The Reality of Self-Assessments Under CMMC 2.0 Levels 1 & 2
By: Karl Bickmore, CEO, Snap Tech IT
With the capacity to conduct self-assessments for Level 1 and a subset of Level 2, CMMC 2.0 delivers substantial improvements and sighs of relief to many Defense Industrial Base contractors. While this alleviates a significant load in many ways, there is a downside to these changes that you should be aware of as you move toward certification. Contractors have options, thanks to key improvements to self-assessments, but it’s vital to think about what these changes mean for your organization. How do DoD contractors cut through the fog when it comes to self-assessments and continue the CMMC path with so many variables still unknown? Let’s start with an overview of CMMC Levels 1 and 2, as well as the role of self-assessments in each.
CMMC 2.0 Level 1
CMMC 2.0 Level 1 will include the 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171 meant for foundational cybersecurity. This will apply to organizations handling ONLY Federal Contract Information (FCI). The department sees this foundational level as an opportunity to engage contractors in developing and strengthening their cybersecurity posture. CMMC 2.0 Level 1 will be achievable with a self-assessment.
CMMC 2.0 Level 2
The 110 controls of NIST 800-171 are included in CMMC 2.0 Level 2. The criticality of the information possessed by the organization will determine how Level 2 is divided. A third-party evaluation will be required every three years for businesses that are found to have CUI classified as Critical National Security Information. An annual self-assessment against these controls will be enough for some contractors.
While self-assessments can help enterprises achieve CMMC Level 1, most contractors who are concerned about CMMC were aiming for Level 3 (new Level 2) or higher. If the related programs “involve information essential to national security,” most contractors handling controlled unclassified information (CUI) will be required to undergo a third-party assessment or a DoD-led assessment under CMMC 2.0. It’ll be interesting to see how broadly or narrowly this is read. However, we expect the Department of Defense to err on the side of caution, which means that many contractors will have at least one such contract and will be ineligible for self-assessment.
Policies and Procedures
While CMMC 2.0 does away with the process requirements, NIST 800-171 mandates that 49 of the 110 items be “specified,” which usually takes the form of a policy or procedure. Furthermore, if you submit annual statements to the Department of Defense about your organization’s cybersecurity environment, it is beneficial to have rigor and structure to ensure such assertions remain true.
An annual affirmation from a senior corporate official is required under CMMC 2.0. This obligation is similar to Sarbanes-Oxley (SOX) 302 requirements. In addition, the Department of Justice (DOJ) declared its intention to prosecute organizations or persons who willfully misrepresent their cybersecurity policies. Organizations should start assessing their process for completing this affirmation, determining who will sign it and what foundation is needed to feel comfortable signing it.
Choosing a Path: In-House or Registered Provider Organization
The challenge that most small business contractors and suppliers face is the lack of the experience, bandwidth, and financial resources needed to ensure security and compliance. Understanding how well equipped you are in each area will determine whether you can successfully complete the requirements in-house, or whether the better business decision is to engage a Registered Provider Organization to help identify and resolve security gaps in your environment and work alongside you in preparing for the certification requirements.
Contractors working for the Department of Defense can hire a CMMC Registered Provider Organization (RPO) consultant to help them comply with the CMMC. This will save you a lot of time, money, and heartache.
Going for Level 2 Certification: Benefits of Using an RPO for CUI
The Department of Defense is splitting CMMC 2.0 Level 2, which is the lowest level for contracts requiring the contractor to manage CUI. Contracts involving “sensitive national security information” will require third-party assessments and certification every three years. Annual self-assessments will be allowed for less sensitive programs. The Department of Defense has not stated how many Level 2 programs will require third-party evaluations.
- Work alongside your business to implement NIST SP 800-171
- Assist in annual self-assessment & prepare for C3PAO audits every three years
- Work with you to identify locations & pathways of CUI exchange through your environment
- Physically help you get your processes in place
- Provide the documentation you need for certification
- Assist you with a solid assessment to support non-prioritized acquisitions moving forward with a Plan of Action and Milestones
CMMC Next Steps
In the immediate term, the release of CMMC 2.0 will alleviate worries regarding third-party certification among contractors. All DIB contractors will be bound by FAR 52.204-21, and all DIB contractors who handle CUI will be bound by the DFARS Cyber Rule as well as the self-assessment obligation created by the Interim CMMC Rule. In the meantime, the Department of Defense is looking into ways to reward contractors who voluntarily earn CMMC certification.
If more high-profile data breaches occur as a result of CMMC 2.0, the Department of Defense will likely revert to a tougher strategy. This is one of the primary reasons it is highly recommended that contractors continue enhancing their cybersecurity processes and systems, regardless of the anticipated timing for CMMC program updates. From a security standpoint, it’s not a question of “if,” but “when” when it comes to cyber-attacks. From a certification standpoint, it is highly likely that the DoD won’t sacrifice the security of sensitive supply chain data for the sake of program acceleration.
When It Comes to CMMC 2.0, What Should I Do Now?
Cybersecurity is not going away as a requirement, and it appears that CMMC 2.0 is meant to not only simplify compliance, but to accelerate it. There are a few more things to think about as you continue developing your security program.
Cybersecurity: It’s Not Just an IT Challenge, but a Business Challenge As Well
- Determine the sort of data that goes through your company: is it all FCI, all CUI, or a mix of both?
- Understand where all of your company’s data resides and how it travels through the operating process.
- Identify security flaws in your present IT environment and be able to demonstrate how you plan to address them.
- As you progress toward certification, consider the level of expertise and resources you have available to continue working on security gap solutions.
When it comes to security compliance, this is not the time to relax. After all, cybersecurity isn’t just an IT problem; it’s a problem that affects all companies. Prepare yourself with the knowledge you’ll need to achieve compliance while also protecting important supply chain data.
Do you have questions about security gaps you found when using the CMMC Self-Assessment Gauge? Contact us, and we’ll be happy to answer your questions.