (the framework says revision one, we believe it will be version 2), and the Draft of NIST SP 800-171B (the framework says NIST SP 800-171B, we believe it will be version NIST SP 800-172).
- This means that you CAN and SHOULD begin building your program. We recommend that you begin now; when we build programs for companies, it takes time. Training must be done, policies written, risk assessment completed, identity and access reviews completed, etc. There is a great deal of work that goes into this and waiting until the last minute will not be to your advantage.
- Another point we would like to make is that these requirements are based on good business practices; we recommend these preparations to ensure the success of your business. What is being asked (at least in the first three stages) is the minimum that ANY company should achieve. Many have talked about the high cost of CMMC. It’s really the potential for costs related to basic cyber security that are at issue.
If you or your executives would like a one-on-one presentation of what we KNOW or can reasonably assume, we would be happy to discuss this with you. This would not be a sales presentation and would be free, simply a way to help you started in the right direction. Please send an E-Mail to firstname.lastname@example.org