Now that the long waiting game is over and CMMC V1.0 is (Facebook) official, the biggest questions we are hearing from clients are:
What CMMC Level should we pursue?
How long will it take?
How much will it cost?
This blog post will address the first question, and I’ll cover the other two in upcoming posts.
I think most organizations will want to pursue Level 3, unless you have specific guidance to the contrary. If that is all you need to read, enjoy the rest of your day :>)
If you want to understand the logic behind my assertion, read on.
There are five Levels to CMMC:
CMMC Level 3 is the first level that achieves full NIST SP 800–171 coverage. As 800–171 was the previous “requirement” for Controlled Unclassified Information (CUI), it is logical to assume it will be the “standard ask” in most RFP/RFI/contracts. Another way to confirm this is that if you have a Section 7012 clause in your contract, then you will need to be CMMC Level 3 certified. (Section 7012 of DFAR 252.204 is for vendors handling CUI for DoD.)
Assuming you agree, what next?
Are you already NIST SP-800–171 compliant?
If you’re confident that you are already (truly) NIST SP-800–171 compliant, that is very good news. It means you only have to worry about 20 additional controls that were added beyond the 110 that are included in 800–171. Many of those 20 controls are complementary in nature to 800–171 and you may already have implemented them, at least to some level.
For SP-800–171 compliant organizations, the most direct route to CMMC compliance/certification would be to have an internal or external resource perform a “Gap Assessment” against all 130 controls to ensure that the 110 you have previously implemented are operating as intended and consistent with the CMMC audit requirements. A Gap Assessment will also determine the level of coverage you have on the 20 new controls and provide a roadmap to CMMC certification.
The benefit to performing the Gap Assessment internally is that it is ostensibly free.
The benefits to engaging an external resource for the effort include:
You get an independent/objective validation that you are where you need to be. (If an internal resource didn’t know enough to implement a control correctly, would they know enough to identify that?)
If you do not get formally CMMC certified this year, the external vendor can provide a Letter of Attestation you can use to demonstrate 800–171 (or CMMC) conformance to an agency or prime contractor (e.g., as evidence prior to you joining their pursuit team.)
It provides “Safe Harbor” in the event that you have a security incident that meaningfully exposes CUI or are subject to a complaint. The DoD has filed multiple False Claims Acts against suppliers who “misrepresented … to the government the extent to which it had equipment required by the regulations and instituted required security controls…” (e.g., United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., №2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019). They were breached.)
Are you about 80% of the way to NIST SP-800–171 compliance?
For organizations that are “close” to 800–171 compliance, the Gap Assessment route above should still work, assuming you have done a formal Risk Assessment in a manner consistent with NIST SP 800–30 (or another good risk methodology like ISO 27005) and you have developed a System Security Plan.
Are you far from NIST SP-800–171 compliance?
For those whose “gap” is large, the Gap Assessment route above is not a good starting point. Your project needs to follow a logical, structured approach to ensure that you get to where you need to be when you need to be there. It’s critical to understand your CUI scope, determine if it can be reduced, and conduct your Risk Assessment to contextualize the Gap Assessment. Otherwise you might get to the top of the ladder and you realize it’s against the wrong wall.