Last Updated on September 10, 2021
If your company is preparing for a Cybersecurity Maturity Model Certification (CMMC) or NIST 800-171/DIBCAC assessment, you know your business with the US government is pretty much riding on the outcome. Failure is “not an option.”
But what happens if you do fail? What recourse do you have? Is there a process for making things right without having to start the whole assessment process over again?
To brief you on everything that should or could happen during your CMMC or NIST 800-171 assessment, a recent episode of The Virtual CISO Podcast showcases two Pivot Point Security consultants: Caleb Leidy, CMMC Consultant/Provisional Assessor, and George Perezdiaz, CMMC/NIST Security Consultant. Hosting the show per usual is John Verry, Pivot Point Security’s CISO and Managing Partner.
Failing a DIBCAC assessment
Many defense contractors are familiar with Plans of Action & Milestones (POA&Ms) associated with cyber compliance. If you “fail” your NIST 800-171 assessment with the DIBCAC, you can propose a plan of action (PoA) and set a date for when you expect to be compliant. Your DIBCAC assessors are not authorized to give you “recommendations” on how to fix an issue; that’s up to you to figure out.
Meanwhile, your current compliance score will be posted to the DoD’s SPRS database. On your compliance date, the DIBCAC will double-check your compliance and update your SPRS score.
Failing a CMMC assessment
Unlike a NIST 800-171 assessment with its corresponding compliance score, a CMMC assessment is go/no-go. If there are negative findings associated with your assessment, you will not achieve CMMC certification.
In that event, you have 90 days to rectify the issue(s) and resubmit all the relevant evidence for review, in hopes of then achieving certification. As with a NIST 800-171 assessment, your CMMC assessors will not provide “recommendations” on how to address deficiencies in your security program.
Documenting continuous improvement
As George points out, for either a NIST 800-171 or CMMC cybersecurity program, it’s expected as part of your ongoing compliance posture that you will have POA&Ms. But these should relate to planned improvements that you’ve identified and are moving to address—not to patching holes in your controls.
“That’s one thing that perhaps is misunderstood and misjudged,” George observes. “Part of that constant monitoring inevitably will be for you to have a finding and the recommendation on how you can improve your operational environment. Therefore, that should be a plan of action and milestone.”
Don’t share more than you need to with assessors
But while it’s expected that you’ll have identified and documented “opportunities for improvement” (OFIs), you don’t need to tell your assessors all about your deficiencies during your assessment.
George explains: “We recommend to our clients that you don’t share that [POA&M] with the DIBCAC. If they find it in something, you can say, ‘Yes, I was aware of that deficiency. I have a POA&M already in place,’ or whatever the case may be. But if you go and present all that information with your SSPs and your evidence, now you’re clouding their judgment automatically. They’re going to get confused. They’re probably going to go down a rabbit hole. You don’t want that. So keep those to yourself. If you’re asked to present any of your POA&Ms, show them one that has been closed.”
Wondering what your CMMC or NIST 800-171 assessment will look like? This podcast episode with Caleb Leidy and George Perezdiaz offers the perfect tour, with details and also the bigger picture.