The CMMC Academy recently hosted a CMMC Summer 2021 Update webinar. Discussion topics included the latest updates on the CMMC rollout, challenges facing small businesses, and preparing for CMMC assessments. Webinar participants answered several viewer-submitted questions.
Here is a quick recap of just a few of the most popular questions answered during the recent CMMC Academy webinar.
What are the latest details on the CMMC rollout?
Answer from Chris Gundel, COO of Celerium and the lead on our CMMC initiatives:
The good news is there are now three authorized CMMC third-party assessment organizations (C3PAOs), which can conduct up to level three assessments now. The not-so-good news is all the delays. If you are or would be an assessor, there are delays on the official training that's going to be available and certification tests. We're still waiting for the DoD to release the final test objectives for the certification test.
As you know, we're still waiting for any modifications to the CMMC model. And a key deliverable is the scoping guidelines from the DoD and the revised CMMC assessment methodology from the CMMC Accreditation Body (CMMC AB). I wouldn't expect final certification tests to be available until probably the first quarter of next year. You might start seeing some official training for would-be assessors later this year.
The NIST SP 800-171A assessment guide, along with the CMMC documentation, shows a pile of artifacts for each requirement. So, are all these needed, or just some, to show that you meet compliance?
Answer from Chris Gundel:
This is the same kind of confusion we've had from customers and some beta testers that took our CMMC Insights course. There is a ton of information.
The net of it is, there are three types of objective evidence that you need to collect, or at least be aware of. You need to examine the evidence, which means collecting your artifacts, and that gets operationalized into demos. The assessor who will be looking at demos will be interviewing those responsible for the practice, and they're also going to be looking at testing. So, you should have at least two different types of objective evidence for each of the practices. And that's the best advice.
Walk the talk, have your people practice, and get well trained on this stuff.
What unique challenges face small and midsize businesses when it comes to implementing CMMC?
Answer from Chris Opp, Director of SMB Solutions at Celerium:
So, a lot of companies are very familiar with how the 800-171 requirements have been rolled down since it's an older program. I think that the considerations there will mirror the considerations with the CMMC.
Realistically the two biggest things that will impact organizations are the cost to implement and the amount of time that people will have to implement these things. There will be a learning curve here as companies begin to figure out what they need and what assessors are looking for.
The difference between how auditors understand the controls and how companies have interpreted them in the past may also turn into a cost for these organizations. Finally, the time it takes their IT staff to tailor or change the way they have been doing things is another hidden cost, both in time itself and the cost of paying IT to do the work.
What do you think the right level of investment is into cybersecurity for SMBs?
Answer from Chris Opp:
I'll answer it in two parts.
First off, from the perspective of DoD contracts. If your business is primarily using DoD contracts as your main source of income, then theoretically, you may have a bigger appetite for the cost to ensure you keep your contracts.
A lot of folks are talking about how the CMMC is cost-prohibitive to small businesses. One thing to remember is that companies doing business with the DoD should have already implemented the NIST 800-171 controls. This means that the differential between 800-171 and CMMC should be a much easier transition and not as big of a cost for those starting from scratch. In the end, really evaluating how important those contracts are to your business will be the key.
The second thing I'd like to point out here is these guides (CMMC and NIST SP 800-171) are meant to be a minimum cybersecurity maturity level. They are attempting to address the current threat landscape and prepare companies in the DoD supply chain for the future. In other words, doing these things is not only to check a compliance box but also to help a company overall protect itself and other important data, not just Controlled Unclassified Information (CUI). Consider this perspective when looking at how much you want to invest.
Can a company comply if they lack cybersecurity personnel or staff? What are their options if they lack the staff?
Answer from Chris Opp:
Many organizations rely on third parties like a managed security service provider (MSSP), or maybe they have somebody come in and help them with their cybersecurity. That doesn't mean the person has to always be on the staff. Still, you want to get somebody with a cybersecurity mindset to help because of the different opinions on how these controls can be implemented.
The government wrote compliance practices purposely vague so companies can be creative answering these questions, and they don't have to have a one-size-fits-all solution. But it also creates a little bit of unclarity. So, looking at MSSPs might be a good way because they're going to have lots of clients, and they're going to have seen these questions over and over.
How do you do your scoring in SPRS for 800-171?
Answer from Chris Gundel:
First, I think we can make it somewhat easy for you. The CMMC Academy has a free NIST 800-171 self-assessment tool. And that has the scoring algorithm in it.
There are 110 controls. You go through it, you either meet a control or not, and then it adds up to a max of 110 points, or whatever the score is. That's what would be the score that gets entered into SPRS.
I urge you to download the 800-171 assessment methodology; it's called the DoD Assessment Methodology. I believe it was June of 2020 and version 1.2. It goes into a great deal of detail on the scoring itself. And obviously, you're going to want the NIST 800-171 document, NIST SP 800-171. And then the score you come up with is what you enter into SPRS.
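For readers who want to see the arithmetic behind the SPRS number, here is a small scoring calculator. It is an added example written for this recap, not the CMMC Academy's self-assessment tool or any Celerium code. It goes a step beyond the "meet it or not" summary above by encoding the rules in the DoD Assessment Methodology: the score starts at 110, each requirement that is not fully implemented subtracts a weight of 5, 3 or 1 (so the total can go negative), 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) lose only 3 points when partially implemented, a requirement that is only on a POA&M counts as not implemented, and without a system security plan (3.12.4) there is no valid assessment and therefore no score. The weight table in the block is a constructed sample of a few requirements; the values are assumptions to be checked against Annex A of the published methodology, and a real score needs all 110 rows.

```python
from enum import Enum


class Status(Enum):
    """How the assessor records one NIST SP 800-171 requirement."""
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # only 3.5.3 and 3.13.11 can be partial
    NOT_IMPLEMENTED = "not_implemented"
    POAM = "poam"                    # on a POA&M but not done: scores as not implemented


MAX_SCORE = 110
SSP_CONTROL = "3.12.4"               # no system security plan -> no assessment, no score
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # deduction when partially implemented

# Constructed sample of the Annex A weight table (assumed values; the real
# table covers all 110 requirements and must be used for a real SPRS score).
SAMPLE_WEIGHTS = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.1.5": 3,     # least privilege
    "3.1.9": 1,     # privacy and security notices
    "3.3.3": 1,     # review and update logged events
    "3.4.1": 5,     # baseline configurations
    "3.5.3": 5,     # multifactor authentication
    "3.12.4": 0,    # system security plan (a gate, not a deduction)
    "3.13.11": 5,   # FIPS-validated cryptography
    "3.14.1": 5,    # flaw remediation
}


def deduction(control, status, weights):
    """Points subtracted for one requirement given its status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if control not in PARTIAL_CREDIT:
            raise ValueError(
                f"{control}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[control]
    # NOT_IMPLEMENTED and POAM both lose the full weight
    return weights[control]


def sprs_score(assessment, weights=SAMPLE_WEIGHTS):
    """Return the SPRS score, or None when there is no SSP (no valid assessment).

    `assessment` maps every requirement in `weights` to a Status.
    """
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"assessment does not cover: {missing}")
    if assessment[SSP_CONTROL] is not Status.IMPLEMENTED:
        return None
    return MAX_SCORE - sum(deduction(c, assessment[c], weights) for c in weights)


def all_implemented(weights=SAMPLE_WEIGHTS):
    """Starting point: every requirement in the table marked implemented."""
    return {c: Status.IMPLEMENTED for c in weights}


if __name__ == "__main__":
    a = all_implemented()
    a["3.5.3"] = Status.PARTIAL            # MFA for remote/privileged users only
    a["3.1.9"] = Status.NOT_IMPLEMENTED    # no privacy/security notices
    a["3.14.1"] = Status.POAM              # patching on a POA&M, not yet done
    print(sprs_score(a))                   # 110 - 3 - 1 - 5 = 101
```

Note the difference from a plain count of met requirements: three gaps here cost 9 points, not 3, because each requirement carries its own weight, and a POA&M entry buys no credit until the work is finished.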
The CMMC program is being rolled out between 2021 and 2025. Now is the time for companies to prepare for CMMC assessments. Remember, prime contractors will be required to ensure that their subs are CMMC certified for that DFARS flow-down clause. So, there's more urgency around CMMC than you may think when you think about that time range of 2021 to 2025.
The CMMC Academy offers free resources like the CMMC Summer 2021 Update webinar, other webinars and videos, and a free online reference guide. And our fee-based CMMC Insights courses help government contractors gain insights into what assessors will be looking for when evaluating a company's CMMC implementation.