Lessons Learned from CMMC Level 2 Assessments

Introduction

In a recent webinar, Kyle Lai, CCA, the President and CISO of KLC Consulting, sat down with Kevin Hancock, the Director of Solutions at Exostar. During this presentation and Q&A, Kyle and Kevin answered pressing questions from DoD contractors and subcontractors. This post distills insights from Exostar’s “Lessons Learned on Certification Assessments – Insights from a C3PAO” webinar, highlighting the lessons learned from the CMMC Level 2 Certification Assessment process.

Current CMMC Rulemaking Process

The CMMC program officially launched on December 16, 2024, with the implementation of 32 CFR. This means that organizations can now schedule assessments with a C3PAO. However, 48 CFR, which will include the actual clauses requiring CMMC in DoD contracts, is still pending.

Key Differences in CMMC

CMMC moves away from the self-attestation model, requiring third-party assessments for CMMC Level 2 and Level 3 compliance. It also defines external and cloud service providers. Cloud service providers must meet FedRAMP Moderate or equivalent standards. External service providers are not required to obtain CMMC certification, but their services are assessed as part of the overall CMMC assessment.

CMMC Levels

  • Level 1: For organizations handling Federal Contract Information (FCI). Requires annual self-assessment and affirmation.
  • Level 2: Requires a third-party assessment of NIST 800-171 controls. Some organizations may be able to self-assess at Level 2 at the discretion of the contracting officer.
  • Level 3: Introduces additional controls beyond NIST 800-171. Requires a DIBCAC assessment every three years.

CMMC Implementation Timeline

The DoD expects a phased implementation of CMMC, outlined as follows:

  • Phase 1 (1 year): Level 1 and Level 2 self-assessments.
  • Phase 2 (2 years): Level 2 certification required.
  • Phase 3 (3 years): Level 3 certification required.
  • Phase 4: Full implementation of the program.

The DoD reserves the right to implement CMMC requirements at any point along this timeline, depending on the contract.

Current Requirements

Even before CMMC is fully implemented, organizations with DoD contracts must comply with existing DFARS clauses. The first is 252.204-7012, which requires meeting NIST 800-171 requirements if CUI is received. Additionally, the 252.204-7019 clause requires a self-assessment and entry of the resulting score into the Supplier Performance Risk System (SPRS).

Lessons Learned and Best Practices from C3PAO Assessments

Pre-Assessment Phase

Organizations preparing for a CMMC assessment must provide key documents, including the System Security Plan (SSP), network diagram, CMMC scoping diagram, and asset inventory. It is crucial to ensure these documents are comprehensive and thoroughly prepared to facilitate a smooth assessment process.

Scoping

Accurate scoping is essential, requiring detailed information on all hardware and software assets, clearly categorized. All relevant CAGE codes for the assessment must be defined before it commences. Furthermore, organizations must identify any cloud service providers (CSPs) and managed service providers (MSPs) involved. For CSPs that handle Controlled Unclassified Information (CUI), obtaining the FedRAMP body of evidence and the customer responsibility matrix is necessary.

Documentation

Maintaining accurate and consistent documentation is vital. Ensure that dates on all documents align with the authorization date and the version history. If Governance, Risk, and Compliance (GRC) tools are utilized, the underlying artifacts should also be provided as individual files. To guarantee data integrity and non-repudiation, organizations must hash these artifacts.
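As an added example (not code from the webinar, KLC Consulting, or Exostar), the script below builds a SHA-256 manifest of an evidence folder and later verifies it, reporting which artifacts were modified, are missing, or were never listed; the file names and contents are constructed placeholders. A hash manifest demonstrates integrity; for non-repudiation the manifest itself would additionally need to be signed or timestamped by an accountable party.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large PDFs/exports don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map every file under evidence_dir (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(evidence_dir).as_posix(): sha256_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the folder against a previously recorded manifest."""
    current = build_manifest(evidence_dir)
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, recorded in manifest.items():
        if name not in current:
            result["missing"].append(name)        # artifact removed since hashing
        elif current[name] != recorded:
            result["modified"].append(name)       # content changed since hashing
        else:
            result["ok"].append(name)
    result["unlisted"] = sorted(set(current) - set(manifest))  # added after hashing
    return result


def demo() -> dict:
    """Constructed evidence set: hash it, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SSP_v1.2.pdf").write_bytes(b"constructed SSP content")
        (root / "policies").mkdir()
        (root / "policies" / "AC-policy.docx").write_bytes(b"constructed policy")
        manifest = build_manifest(root)
        # Store the manifest beside the evidence; it is itself a new, unlisted file.
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
        (root / "SSP_v1.2.pdf").write_bytes(b"altered after hashing")   # simulated edit
        (root / "policies" / "AC-policy.docx").unlink()                 # simulated loss
        return verify_manifest(root, manifest)
```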

Assessment Participation

Successful CMMC assessments require the participation of all team members responsible for managing CMMC security requirements, which may include personnel from HR and facility management. If a Managed Service Provider (MSP) is utilized, it is imperative to ensure their personnel are available during the assessment to address any relevant inquiries.

Mock Assessments

Organizations should consider conducting a mock CMMC assessment to become familiar with the official process and proactively identify any potential gaps in their compliance efforts. It is important to note that C3PAOs are prohibited from providing consulting or remediation recommendations during or after a mock assessment.

Common Mistakes

Several recurring mistakes can hinder a CMMC assessment:

  • Inadequate preparation for physical security assessments.
  • Failure to adhere to the documented frequencies for security practices.
  • Lacking or outdated FIPS validation for encryption.
  • Time synchronization discrepancies across systems.
  • Absence of multi-factor authentication for SFTP.
  • Insufficient documentation of specialized assets.
  • Poorly documented control inheritance from service providers.
  • Unavailability of MSP staff during the assessment.
  • Incomplete network diagrams, particularly for software development environments.

Cost and Scheduling

The cost of a CMMC assessment depends on the size and complexity of the organization. It is recommended to reserve a time with a C3PAO as soon as possible, as demand is expected to increase.

Start Your CMMC Level 2 Certification Assessment!

The CMMC Level 2 Certification assessment requires a thorough understanding of the process, diligent preparation, and access to reliable information. C3PAOs like KLC Consulting, Inc. are partners in this process, committed to helping organizations protect sensitive information and meet their contractual obligations. Download our free CMMC Level 2 Readiness Checklist to prepare for your assessment. Contact us to schedule your assessment and ensure your organization is prepared for the evolving cybersecurity landscape.

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.

CMMC Day 2025 Case Study

In-Person Presentation
Monday, May 5th, 2025
1:50PM EST
