New Year, Same CMMC: What Your Organization Needs to Know Now

With the start of a new year, organizations hoping to do business with the U.S. Department of Defense (DoD) need to be more aware than ever of Cybersecurity Maturity Model Certification (CMMC) requirements.

If you’re new to the world of CMMC, this blog post offers a comprehensive overview of what the standard is, what it’s intended to do, and why it’s so important. For organizations that are already versed on the basics of CMMC compliance and are working toward achieving the appropriate maturity level, the interview below with Darren Van Booven, Lead Principal Consultant at Trustwave, CMMC Registered Practitioner, and former CISO of the U.S. House of Representatives, can help you assess your CMMC readiness for 2021.

Q:    What is the current state of the CMMC framework? What should organizations be doing to be eligible for contracts?

Darren:    The official first version of the CMMC framework was released in early 2020. However, to formally implement CMMC within DoD’s procurement system, there needed to be an update to the Defense Federal Acquisition Regulation Supplement (DFARS). That DFARS update has now happened, and the interim final rule went into effect on November 30^th. With the DFARS update the DoD supply chain and CMMC Marketplace are waiting on two things. The first is the introduction of CMMC requirements inside procurement solicitations. Right now, the DoD is able to start doing that. In a December 15, 2020 news release, the DoD announced the CMMC pilot contracts on a select group of new acquisition opportunities within the U.S. Navy, U.S. Air Force, and Missile Defense Agency. Because CMMC is being phased in over a period of 5 years, not every DoD contract will contain CMMC requirements at first.

The second step, which is what the DoD is anticipating, is for the CMMC Accreditation Body to certify enough third-party assessors who can perform the actual certification reviews to the point of meeting the demand. Right now, DOD is doing provisional assessments, which do not result in real certification. Official CMMC assessments resulting in certifications will begin in the coming weeks and months.

But that process is in place – and the CMMC Accreditation Body has said that the organizations that will get priority when it comes to achieving their certifications will be those who need to respond to the initial RFPs. That’s important – there are about 300,000 members of the defense supply chain and everyone can’t be certified at once.

Q:    What advice and guidance are you offering to your clients?

Darren:    The questions I get the most are from organizations who know what CMMC is, but don’t necessarily know how it will affect them, and what they should be doing now. So, the guidance I would offer is threefold:  

1. You need to know what level you should go after. The way you do that is to understand what kind of information you are storing or generating as part of your contract, whether it’s Federal contract information or controlled unclassified information. That is what drives the level of certification you’ll need. If your organization doesn’t know the answer to that question, work with your contracting officer to understand it.
   
   
2. Once you understand what kind of data you have, you need to understand who touches that data. What contractors and subcontractors have access to it? The reason to do that is that it will help you establish your certification boundaries. Organizations might be doing a lot of federal business, but not a lot of DoD business, and it will be more beneficial for them to limit their CMMC certifications appropriately.  
   
   
3. Finally, it’s a matter of what you can prove. Your assessors will ask for evidence proving that you are following the proper practices. Evidence can include in-person interviews, documentation, or testing. You will need evidence from at least two out of the three types, and your assessor has to get that information from people who are actually doing the work. So, organizations need to be ready to for that and it will be extremely time-consuming and unfamiliar for many.

These are all things that organizations should be doing now – so they’re not rushed later on.

Q.    How can Trustwave help?

Darren:    One of our strengths, as a full-service security company, is that we can help you make implementing CMMC compliance easier. You’ll need to do your planning and assessment by looking at your practices and finding your gaps. You’ll need to identify and find your data, so you can properly protect it. You’ll need to remediate gaps like missing policies, monitoring controls that might not be in place, managed testing services, and more. Trustwave can help with the entire process.