The primary objective of our CMMC Readiness Review is to identify any weaknesses or gaps in the organization’s current cybersecurity posture or maturity. We assess the current cybersecurity state and maturity by reviewing existing documentation, including current certifications, security plans, IT policies, and procedures against the desired CMMC maturity level requirements. This assessment uses the same three states for each CMMC practice, MET, NOT MET, and not applicable. For the organization to attain CMMC certification, all practices need to be MET. If not applicable, detailed documentation is needed to explain why the practice does not apply to the organization.
Malicious cyber actors have targeted and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD). The DoD has worked with industry to enhance the protection of the following types of unclassified information in the supply chain.
Federal Contract Information (FCI) – FCI is information provided by or generated for the Government under contract not intended for public release.
Controlled Unclassified Information (CUI) – DCSA defines CUI as government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
The Office of the Under Secretary of Defense for Acquisition and Sustainment has developed the Cybersecurity Maturity Model Certification (CMMC) framework to address these issues.
The primary objective of the CMMC Readiness Review is to identify any weaknesses or gaps in the organization’s current cybersecurity posture or maturity. We assess the current cybersecurity state and maturity by reviewing existing documentation, including current certifications, security plans, IT policies, and procedures against the desired CMMC maturity level requirements. This assessment uses the same three states for each CMMC practice, MET, NOT MET, and not applicable. For the organization to attain CMMC certification, all practices need to be MET. If not applicable, detailed documentation is needed to explain why the practice does not apply to the organization.
In September 2020, DoD released its DFARS Interim Rule, which went into effect November 30, 2020. The Interim Rule’s main objective is to instruct contractors to perform and report a self-assessment score based on NIST 800-171. The Interim Rule provides an onramp for the rollout of CMMC.
All work done by defense contractors—primes and subcontractors—subject to DFARS 252.204-7012 is impacted by the requirements described in the Interim Ruling. Under that DFARS -7012 clause,
The gap analysis stage consolidates the CMMC practices and controls, with findings identifying where the weak links lie. The result is a gap analysis report with actionable steps on how to move forward in areas such as your staffing needs, technical assessments, documentation, processes, and the time frame for implementing your improved security measures. Previously in the 800-171 framework, these gaps are documented in a POA&M.
As stated in previous sections, CMMC certifications requires that all practices and processes are met for compliance. Gap remediation is the process of remediating the findings from the Gap Analysis to meet the CMMC requirement. The remediation can take form in several forms. It could be the documentation of procedures, addition of hardware/software, or the combination.
The CMMC framework does not specify how an organization should remediate or address a specific practice. The organization is free to implement any administrative or technical solution to address a specific practice. The organization needs to provide evidence that they are following such practices. It is highly encouraged that the organization should automate many routine tasks such as asset inventory or continuous monitoring. It makes it easier to provide evidence that the practice is being done by the organization.
Coefficient Technologies, LLC is also a MSSP as well as a VAR where we offer cybersecurity tools as a service or sell subscriptions. The following table lists are preferred vendors that we support and sell software licenses and services.
After the gaps have been remediated and obtained a status of MET, the organization is almost complete with the CMMC readiness process. All the required documentation should be organized and assessed in the previous steps. The audit is not just composed of documentation. There is an interview process with key staff during the audit process. We assist the organization in preparing for the verbal portion of the audit. Senior managers outside of IT and Security teams must understand how their cybersecurity practices affect their areas of responsibility.
The CMMC-AB outlines the assessment (audit) process as the following:
- Schedule and Complete the Assessment
- Go to the CMMC-AB Marketplace to find a C3PAO.
- C3PAO will schedule the assessment with a Certified Assessor (CA)
- CA will perform the CMMC assessment by reviewing your documentation/evidence and conducting interviews with key staff.
- CA will send the assessment recommendation to CMMC-AB.
- Finalize the Assessment.
- The CMMC-AB reviews the Assessment with Quality Auditors
- OSCs have up to 90 days to resolve any findings with the C3PAO.
- Receive your CMMC-AB Certification