CMMC Webinar FAQ
For companies who have not done much yet to prepare for these requirements, what are the first things they should do?
If being a child of the 80s has taught me anything, it’s that “knowing is half the battle.” There are two immediate goals we believe companies should pursue:
- Determine if there are near term requirements to complete a NIST SP 800-171 self-assessment
Open your existing contracts, subcontracts, and proposals and search for DFARS 7012, 7019, and 7020. If you see these clauses, you likely have a near-term requirement to create a System Security Plan (50 to 200 pages), perform a self-assessment, and upload the results to the Supplier Performance Risk System (SPRS).
- Determine the targeted CMMC maturity level
Based on the above, you can start to formulate your targeted level of compliance for the CMMC. If you see any of the above noted clauses, at a minimum, you will likely be at CMMC ML 3. If not, and you provide products or services other than basic COTS, then you will likely be at ML 1. However, companies presently at ML 1 should contemplate not just their current requirements, but instead consider future contracts and whether they will likely be at a higher maturity level.
There are rumors that the CMMC will be rolled out to the rest of the Federal government. Have you heard anything about this?
We have heard those same rumors, but there is nothing official yet. Because of the huge amount of overlap between contractors that service DoD and contractors that service the civilian agencies, it would not surprise us at all to see CMMC rolled out to the rest of the Federal government at some point in the future.
You mentioned that companies can be strategic with their scoping to minimize the compliance impact. Can you explain more what this means?
Fundamentally, the CMMC is about protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If you can limit where FCI and CUI goes, you can accordingly limit the attendant compliance requirements. So, there are two key strategies companies can employ here:
- Scoping: They can carefully scope their compliance by excluding people, processes, and systems that do not come in contact with FCI/CUI. So, if an organization has a commercial practice and a DoD practice, the organization could segregate those parts of the organization from a scoping perspective, and only implement/document the CMMC controls in the part of the organization that requires the controls.
- Data Minimization: They can minimize where data goes and what data is obtained. For example, an organization that presently has loose controls around these types of data could place restrictions on that data, confining it to one portion of the company network, or encapsulating it entirely in a CMMC compliant cloud platform. Additionally, an organization could work with the government and their prime contractors to limit where data is processed and what data is received. For example, an organization may need to interact with CUI, but if it does so on government or prime contractor systems, rather than on the organization’s own systems, that minimizes the compliance impact of that contract.
You mentioned that starting at ML 2, an organization needs to document a system security plan (SSP). What is that and what goes into one?
An SSP documents two key elements: First, it contains high level information about a system, such as the name, purpose, system owner, network diagrams, interfaces, etc. Second, it documents, at a high-level, how an organization implements each and every CMMC/NIST SP 800-171 practice/control for the given system. It is required for DFARS 7012/7019/7020 (NIST SP 800-171) compliance, and it is required for CMMC at maturity levels 2 and above. To break this down a bit further, for NIST SP 800-171, you will have to document what you do to comply with each of the 110 controls. For CMMC ML 3, you will have to document how you comply with all 130 practices.
The “system” can be an individual computer system, it can be a group of related systems, or it can be an entire organization. If the scope of the SSP is broad, that is more information to organize and keep straight within the SSP; if it is narrow, the SSP is easier to follow, but you may have more of them.
Generally, an SSP will range from 50 to 200 pages. The official NIST SP 800-171 template can be found here: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final. To retrofit this template for the CMMC, you would simply renumber the sections to align with the CMMC.
Official guidance on what goes into an SSP can be found at 3.12.4 of NIST SP 800-171, which is accessible at the link above.
For companies considering the readiness process, how long will it take? Similarly, how long will a CMMC assessment take?
From our experience, you can expect a readiness project to take about a month to complete. You can expect about 1-2 weeks of onsite fieldwork and about 2 weeks for follow-up, closing conference, and report issuance. Now remember, you will not be finished once the readiness process has been completed. You will then need to begin remediating any gaps identified during the readiness process, which, depending on resources, can take months to complete.
As far as the CMMC assessments themselves, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which is responsible for performing the assessments of the CMMC Certified 3rd Party Assessor Organizations (C3PAOs), indicated that it takes approximately 6 weeks to complete ML 3 assessments. Of the six weeks, three weeks relate to planning, one week relates to assessment fieldwork, and two weeks relate to assessment wrap-up and issuance of the final report. Thus, DoD contractors can assume similar timing to obtain their CMMC ML 3 assessments, which will be an important consideration when scheduling the assessments to ensure they are completed prior to contract award.
For further questions, please contact a member of our Government Contracting Services Team and we will put you in contact with the appropriate party from Keiter.