CMMC Audits: Preparation, Remediation, Successes and Failures

Understanding CMMC

Understanding what type of sensitive information your organization has today or wants to have in the future guides you to the CMMC maturity level that you should be seeking. 

Let’s start with COTS providers. If your product isn’t modified from a commercially available version, you may not need CMMC certification.

However, COTS vendors or any other contractor who receives FCI will need a Maturity Level 1 certification. Contractors receiving CUI or hoping to bid on future contracts involving CUI will need a Maturity Level 3 certification.

Once you understand the nature of the sensitive information you need to safeguard and the Maturity Level you should seek, you’re still not done.

Let’s talk through how to prepare your organization seeking certification (OSC) for CMMC.

First, the term “Maturity Model” should give you a heads up that CMMC is more than just a “check the box” type of compliance audit. The assessment involves determining not only that you’re doing a required practice, but that it’s done consistently and that it’s a part of your culture.

In other words, assessors will want to see that you’ve accomplished requirements six months or more in advance.

Second, scoping is an important consideration to address early in the preparation process. This term refers to the people, processes and technologies that have logical access to do any of the following:

  • Store sensitive data

  • Transmit sensitive data

  • House sensitive data

The scope includes all the equipment on the network where sensitive data exists. It also includes the location of any physical information. Physical information includes hard copies of CUI documents and relevant wireless access points.

For small businesses, this means that their entire network may be in scope if they haven’t separated their networks into logical or physical enclaves. This logical or physical separation can help limit the scope of the corresponding assessment. This happens by limiting the information systems that have logical access to store, transmit, or otherwise house sensitive data.

Limiting logical access happens by using different…

  • Virtual local area networks (VLANs)

  • FedRAMP moderate cloud service providers (CSPs)

Those systems allow for establishing proper employee access control. In other words, the VLAN or the CSP can manage the access of those employees who need access to sensitive data.

As organizations methodically go through the practice requirements and build their library of objective evidence (OE), it’s important to keep track of...

  • Institutionalized policy dates

  • Updates to policies

  • Future update requirements

Assessors want to see that organizations have adopted required practices and policies for a sufficient period of time. Although the wording is vague, ultimately they want the requirements to become a part of the organization’s culture, and most assessors note that the minimum time for that cultural shift to happen is around six months.

Whether you’re seeking certification at Maturity Level 1 (ML1) or Maturity Level 3 (ML3), the sufficiency requirements for each practice don’t change. Assessors evaluate two of the three types of objective evidence…

  • Documentation

  • Interviews

  • Testing 

Preparation should entail…

  • Storing OE such as documentation that demonstrates sufficiently implemented controls

  • Testing to demonstrate the controls

  • Performing mock interviews of key personnel assigned with responsibilities around enforcing controls

  • Role assignment for evidence upload and approval

  • Hiring an outside firm to be a second approval level to validate the OE and ensure that it’s sufficient to demonstrate that the practice or process is being performed correctly

This is really where the value in a tool like K2 Compliance comes into play. It helps organizations…

  • Track progress towards compiling evidence

  • Keep that evidence up to date

  • Enable multiple levels of approval to ensure the evidence is sufficient

When is it too late to remediate?

Many organizations will find that when they go to document practice steps that there’s room for improvement. It’s inevitable.

Previously, organizations could use a Plan of Action and Milestones (POAM) to identify deficiencies.

With CMMC, everything needs remediation before the assessment, and the remediation needs to be incorporated into a System Security Plan (SSP).

OSCs can make updates or remediate processes, but it’s important to carefully document those changes. Referring back to culture, keeping track of updates helps show the difference between adjustments to existing practices and brand-new additions.

Any updates should take place at least six months before scheduling certification assessments.

Now, let’s get into Registered Provider Organizations (RPOs) and Certified 3rd Party Assessor Organizations (C3PAOs). Both may provide a readiness assessment prior to an actual certification assessment.

However, it’s important to note the following: if your C3PAO provides remediation consulting advice, you can’t use them when trying to get certified.

Non-registered participants in the CMMC Ecosystem can also provide consulting services to OSCs. Here I’m mainly referring to MSPs. However, they may not have access to some of the training available to RPOs.

Once the certification assessment starts, remediation decisions fall to the C3PAO. At this point, the C3PAO must agree that the nature of the issues qualifies for remediation.

For example, if a staff member is unavailable due to personal reasons, they’ll likely miss their validation interview. If this happens, then the OSC would have 90 days to remedy the scenario.

If an OSC misses one or more policies at this point, it’s too late. At this point, any newly created policy can’t be a part of the organization’s culture. 

What does success look like?

Let’s start with successfully scheduling a certification assessment.

At the time of writing, there are only three C3PAOs in the CMMC Ecosystem.

Organizations that wish to become certified this early in the process need to work with the CMMC Accreditation Board (AB). They need to demonstrate to the CMMC-AB that they’re bidding on a contract that contains CMMC requirements.

The CMMC-AB will try to identify multiple C3PAOs available to perform the provisional assessment for the OSC. Ultimately, the OSC will contract directly with the C3PAO to perform the assessment.

This provisional assessment period focuses on meeting the DoD’s short-term needs prior to rulemaking.

Until the finalization of the DFARS rule change, the CMMC-AB won’t formally certify any assessment results. If CMMC changes during rulemaking, delta assessments may need to happen before the CMMC-AB can certify the assessment results; of course, this depends on the nature of the changes made.

