What Does Getting a CMMC Accreditation Involve?
The DOD encourages its contractors to complete a self-assessment prior to scheduling a CMMC assessment. But what does a CMMC assessment involve?
The CMMC Accreditation Body, a nonprofit, independent organization, is starting to accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors — those who will actually perform the CMMC assessments of DOD contractors. Earlier this month, the CMMC Accreditation Body completed the first provisional training of 25 C3PAOs.
The provisional assessors will “shake out the program and what needs to be done before the training and certified assessors for the open market are released,” William “Tony” Bai, federal practice lead at A-LIGN, a cybersecurity and compliance firm, said earlier this month, according to MeriTalk. Arrington has estimated that 7,500 companies will be certified in 2021.
What are assessors looking for when they look at a contractor’s approach to cybersecurity? First, they are looking at what kinds of certifications a company has already achieved to see what its level of cybersecurity controls are. CDW•G has achieved ISO 28000 certification, demonstrating end-to-end secure supply chain controls, as well as ISO 27001, which covers requirements for NIST-based information security management standards. When assessors looked at our security controls, we did not have to close any gaps because of those earlier certifications.
Achieving those certifications demonstrates to the C3PAOs a level of commitment to security controls. If contractors do not have such certifications already, it may be difficult to achieve the required level of CMCC accreditation.
C3PAOs are also looking to assess the kinds of controls a contractor has in place to protect DOD data, such as but not limited to, a build of materials or a schematic or other government data that is sent over as part of a contract. That data needs to be protected. At CDW•G, such data is firewalled off from the commercial side of CDW. We employ multi-layered authentication controls to provide access to such data on a need to know basis and have security controls around which personnel can try to access the data.
CMMC Levels 1 through 3 encompass the 110 security requirements specified in NIST SP 800-171 Rev. 1, which covers the protection of controlled unclassified information in nongovernment systems. There are additional controls built on top of that for the CMMC, and assessors look at not only a contractor’s implementation of cybersecurity protection system, but also its institutionalization of cybersecurity practices.
The Value of a CMMC Accreditation for a Contractor
Each DOD contractor is going to be at a different maturity level in terms of the cybersecurity controls it employs. That is based on the company’s understanding of security controls and processes and how central they are to that company’s business model.
Companies cannot attain a high-level CMMC accreditation by taking a cookie-cutter approach to cybersecurity. That is not how security in the government contracting world works.
CDW•G has in-house security team of experts and entire internal organizations dedicated to security controls. Attaining certifications requires commitment and investment — but that pays off when it comes time to receive an accreditation, such as the CMMC. Government agencies trust CDW•G to protect their data because they know about and trust the rigorous controls that have been put in place to do so. Gaining that trust via an accreditation like the CMMC demonstrates not just a company’s commitment to security but also its value as a trusted partner.
Attaining a high-level CMMC accreditation is a signal that the company can meet the DOD’s core objectives when it comes to cybersecurity. Currently, the DOD needs to perform a separate evaluation of each supplier, on a task order by task order basis, to ensure that the suppliers meet certain cybersecurity controls. The CMMC will mean the DOD will no longer need to perform its own assessments. It also ensures that DOD will have a pool of accredited suppliers that have already been vetted and meet the necessary controls.
The CMMC will be rolled out in pathfinder contracts, and those that have achieved a high level of certification will be in a strong position to participate in those. Ultimately, the CMMC process could be applied in the years ahead to agencies outside the DOD. That makes being able to navigate the process even more valuable for contractors, especially as they perform more services for agencies and conduct operations onsite with them.
The CMMC process is not simple. However, for those looking to contract with the DOD and beyond, mastering it is essential.