Last Updated on October 27, 2022
What Will It Take to Survive a Third-Party CMMC Level 2 Assessment?
As the Cybersecurity Maturity Model Certification (CMMC) v2 program gets closer to “go-live” in mid-2023, thousands of orgs across the US defense industrial base (DIB) are wondering: How detailed and demanding will our third-party assessment be? Do we need a system security plan (SSP) to pass the assessment? How intensively will our procedures be scrutinized? How many months of evidence do we need?
In short, what’s it going to take to live through a CMMC Level 2 assessment from a Certified Third-Party Assessment Organization (C3PAO) or the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)?
To share the latest guidance on this and other top questions from around the DIB, a recent episode of The Virtual CISO Podcast features George Perezdiaz, NIST/CMMC practice lead at Pivot Point Security. Asking the questions is host John Verry, Pivot Point Security’s CISO and Managing Partner.
George sums up the CMMC Level 2 assessment experience in 2 words: “Buckle up.”
“The good thing about the process now is there is a review before the assessment,” clarifies George. “The C3PAOs and the DIBCAC realize that they don’t have time to go assess someone just to fail them. So yes, it is going to be detailed—but it’s going to be detailed from day one. As soon as you contact a C3PAO and say, ‘Hey, I think we’re ready for an assessment. Oh, are you? Let me see what that looks like.’ So right then and there it is going to be detailed. It is going to be demanding. The key is to be ready. Start generating your evidence today for each one of those requirements. Document it; log it.”
Yes, you need an SSP
Absolutely you will need a robust SSP to pass your CMMC Level 2 assessment. Not only is it a requirement in NIST 800-171, but also it is the launch pad for your entire CMMC program.
George emphasizes that you need to create your SSP with the goal that someone can pick it up and know how to maintain your CMMC system or even rebuild it.
“Your SSP is your plan,” highlights George. “How do I manage it? How do I build it? How do I maintain it? Your processes can be within the SSP or be assigned to something else. But it has to make sense for the assessment team to pick it up and see, ‘Okay, I see how this process will generate this output,’ and that it is repeatable and achievable.”
“So, buckle up,” George reiterates. “You have to be ready and no kidding you have to be ready.”
Advance planning tips
A great way to prepare for what happens in a CMMC Level 2 assessment is to check out NIST 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” This is the guidance that assessors will be using. It explains where they’ll be looking, what evidence they’ll be looking for around each control, and more.
“I think that’s probably the best way to prep for an audit, short of us doing a readiness assessment or preliminary audit—which is recommended if passing is critical,” adds John.
The CMMC v2 assessment guides for Level 1 and Level 2, based on NIST 800-171A, are also valuable.
What happens when NIST 800-171 is revised?
NIST plans to update NIST 800-171 to address changes in cybersecurity threats, vulnerabilities, technologies, etc. The pre-draft call for comments has closed and work on the NIST 800-171 Rev. 3 draft is now getting underway.
Will DIB orgs certified under the current R2 version need to be recertified when NIST 800-171 R3 is released?
“Very likely, yes,” George reports. “Say you get certified today [under NIST 800-171 R2] during the voluntary period, and in May 2023 we codify CMMC and in July it starts showing up in programs. Now you start that clock. And let’s say NIST 800-171 revision 3 comes out around July 2023. Next time you are up for recertification you’ll probably want to start moving towards that new standard.”
As of now, CMMC v2 has a 3-year certification cycle, so orgs that are CMMC certified before NIST 800-171 R3 comes out could have up to 3 years to prepare for the new standard. Or, depending on when R3 is available, you may be able to get your initial CMMC certification against R3.
To listen to this special CMMC Q&A episode featuring George Perezdiaz, click here.
If you’re interested in getting the most out of the CMMC assessment guidance, check out this blog post: Making the Most of the CMMC Assessment Guidance from the CyberAB