Making Sense of the CMMC Assessment Process (CAP)

If your organization falls under CMMC compliance requirements, you may have heard the grumbling among the Defense Industrial Base (DIB) populace about the newly released CMMC Assessment Process (CAP). The Cyber AB (formerly known as the CMMC Accreditation Body) recently published a draft version of the CAP, and it has sparked controversy and raised a number of concerns within the community.

From the document's structure to its content, many comments have been submitted in the hope that the Cyber AB will make some much-needed changes.

Reasons Behind the CAP 

The purpose of the CAP is to give Certified Third Party Assessment Organizations (C3PAOs) the procedures and guidance they need to properly perform the assessment required for CMMC Level 2 compliance. With the participation of the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), defense contractors can now undergo voluntary assessments of their organization.

The draft's release aims to ease the tension felt by companies that have been implementing NIST SP 800-171 since CMMC was first announced. While awaiting DoD endorsement of the CAP and publication of the official CMMC rule (expected by March 2023), organizations can get ahead, complete their assessment, and capitalize on their hard work and investment.


The CAP Explained 

Once the final rule is in place, every defense contractor must achieve at least the foundational Level 1, which focuses on protecting Federal Contract Information (FCI). Level 1 consists of 17 security practices and an annual self-assessment. Level 2 certification (the advanced level), aimed at protecting Controlled Unclassified Information (CUI), consists of the 110 security requirements of NIST SP 800-171 and a third-party assessment conducted every three years.

There are four phases to the CMMC third-party assessment: 

  1. Plan and Prepare the Assessment 

  2. Conduct the Assessment 

  3. Report Assessment Results 

  4. Close Out Plan of Action and Milestones (POA&M) and Assessment 

Phase 1 – Plan and Prepare the Assessment 

The planning phase lays the foundation for the assessment and for the relationship between the Organization Seeking Certification (OSC) and the C3PAO. During this phase, both parties complete a contractual agreement and a pre-assessment form, and the OSC provides background information on, and evidence from, its IT environment.

Phase 2 – Conduct the Assessment 

During this phase, the assessment team verifies the adequacy and sufficiency of the evidence the OSC has provided and determines whether each practice meets the required standard. The C3PAO uses the CMMC Assessment Guide as the basis for judging whether the assessment objectives for each control have been met.

Phase 3 – Report Assessment Results 

During the final findings briefing, the lead assessor delivers the recommended results to the OSC. Once the recommended results are finalized, the assessment package is submitted to the CMMC Quality Assurance Professional (CQAP) and the C3PAO, who verify its completeness and accuracy before uploading the results into the DoD's Enterprise Mission Assurance Support Service (eMASS).

Phase 4 – Closeout POA&M and Assessment 

After the assessment is complete, the OSC must correct any deficiencies identified during the assessment or documented beforehand. The OSC has 180 days from the final findings briefing to select a C3PAO to conduct the POA&M Close-Out assessment.


Initial Concerns with the CAP 

The CAP does address its stated purpose, but the document itself has significant problems. Reviewing the PDF, you will find numerous errors, including leftover text from earlier versions that was never removed.

Several individuals and groups, including the Cooey COE, have submitted comments and suggestions to the Cyber AB. Notably, Leslie Weinstein, a US Army Major and cybersecurity consultant with Deloitte, has posted several comments on LinkedIn about the uncertainties in the assessment process.

Beyond the apprehension about the overall process, the CAP contains general errors and duplicated sentences, which suggests a rushed release without a proper QA check. Thankfully, both the DoD and the Cyber AB are still accepting comments, via the DoD website or the Cyber AB respectively.


What does this mean for you? 

Ready or not, CMMC 2.0 is quickly becoming a reality. As a prime contractor (or a subcontractor to one, since the requirements flow down), it is essential to begin implementing the CMMC requirements now, for several reasons.

  • Compliance takes time. Starting now will ensure your organization has mature cybersecurity procedures in place before mandatory assessments begin.

  • Financial savings. Spreading implementation over time avoids unnecessary financial strain and lets you find out what works best for your organization.

  • Get a leg up on your competitors. Showing the DoD that you are serious and voluntarily complying with the upcoming requirements can put you ahead of your competitors when it comes to contract awards.

CMMC isn't going anywhere, and your organization should use this time to plan and budget for compliance efforts before it's too late.


How GSec LLC can help 

GSec LLC creates customized cybersecurity solutions to help small and medium businesses become compliant with industry regulations. Since 2015, GSec LLC has helped hundreds of satisfied customers find the right security solution for their business needs by bringing together the right service provider and solution. 

Take advantage of GSec LLC's ability to streamline your efforts while minimizing the stress of any big project. Find out how GSec LLC can help your organization by contacting us today.