How to get a CMMC Audit or Assessment


You’re in the right place if the US Government or your prime contractor told you that you need to get a CMMC certification.

What is CMMC?

CMMC is an initialism for “Cybersecurity Maturity Model Certification”.

The Department of Defense introduced the term in 2019 to name a new cybersecurity program. The program is used to validate the cybersecurity maturity of defense contractors as a prerequisite for contract award.

What is a CMMC Certification?

A CMMC Certification, specifically a “CMMC Level 2 certification”, means that your business operates an information system that meets DoD standards for processing Controlled Unclassified Information (CUI). The Level 2 standard is the set of 110 security requirements in NIST SP 800-171.

A Certified Third Party Assessment Organization (C3PAO) is authorized by the DoD to perform a cybersecurity assessment of your business. The C3PAO uses the security requirements and assessment objectives in the CMMC Level 2 Assessment Guide to evaluate whether you are meeting the standard.

If your network meets requirements, then the C3PAO will issue you a CMMC Certification which can be shared with the government and your prime contractors as proof that you can handle CUI.

Follow-up note about CMMC certificate timelines

If you are reading this article before November 2024, it is highly likely that the DoD has not “turned on” CMMC certifications yet. The DoD is releasing a series of regulations which formalize the CMMC program. Until this happens, I recommend checking with a C3PAO to see what options you have.

Follow-up note: If your prime contractor is asking you if you have a CMMC certificate before they are even available, welcome to the party. It is crazy that this is happening, but it is the current state of affairs. You are 100% justified in pushing back against this question by saying that no one can be CMMC certified yet.

Follow-up to the follow-up: Remember that even if CMMC certificates don’t exist yet (they require an assessment by a C3PAO), almost all defense contractors are already required by DFARS 252.204-7012 to implement the 110 requirements (320 assessment objectives) of NIST SP 800-171 to protect CUI in their information system. Don’t be the guy saying cybersecurity isn’t required until after CMMC is formalized. I personally know a handful of defense contractors, including very small ones, who have been sued by the Federal Government for doing this in the last year.

What is a CMMC assessment?

A CMMC assessment is typically a week-long block of time where your company demonstrates how it performs cybersecurity to a third-party assessment team.

The assessment team will ask questions about each requirement in CMMC Level 2 (110 requirements, broken down into 320 assessment objectives). For each objective, the assessment team will review evidence that shows your company is meeting it. This evidence can take the form of documents, records, forms, demonstrations, attestations, or even tests.

Before the assessment, companies typically coordinate with the assessment team for a few months. They work together to ensure that both parties agree which information system will be evaluated, what the schedule will be, who needs to be present, and how evidence will be presented.

After the assessment, it can take a few weeks for the report to be finalized. If the assessment report says that the company qualifies for certification, the C3PAO will issue a certificate to the company.

How do you get a CMMC assessment?

First step: Pick a C3PAO

Well, assuming you are prepared to pass (most companies reading this article are not), you would want to talk with an authorized C3PAO.

The full list of Authorized C3PAOs is published on the Cyber AB website, cyberab.org.

We recommend adding Kieri Solutions to your short list too (it is hard when your name doesn’t start with “A”!). They are the sponsor for this website and have one of the best reputations in the ecosystem for quality and reasonableness. To request a sales meeting, send an email to info@kieri.com.

As you review your options, we recommend using the C3PAO Shopping Guide provided by the National Defense ISAC.

Once you contact the C3PAO, the C3PAO’s sales team should request information about your information system before they issue a quote. Assessments are priced by the complexity of your environment: having physical facilities, lots of users, or development labs can increase the price significantly. The sales team will normally offer a fixed-price quote and should be able to explain timing as well as what to expect.

The best C3PAOs will spend time at this stage checking for red flags that indicate your information system will fail assessment. If you get all the way to the assessment with major problems, you will lose the cost of the assessment, waste your team’s time, and possibly open yourself to repercussions with the DoD when the report is shared with them. It is much better to wait until you are ready.

What are red flags that you aren’t ready?

Here are some red flags that indicate a company is not going to pass their CMMC assessment.

Not enough cybersecurity specialists on the team

You really need a CMMC expert on your team to have a hope of passing assessment. If you have outsourced your IT, then the company you hired should have a full-time CMMC specialist on staff. They should hold a credential such as Certified CMMC Assessor (CCA) or Certified CMMC Professional (CCP).

No one on the team has done it before

Book learning is very different from real life. Passing a certification test is nice, but it doesn’t compare to the experience of building and maintaining an information system that meets all 320 objectives (110 requirements). Having someone on your team who has been through a formal assessment on either side (assessor or assessee) is the best indication that you will pass.

Your system security plan is less than 100 pages long

Your system security plan (SSP) is the document that describes how your company meets each of the 320 objectives (110 requirements) in CMMC Level 2. It is also supposed to describe the system itself: its boundary, components, users, and data flows. When we see a plan that is less than 100 pages long, it almost always means that the company doesn’t realize there are 320 objectives (a really common problem).

Using the wrong clouds

In case you’re wondering, when we say clouds, we mean web services like Office 365, Box, Google Drive, and other applications you reach through a web browser.

The DoD has hard requirements regarding which cloud vendors your company can use: under DFARS 252.204-7012, a cloud service that stores, processes, or transmits CUI on your behalf must meet the FedRAMP Moderate baseline (or an equivalent that the DoD accepts). Only about 200 cloud offerings in the world meet that bar. If your cloud needs to meet the requirement but isn’t on the list, you won’t be able to pass.

How soon can you schedule a CMMC audit or assessment?

CMMC assessments normally take at minimum 8 weeks to plan and schedule.

Most of that planning time is for your benefit – your team will need several weeks to prepare once they hear the assessment is imminent. Believe me, even if you think you’re ready, once the assessment is scheduled, your team will want time to really review everything again.

It is best to reach out for a quote at least 4 months prior to your desired assessment date. If you know that you want an assessment, go ahead and ask for a quote even if you are a full year away. It won’t hurt.

How do you prepare for CMMC assessment?

There are a few winning strategies for preparing for CMMC.

Outsource your IT to a company that has done it before

If you are a very small company, your best option is normally to engage with a CMMC-oriented Managed Services Provider. They should already have the skills in-house to get the job done.

Build your internal capabilities

If your company has more than 200 users, you should have the resources to hire a cybersecurity specialist in-house or train some of your smarter system admins on CMMC. If you don’t have a mentor, it will probably take more than a year for your team to figure this topic out. Engaging a CMMC consultant to train your staff and sending key personnel through Certified CMMC Professional / Certified CMMC Assessor training is a great way to build your internal team up quickly.

Use a CMMC reference architecture

A few companies are offering reference architectures for CMMC. These are packages of instructions that a single system admin can follow to build a highly secure information system that performs all the requirements. A good reference architecture will also include detailed instructions and training for your admin to maintain the system, and cybersecurity support from the architect. Kieri Solutions, our sponsor, offers one of these reference architectures for sale.


Easy, right?

I hope this information is helpful to you.

The best thing you can do to achieve certification is to engage the right company to prepare you. Unfortunately, CMMC has attracted a lot of solution vendors that prey on their clients’ lack of knowledge. If the price seems too good to be true, it likely is. If they don’t have a good reputation, run away. Peer recommendations like those found on the Cooey Center of Excellence Discord forum are actually some of the safest bets.


Amira Armond is the founder and Quality Manager for Kieri Solutions, an Authorized C3PAO. Kieri Solutions provides CMMC preparation and Authorized C3PAO assessment services. Check their services out at https://www.kieri.com
