As the facilitators of assessments, the CMMC 3rd Party Assessment Organizations (“C3PAOs”) play a vital role in the CMMC Ecosystem. Given the sensitive information the C3PAOs will hold and/or process, the US Department of Defense (“DoD”), under the terms of the Statement of Work with the CMMC Accreditation Body (“CMMC-AB”), is insisting that all assessment-related information handled by the C3PAOs be treated as though it were Controlled Unclassified Information. This means that the cybersecurity programs of all C3PAOs must themselves be certified at or above CMMC Maturity Level 3. Of course, this creates a bit of a “chicken and egg” scenario, since there can’t be any assessments without certified C3PAOs to perform them.
That is where the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) of the Defense Contract Management Agency (“DCMA”) comes in. Prior to the release of the CMMC program, the DCMA DIBCAC team was responsible for assessing contractors’ compliance with NIST SP 800-171 for those contractors handling Controlled Unclassified Information (“CUI”). This assessment was a validation of the contractors’ assertions under their contracts with DoD that they had completed a self-assessment against NIST SP 800-171 and that their System Security Plan, when read in conjunction with any Plans of Action and Milestones, met the requirements under NIST SP 800-171. NIST SP 800-171 is also the basis for the majority of the CMMC Maturity Level 3 requirements.
The DCMA DIBCAC team has performed over 200 such assessments in the short time since the organization was stood up, making them some of the most experienced assessors in the DoD. The CMMC-AB also trained many of the DIBCAC team members to be Provisional Assessors. Thus, the DIBCAC team has been tasked with assessing the C3PAOs under CMMC Maturity Level 3.
DIBCAC CMMC Assessment Timeline
The DIBCAC assessments of C3PAOs only began in early March 2021. The full assessment cycle, from start to finish, takes approximately 6 weeks, including scheduling and pre-assessment reviews, virtual and on-site assessments, and post-assessment analysis. Thus, as of the writing of this article, only a few C3PAOs have been assessed by the DIBCAC team under CMMC, and, to the best of our knowledge, no C3PAO environment has yet received a CMMC certification. In an effort to increase the number of C3PAOs who can begin performing their own assessments, the DIBCAC team released some preliminary lessons learned. Most Organizations Seeking Certification (“OSCs”) (i.e., government contractors) should expect their C3PAOs to apply similar standards when the C3PAO’s Assessment Team assesses the OSC’s environment, so these are lessons learned for the entire ecosystem, not just for C3PAOs. The level of pre-assessment work being performed by DIBCAC, and likely to be performed by the C3PAO’s Assessment Team, is also an indicator of the likely costs associated with CMMC Maturity Level 3 assessments.
Get Your Ducks in a Row Before you Schedule
One of the issues the DIBCAC team has encountered is that C3PAOs who believe they are ready for an assessment frequently are not. Thus, the DIBCAC team prepared a decision tree that C3PAOs should work through before they sign up for a CMMC assessment. According to DIBCAC, they expect C3PAOs to ensure they have:
- A well-documented System Security Plan (SSP). According to Darren King, the Director of DIBCAC, the NIST SSP template is a great start, but it is only the beginning and shouldn’t be relied upon as a “fill in the blank” template: each practice needs a description of how it is actually implemented in the C3PAO’s environment.
- Policies, procedures, and plans that embody and map back to the SSP. Do not confuse the three: a policy states what must be done, a procedure states how it is done, and a plan states when and by whom.
- No open Plans of Action and Milestones (i.e., every practice fully implemented, with nothing deferred).
- A well-described cloud customer responsibility matrix that outlines the responsibilities each cloud service provider used by the C3PAO takes on, and those the C3PAO must own itself. According to Mr. King, many cloud service providers (such as Microsoft) already publish such documents, and the responsibilities that fall to the customer must be reflected in the SSP, policies, procedures, and plans.
- Procedures that are well-written, clearly illustrate that they are repeatable and adequate to implement each practice, and meet all assessment objectives defined for that practice in the CMMC Assessment Guide.
- All documents, including documents incorporated by reference (such as HR policies), in final (i.e., non-draft) form.
If the C3PAO has not met all of the requirements above, the DIBCAC team suggests that the C3PAO wait to engage DIBCAC for an assessment.
Other Lessons Learned
Of those C3PAOs who have been assessed, one of the biggest problem areas identified by DIBCAC is the lack of a Customer Responsibility Matrix and of correlation back to the SSP, policies, and procedures. Another is the prevalence of Bring Your Own Device (“BYOD”) in the environment and the lack of alignment between the SSP, the policies, and what is actually observed in the environment: any personally owned device that touches assessment data is in scope and must be covered by the SSP and policies just as corporate equipment is.