Once more C3PAOs get certified, the OSCs will be able to communicate directly with C3PAOs to schedule their own assessments. The C3PAO then reviews pre-assessment readiness or other information the OSC deems relevant.

Once both parties agree on the scope, staffing, duration and price they’ll enter into a contract and the assessment begins.

At the beginning of the assessment, the team conducts an opening briefing to provide an overview of…

  • The certification

  • Assessment processes

  • The individuals on the team

All assessments must include an on-site component to validate some of the controls. This includes those in the physical protection domain. All interviews happen privately unless the lead assessor agrees otherwise. The assessment team can’t provide consulting advice or recommendations to the OSC during or after the assessment.

Once complete, the assessment team prepares the formal report and identifies unsatisfied controls. They’ll provide the OSC their recommended findings and a timeline of when the results will register with the CMMC-AB.

The OSC will have the opportunity to review the report and remediate any minor issues permitted by the lead assessor.

Once any remediation is complete, it's time to submit again. The lead assessor turns in the final report and their certification recommendation to the C3PAO.

In order to receive a passing grade for each practice, the OE must sufficiently demonstrate that the practice exists in the environment. A finding of non-applicable means that the OSC demonstrated to the assessment team’s satisfaction that the practice doesn’t apply in their environment.

The C3PAO performs a quality assurance review of the assessment report before submitting anything to the CMMC-AB. If the C3PAO recommends certification of the OSC, the CMMC-AB will perform its own independent Quality Assurance (QA) review of the assessment report.

If the review warrants certification, the CMMC-AB notifies the OSC. Upon payment of a corresponding fee, the CMMC-AB will issue a certification to the OSC.

What are my options if I fail the CMMC assessment?

When the assessment team reviews OE, they’ll report out one of three findings: pass, fail, or non-applicable.

A fail means that the OE didn’t provide sufficient details to demonstrate that the practice is properly implemented. Since IT constantly changes, evaluators may have different interpretations of what constitutes sufficient. The CMMC-AB created an adjudication process for disputes.

OSCs also have the opportunity to submit an adjudication request to the CMMC-AB if they believe the decision was due to…

  • Egregious errors

  • Misinterpretation

  • Malfeasance

  • Ethical lapses

The OSC must submit their request, along with a specific written description containing evidence and a list of the controls or practices in question, within 14 calendar days after the completion of the assessment.

Upon receipt of the request, a CMMC-AB certified quality auditor (CQA) will acknowledge receipt of the request. They’ll then perform a preliminary evaluation of the assessor and C3PAO’s…

  • Certification

  • Training

  • Quality

  • Status

  • Standing

  • Licensing

After evaluation, they look at the code of professional conduct and CMMC assessment methodologies.

Interviews with the certified assessor and OSC must happen as part of the preliminary evaluation.

If the CQA determines that certification should have happened, the CMMC-AB will issue revised results.

If the CQA agrees with the assessment results, the OSC receives the opportunity to either accept it or request a secondary evaluation. 

The secondary evaluation adheres to the assessment methodology and exists as a delta assessment. It also includes only the disputed practices or controls.

Adjudication assessments have a completion deadline of 90 days. 

During the second evaluation, the CQA plans and conducts an on-site delta assessment of controls and practices in question. Once completed, they submit the results and recommendations to the CMMC-AB.

CMMC-AB’s staff then evaluates the secondary evaluation and informs the OSC of the final result of the adjudication process.

Adjudication assessments that don’t result in the award of CMMC certification are final.

Certifications resulting from successful adjudication stay valid for three years.

What if my supply chain fails CMMC certification?

Prime contract holders are responsible for multiple CMMC avenues. They must achieve their own certification and confirm that their vendors are certified to receive any CUI and FCI they’re supposed to receive.

Contractors must include FAR 52.204-21 and DFARS 252.204-7012 in their subcontracts where the subcontractors will receive or create FCI or CUI.

Upon award of a CMMC contract, subcontractors that haven’t achieved Maturity Level 3 can’t receive CUI. Some prime contractors are now setting up access to CUI for their key subcontractors from within their own certified environments.

It’s important to note that in these cases, the CUI cannot leave the prime’s environment. Furthermore, the prime’s policies and procedures would need to exist in a way that takes into account all outsiders.

An alternative would be for prime contractors to mandate the use of a compliance tool like K2 Compliance down their supply chain. That way, the prime has visibility into their subcontractors’ compliance efforts.

That gives the prime ample time to either…

  • Consult the sub and keep them on track

  • Find a suitable replacement if it becomes evident that the sub isn’t going to be compliant by the time of contract award

Conclusion

Planning is everything when it comes to preparing for CMMC.

The size and complexity of networks and data determine the length of the planning and preparation processes.

A small manufacturing company seeking a Maturity Level 1 may only need a few days to gather OE and prepare for their assessment. However, a large aerospace company with a complex network and multiple contracts with CUI may take 12 to 18 months to prepare.

Contracting with a third party to assess OE through a gap analysis can help OSCs identify any practices or processes that need attention.

Any remediation updates should occur before the assessment so that the updates become institutionalized. Once you get to the certification assessment, it’s too late to add policies or remediate.

Success results in a certification issued by the CMMC-AB for a period of three years.

There’s an adjudication process for assessments and assessors.

There’s no policy preventing an OSC from seeking a second or third assessment after failing.