This 18m video features Kyle and me talking with our good friend and collaborative partner James Quilty of SofiaITC! James is a cybersecurity expert and CMMC-AB Registered Practitioner and Provisional Assessor. We discuss how to plan your CMMC certification and DFARS compliance timeline. Please note that the timelines below relate to CMMC level 3.
What’s the full DFARS compliance timeline people should expect to achieve CMMC compliance?
You need to calculate the CMMC and DFARS compliance timeline based on the size of your organization. Look to your DoD contract requirements about whether you handle FCI or CUI. That’s the first step. Your migration strategy into an O365 environment or the AWS environment will depend on the size of your organization. Perform a gap analysis to ensure correct implementation and preparedness for the CMMC certification assessment. Next, engage a C3PAO or RPO to fine-tune your practices and processes before moving forward with the assessment.
Three ways to accomplish the implementation and assessment:
- Do it internally from within your organization
- Hire a third-party, non-certified CMMC professional to perform the gap analysis and prepare you for the assessment
- Bring in a certified CMMC-AB approved third party consultant team
Engage an RPO to perform a Gap Analysis
The third step in your CMMC and DFARS compliance timeline is to engage an RPO (registered practitioner organization) to bring in their RP (registered practitioner) to do the gap analysis. You would need to bring in a separate individual to do the actual implementation. They cannot do both (it is deemed a conflict of interest). They will make sure you’re prepped with the objective evidence, as there will be two pieces of objective evidence per practice. They’ll provide that back to the C3PAO, who will then engage a CP, a certified practitioner, or a certified assessor.
They cannot guarantee that you will pass, but they will first approve of the package before handing it off to the C3PAO to review it. Once they have confirmed that the package is ready, they’ll submit it to the CMMC-AB and they’ll review it.
The CMMC certification timeline ultimately depends on the size of your organization and the requirement within the contract and your Prime (especially CMMC level 3 and higher). The process of performing the gap analysis, the implementation, the assessment, the submission, the review, and finally the certification could take from six months for a smaller organization to a year or a year and a half for a larger organization.
You mentioned collecting two pieces of evidence for each of the 130 practices. If I just put in a practice, control, process, or policy yesterday, will I be able to pass?
It’s possible that you can pass, especially if you’re a newer organization. I just want to reiterate that for CMMC level 3, there are 130 practices and processes. We have to make sure that there are two pieces of objective evidence for each of the 130, so that’s 260 in total for that package. Additionally, there is the requirement of the on-site component to gather the evidence. There’s some time and travel involved, as well as bringing folks to your organization to get the extra components for the physical security part of your package.
Is there any way to minimize bringing in a consultant to assess physical security practices during the COVID-19 pandemic?
The answer to that question differs on a case-by-case basis and depends on the CMMC and DFARS compliance timeline. Fiscal year 2021 is when CMMC requirements begin for both prime and subcontracting companies. 15 contracts means there are 15 primes plus 100 subcontractors, a total of about 1,500 organizations (both primes and subcontractors) who will be required to be compliant.
Is this COVID-19 virus going to be almost gone, or are we still going to be in the current state that we are in today? It’s possible an employee of the OSC (organization seeking certification) could walk the premises with a video camera to pan around and show that we have a special digital code to gain access into the data center, for example, or swipe a card reader; and you can screenshot that for objective evidence.
This pandemic has definitely changed the way we do things. The CMMC-AB board of directors is working through that on a case-by-case basis. There are going to be bigger organizations that may not want you to have a video in there for reasons of security and confidentiality, versus someone going on the premises to perform an assessment.
How does the CMMC level requirement affect length of CMMC Certification Timeline to achieve compliance? Is it safe to say that it would be a quicker process to become certified for level one or two, compared to level three and beyond?
Definitely. The reason for that is that there are fewer practices required for level one. There are only 17 required practices for level 1, versus 130 for CMMC level 3.
There is a small mitigation strategy that we can implement as long as the prime is okay with it and it is approved within the CMMC-AB. Your contract may require you to be CMMC and DFARS compliant and have a containerized environment. The prime is absolutely required to have that containerized environment. For the subcontractor, however, it depends on the prime and their strategy. The prime may require the subcontractors to comply and be ready at level one or level three. The primes can bring the subcontractors into the environment that they’ve already containerized and provide the username, password, and VPN access.
This allows the subcontractor to traverse into the Prime’s environment to access the contract information or CUI. Within that environment, it is the responsibility of the prime to lock it down to the point where they cannot take screenshots, send an email, or print that information within the subcontractor’s environment.
Who set up the CMMC ecosystem?
The CMMC-AB is receiving its direction directly from the DoD and signed a contract in order to perform the CMMC implementation and the assessments. The DoD is holding them responsible for certifying each of the organizations that require FCI or CUI within their contract. I was able to personally take the registered practitioner exam along with the provisional assessor exam. In the first quarter into the second quarter, they’ll have additional training for certified assessors at levels one and three. I’m looking forward to getting certified in that area as well.
If the C3PAO fails an OSC (organization seeking certification) is there a dispute process? How does it affect CMMC and DFARS compliance timeline?
Yes. However, there are some steps prior to those disputes. The C3PAO and RPO are responsible for ensuring an OSC is prepared and ready to submit that package. If they’re not, there are some strategies that must take place. If you need a gap analysis or an actual implementation of the environment, you’re going to reach out to the CMMC-AB and request an RPO, which is responsible for all of the RPs. The CMMC-AB assigns an RP to your organization to implement the practices required within your organization at that specific level (especially CMMC level 3 and higher).
Your C3PAO will provide some CAs to go into your environment and validate what the RPO has assisted your organization in accomplishing. Again, it comes down to the objective evidence. The requirement and responsibility is to make sure you are truly prepped and ready. If you’re not, they’re going to let you know where you failed. It’s on you to decide what to do next. Whether or not you submit the package is entirely at the discretion of the CA (the certified assessor). If it’s a good certified assessor, he’s not going to just submit your package knowing there are three components that don’t meet the requirements.
Waiting period for failed second submission
The C3PAO reviews the submitted package and submits it to the CMMC-AB. If you don’t pass, they’ll tell you why. The OSC has 14 days to dispute it with the CMMC-AB, which in turn has 90 days to review it. The process includes an interview with the CA: Why was this overlooked? Why was the package submitted as is? The CMMC-AB interviews the OSC to understand how the review was conducted. Finally, there’s a whole Q&A component to validate that the package was either good or bad. If the company doesn’t agree with the decision and decides to resubmit, it goes through the whole process again. The problem is a three-year waiting period if you reapply and fail the resubmission.
Distinction between NIST 800-171 and CMMC
NIST 800-171 allows for a POAM (a corrective period), but with CMMC there is no POAM. You either pass or fail. If you fail and feel you’ve been falsely assessed, the dispute process adds another 90 days to your CMMC certification timeline. This may impact the contract that you’re on or going after. The best thing to do is have the resources ready to work with those CAs that are doing the assessment.
As a provisional assessor, can you conduct CMMC assessments?
Yes, you can. However, it has to go through the CMMC-AB chain of command or chain of custody. They’re responsible for providing them to the C3PAO, which will then engage those provisional assessors.
Have there been any CMMC assessments conducted to date by any C3PAOs?
No. If you hear about any assessments being completed with any organization, it’s not legitimate and it’s not through the CMMC-AB.
Please visit our YouTube channel for other free resources and cybersecurity discussion topics. LIKE and SUBSCRIBE!
And please visit us on LinkedIn. Thank you!