Last Updated on July 8, 2021
Since the US Department of Defense (DoD) first announced development of its Cybersecurity Maturity Model Certification (CMMC) in mid 2019, a third-party CMMC compliance audit has been “on the horizon” for thousands of companies in the US defense industrial base (DIB). But now that future is upon us.
With DIBCAC audits of certified third-party assessment organizations (C3PAOs) underway and the first CMMC “pathfinder” assessments expected for summer 2021, the focus on exactly what CMMC assessments will look like is getting sharper.
To get a deep insider’s market-fresh view of what DIB orgs can expect their CMMC assessments to look like—and get insights on how to prepare—a recent episode of The Virtual CISO Podcast features Stacy High-Brinkley, VP of Compliance Solutions at Cask, which will be among the first approved C3PAOs. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.
How many assessors are required?
John’s first question for Stacy (besides asking about her “drink of choice”) concerns the level of auditor effort expected for CMMC Level 3 assessments. What’s the current estimate and what major questions remain?
“For a Level 3 assessment, you’re going to have to have three folks as of now,” shares Stacy. “You have to have a certified assessor, and provisional certified assessors are the only ones out there right now. And they will be performing the formals. They’re not going to be called provisional [audits], like some people are confused about.
“And then you need two CPs. Well, there are not two CPs available right now, so what we’re going to have to do is looking like is leverage other provisional assessors (Pas). So you need three people as it stands today, three assessors to do a Level 3 assessment,” Stacy clarifies.
Can provisional assessors leverage registered practitioners for the assessment?
John notes that, in the CMMC-AB’s registered provider organization (RPO) and registered practitioner (RP) trainings, he’d heard that an RP could assist a certified assessor or provisional assessor with an audit. But apparently that is not the case currently.
Regarding the significantly more costly and resource-constrained approach of using three provisional auditors for a CMMC Level 3 audit, Stacy says, “I am so hoping that that does not come to fruition. I’m so hoping that they realize the criticality of getting these assessments started, especially after what’s happened in the last few weeks, and I hope that we can move forward with RPs. It will be massively not good if we had to use provisional assessors because as you know, all of them have been in the field for over 25 years, and you’re talking about a substantial amount of budget drills that these folks are going to have to do to reassess and to redo these proposals.”
How many person-days will a “typical” audit require?
What is the expected number of person-days for a CMMC Level 3 assessment for a “typical” DIB manufacturer with about 300 employees in scope for CMMC? John mentions that he’s heard estimates on the order of 25 to 30 person-days.
“On-site, on cloud or on-prem—it depends, right?” asserts Stacy. “It depends on if they’re really in a secure environment already, or if they have put other security implementation pieces of the pie together to get to that Level 3 compliance.”
Stacy explains: “25 to 30 days is pretty, pretty tight. [Cask’s] assessment right now with the DIBCAC is going to be… Well, we upload tomorrow [mid-May] and they start, and then I think we’re done mid-June, and then it takes a couple of weeks if we’re going to get authorized when we pass. So that’s taking longer, and we’re a lot smaller than that. We’re a 50-person shop. … So it depends if they’re really ready on their game and the documentation is great. Once we get the documentation and review that, if it looks great, it could be within that 25 [person-days].”
But Stacy suggests that most DIB firms plan for more than 25 person-days for their initial CMMC Level 3 assessment.
Ready to start preparing now for your upcoming CMMC Level 3 assessment? This podcast episode with Stacy High-Brinkley is one you won’t want to miss.