Last Updated on November 8, 2022
Should We Pursue a Voluntary CMMC Assessment?
The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program is progressing towards initial assessments in mid-2023. A clear sign of progress is the rollout of voluntary assessments, which are being jointly conducted by CMMC Third-Party Assessment Organizations (C3PAOs) and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Companies that pass a voluntary assessment will be awarded a CMMC Level 2 certification (good for 3 years) once the CMMC rulemaking is complete—assuming there are no major changes to the assessment requirements in the interim. So, is getting a voluntary assessment a good idea for DIB orgs? And what about “bifurcation” and allowing some orgs to self-certify their compliance with CMMC v2?
To answer these and all the other top CMMC questions, a recent episode of The Virtual CISO Podcast featured Pivot Point Security’s lead NIST/CMMC Consultant, George Perezdiaz. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
How ready are you?
George observes that a voluntary assessment only makes sense if you’re confident you can ace it.
“It depends on what you’re trying to achieve,” explains George. “What is your motivation and how ready are you? If you know that you can pick up that test and score 100%, go for it by all means. But know that it’s not going to be painless. Know that it’s going to be demanding and it’s not going to give you an automatic CMMC Level 2 certification—we still have to wait for the rulemaking to happen to achieve that.”
George is currently working with three Pivot Point Security customers that hope to be accepted into the voluntary assessment program.
Is voluntary assessment a competitive advantage?
If you go through a voluntary assessment and come out with what is effectively a provisional CMMC Level 2 certification, how useful might that be for competitive leverage? Is it worth whatever the cost and/or effort differential might be to promote your business as “CMMC ready” today, versus getting certified later “with the herd” but having more time to prepare?
In John’s view, there is “way, way more” value to a third-party assessment of NIST 800-171 controls than just having a high score in the DoD’s SPRS database: “SPRS is most often a self-attestation, one is third-party attestation. And the DoD has gone on record as saying that the average score in SPRS is something like 70% higher than it is in reality.”
John is alluding to DIBCAC’s ongoing reviews of DIB orgs’ self-reported scores in SPRS. Many of these reviews have detected major discrepancies between the self-assessed scores and the scores DIBCAC arrived at. If that “delta” amounts to a knowingly false claim to the government, a company could face action by the US Department of Justice (DoJ) under its Civil Cyber-Fraud Initiative, which uses the False Claims Act against contractors that knowingly misrepresent their cybersecurity practices.
“If I’m an agency or I’m a prime and I’ve got somebody who’s been validated independently, objectively, versus someone who’s self-reported and they both have the same score, I’m definitely going with a company that’s been validated independently,” says John.
What happened to self-certification?
When CMMC v2 first came out, one proposed change was to “bifurcate” Level 2 and allow some orgs to “self-certify” against CMMC with an annual self-assessment rather than a third-party assessment, similar to the self-reporting situation today with NIST 800-171 compliance in SPRS. That option “seems like it’s going off the table,” but its final fate remains unclear.
“The DoD still hasn’t given clear guidance on when and if the bifurcation is going to apply, and how are they going to apply it,” relates George. “So, the message there will be: Do your self-assessment [in SPRS] and be ready for a CMMC assessment if you need it. Just do the right thing. Be prepared. If you’re saying you’re ready for CMMC, ready to handle CUI securely, then that should be the mentality there.”
“What I’ve told people is it really doesn’t matter if you’re going to self-certify [or be audited by a third party or the DIBCAC],” adds John. “The only difference is you’re saving X dollars on the assessment. But the process of getting prepared and being in a position to assert that you are prepared is the same. Just follow the same process and consider yourself lucky that you saved X dollars until finally they say you need formal certification.”
To listen to this CMMC Q&A show with George Perezdiaz all the way through, click here.
Perhaps the single most critical step on the path to CMMC certification is to correctly specify the scope of your CMMC environment. This post explains: CMMC 2.0 Scoping