By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Key Takeaways for DoD Contractors Regarding CMMC AB Progress and C3PAO Assessment Process
On April 27, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) held its monthly Town Hall Meeting. The new CEO of the CMMC AB spent much of the meeting discussing the progress and goals of the CMMC AB, with the remaining time spent discussing the C3PAO assessment process and answering participant questions. My main takeaways from the meeting are as follows:
- The new CMMC AB CEO, Matt Travis, made his first significant public comments during the Town Hall. He noted the importance of the defense industrial base (DIB), the CMMC AB’s goal of obtaining its own ML 3 certification, and its openness to suggestions. Specifically, Mr. Travis noted that the CMMC AB welcomes suggestions that could make the CMMC process less costly for DIB organizations.
- The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which is responsible for performing the assessments of the CMMC Third-Party Assessor Organizations (C3PAOs), indicated that it takes approximately six weeks to complete an assessment.
C3PAO Assessment Completion Schedule
- Planning: 3 weeks
- Assessment fieldwork: 1 week
- Assessment wrap up and issuance of final report: 2 weeks
- Thus, DoD contractors can assume similar timing to obtain their own CMMC Maturity Level 3 (ML-3) assessments, which will be an important consideration when scheduling assessments to ensure they are completed prior to contract award.
- The DIBCAC presenter shared several common pitfalls noted after performing roughly 200 NIST SP 800-171 assessments within the past two years.
NIST SP 800-171 Assessments: Common Pitfalls
- Supporting policies and procedures should be final and not marked draft.
- Many organizations do not know what is in their own policy and procedure documents, implying that they were created for compliance purposes, but they are not followed.
- Some assessments have started despite there being open plans of action and milestones (POA&Ms). These should all be closed prior to starting an assessment.
- Many companies do not have a Cloud Customer Responsibility Matrix that identifies what the customer responsibilities are with respect to security.
- Organizations had inadequate plans to apply technical control objectives to BYOD devices.
- Inadequate documentation of policies and procedures, and no established resource plan to implement them.
- In previous town hall meetings, it was indicated that the DoD planned to perform “pilot” assessments for 15 contracts in 2021. However, during the April town hall, it was stated that several of the pilot assessments have been delayed or withdrawn because the assessments could not be completed in time for contract award. It was further stated that it is taking longer than expected to get C3PAOs certified to perform the assessments; they are hoping to have a few C3PAOs ready to perform assessments in June. Lastly, it was indicated that many of the planned assessments for 2021 are being moved to 2022. Thus, it appears that the goal of 452 ML-3 assessments will not be met in 2021, and it will be interesting to see how this impacts future years’ assessment goals.
- In previous town hall meetings, it was indicated that contractors can include the costs for ML-1 through ML-3 certifications in their overhead rates and the costs for ML-4 and ML-5 would be direct billed to the program. However, during the April town hall, it was indicated that they are still trying to figure out how reimbursement will work for ML-4 and ML-5.
I continue to find value in attending the CMMC town hall meetings. It is interesting to hear the progress that is being made with the CMMC ecosystem, as well as the questions and concerns that are being raised and how they are being addressed. There is still a long road ahead, which aligns with the effective date for all DoD contract awards after FY25.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.