Myth busting the cybersecurity maturity model certification

The role of cybersecurity has never been more prevalent than it is today. Safeguarding controlled government and military data from unauthorized disclosure is not only critical to our national security but also to economic freedom. Up until now, companies that process sensitive government data, whether directly or as a sub-contractor, have only been required to self-attest as to their knowledge of relevant regulatory requirements. In many aspects, self-attestation has proven unsuccessful as evidenced by notable breaches of critical government information in both the public and private sector. Over the past few years, data breaches, ransomware attacks and other cybercrimes have only continued to climb.

Due to this increase in cyberattacks on United States federal, state, local governments as well as private and public companies, the U.S. Department of Defense (DoD) has mandated a higher level of assessment by a third party – the Cybersecurity Maturity Model Certification (CMMC). CMMC is a unified standard for implementing cybersecurity controls based on the National Institute of Standards and Technology NIST 800-171. The mandate is for the protection of controlled unclassified information (CUI) as well as Federal Contract Information (FCI) at maturity levels 1 and 2 across the defense industrial base (DIB). The DIB supply chain includes over 300,000 companies.

While this is a step in the right direction, there are some confusion, speculation and rumors related to CMMC accreditation. The following are three common misconceptions around CMMC certification, with clarification to help organizations requiring CMMC certification to stay well-informed on the necessary guidelines and procedures.

Myth #1: DoD Contractors can get ahead of the curve and be deemed in compliance with CMMC

There has been much confusion about CMMC Service Providers and Assessors, and misinformation about companies offering CMMC services. The truth is there are no “official” CCP, CCA-1 or CCA-3 certified assessors or assessor instructors at this time. However to ensure the program is moving forward in preparation for upcoming company assessments, the CMMC-AB established a Provisional Assessor and Provisional Instructor Program. There are DoD-selected individuals who have been identified, trained and tested to validate that they meet the skills and requirements to deem them as “provisional.” Once the official exams are released, these individuals will be required to take and pass the actual exams to earn their assessor level certifications. It’s important to note that being deemed a “certified assessor” with the DoD for CMMC Level 1 and Level 3 assessments also requires passing a suitability check and the appropriate level in which they will be handling data.

From the beginning, the DoD had planned on running several pilots this year, then increasing the number of contracts with the CMMC clause in it year over year until it is in all contracts by 2025. With that being said, the effort involved in reaching any level of CMMC certification must begin now.

Myth #2: A Company that Provides You CMMC Gap Assessment and Readiness Services Can Assess You for Potential CMMC Certification

Again, this is false. It would be a conflict of interest for an RPO to consult on the readiness of organizations seeking certification (OSCs) and then also perform the assessment. The CMMC-AB rules prohibit this.

Myth #3: A CMMC Registered Provider Organization (RPO) is a certified CMMC Third Party Assessor Organization (C3PAO)

While there has been some speculation and confusion around this statement, this is also false. A CMMC RPO cannot provide CMMC assessor services to the same OSC. However, as a CMMC RPO, the provider is authorized to represent the organization as familiar with the basic constructs of the CMMC Standard by using a CMMC Accreditation Body (CMMC-AB)-provided logo. CMMC RPOs can currently only offer advice, not official assessment. Training for official certified assessors has yet to be conducted.

Assessors will play a critical part of the procurement ecosystem, and for implementing sweeping new cyber standards for all of DoD’s 300,000 contractors. While CMMC RPOs cannot provide assessor services, they are listed on the CMMC-AB’s Marketplace and have all agreed to the strict CMMC-AB Code of Professional Conduct.

RPOs can, however, pursue becoming a C3PAO by going through the entire authorization process for that class of provider. Regardless, if they provide RPO services to a company, they would be prohibited from also performing a C3PAO assessment for that same company.

Stay Agile and Up to Date on CMMC Guidelines

How can government agencies and other contractors stay agile and not fall victim to these CMMC myths? Keeping up to date with the latest news from the DoD will allow organizations to be aware of any new movements and updates in CMMC accreditation. The CMMC-AB website is an excellent source for current information. The AB also holds monthly Town Hall webinar meetings which are open to the public. Recordings of the meetings are later posted to the website. Additionally, there is information available on the website of the Office of the Undersecretary of Defense for Acquisition & Sustainment. The OUSD(A&S) and the CMMC-AB are the only organizations officially sanctioned by the DoD to speak and act on the Program’s behalf. While the CMMC rule has been delayed by COVID-19, it is still anticipated that CMMC will be in all DoD contracts by late 2025. Due to this inevitability, DoD contractors and sub-contractors must start preparing now.

CMMC compliance is required if your organization continues doing business for the DoD. CMMC requires each organization to undergo a third-party assessment to determine the maturity of their information security controls, which is assessed at five different levels. The levels are used to determine eligibility to respond to specific RFPs. Additionally, each one of these levels has its own set of specific practices and processes. Vendors must meet the practices and processes of each of these levels, which ends up creating an "all or nothing" approach.

CMMC is complex, which is why many organizations continue to experience confusion and more rumors circulate. However, achieving this level of compliance with this cybersecurity framework will strengthen and improve organizations to be resilient, prevent data breaches, and stop unauthorized access into their networks.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.