January 25, 2021
Good afternoon, everyone!
Fellow CMMC-RP Amira Armond recently published an interview with Jeff Dalton, member of the CMMC Accreditation Body (CMMC-AB) Board of Directors and Chairman of the Accreditation and Credentialing Committee, on the subject of the CMMC process. You can watch the entire interview and read a partial transcript on Amira’s website. I’m going to touch on a few key points today.
The CMMC Assessment Process
There are potentially four phases in the official CMMC assessment process:
- The pre-assessment readiness review: The CMMC Third-Party Assessor Organization (C3PAO) you have engaged for your official assessment will help you make certain you are prepared: Is the schedule locked down? Have you confirmed everyone’s availability? Is the data prepared and accessible? The Assessment Plan will detail everyone the Certified Assessor (CA) wants to talk to and everything they will want to see. The more complete the plan is, the more efficiently the assessment as a whole, and especially the onsite piece, will go.
- The assessment: This will probably include some advance work and interviews by phone, and will conclude with an onsite visit. Every official assessment requires an onsite visit, even for Maturity Level One (ML1).
- Reporting: This is when the C3PAO reviews the results of the assessment and prepares its official report.
- Remediation: If the C3PAO determines that you have not fully met all the practices and processes of the ML for which you are seeking certification, and if the C3PAO and you both agree that you can correct the deficiencies within 90 days, you may request a remediation period:
"It must be performed by the same assessment team. It must be within a 90-day window. The request for a remediation window must be submitted within 7 days. The CMMC-AB needs to be notified. But there is a 90-day window to make corrections and have the assessor come back and perform a delta [assessment] against those practices."
Once the C3PAO determines that you have met all required practices and processes, it will submit a report to the CMMC-AB. The CMMC-AB will conduct a quality review of the assessment, and if it passes, will issue a 3-year certification.
The Path to CMMC Certification
So, where do you begin?
First, if you haven’t already, perform your DoD Self Assessment and record your score in the SPRS database. (Read about this in my November 18 newsletter.) This initial self-assessment identifies your baseline compliance posture.
Second, seriously consider hiring a CMMC Registered Provider Organization (RPO) to help you prepare. In this interview, Dalton said:
“CMMC is a context model, it’s not an audit model, so it isn’t like there’s yes or no questions to every single practice. There are some, but a context model means that understanding the context of the organization – you know, size, scope, culture, product line, things like that – are going to affect the decisions that you make in order to achieve a level of CMMC. So working with an RPO that knows your company and will work for you long-term can be very advantageous.”
Also, remember that security and compliance are not the same thing. The CMMC Assessment Methodology is a complex document and requires study and experience to navigate and apply. The most experienced security consultant does not automatically know and understand how to implement the CMMC model. (I'll be talking about how to choose an RPO in my next newsletter.)
Third, have an independent party (RPO or C3PAO) conduct a gap analysis. Dalton said:
"Any company that goes in for an official assessment without an external gap analysis is probably in for a very big surprise, and not a good one. Anyone who performs a self-assessment should understand that these are generally not as deep or as broad as an outside analysis."
He recommends reaching out to an RPO or C3PAO as soon as you decide you are going down the path of CMMC certification. He suggests doing the independent gap analysis at least 6-12 months before you anticipate scheduling your official assessment, so that you have time to correct any deficiencies that were identified, and to develop the necessary process maturity.
Next Work(fromhome)shop January 26
This newly updated online class will cover the basics -- what CMMC is, why we have it, applicability, terminology, the timeline, and the assessment process. It's an introduction to my "deep dive" series on the specifics of achieving Maturity Levels 1-3, coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.
Tuesday, January 26 @ 10:00 AM - 11:00 AM (CT)
Remember, the time to prepare is now, and I can help! Contact me with your questions, and let’s talk about the path forward for your organization.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!