5 C3PAO Red Flags

By Sese Bennett

November 14, 2022

In this blog, we discuss 5 C3PAO Red Flags that you should look for when interviewing a prospective C3PAO to perform your CMMC assessment.

Choosing the right Certified Third-Party Assessment Organization (C3PAO) for your CMMC assessment will take effort and time. This will be time and effort well spent if you find the right match and avoid companies that don’t have your best interest in mind.

The Good, The Bad, and The Ugly C3PAO?

As the cybersecurity world gears up for CMMC, I was reminded not too long ago by a client that not all companies are the same. This includes how they approach CMMC assessments and what “style” of C3PAO works best for them. While it is true that most companies will perform the assessment correctly, the way they assess can feel like anything from a walk in the park to a root canal. Yes, compatibility of the two companies can make a huge difference. Although a company may have stellar recommendations, their approach and personalities may clash with the established culture of your organization.

But what about the bad eggs? As with any project or initiative your organization takes on, diligence is required when selecting a compatible C3PAO. Differences of opinion on implementation and requirements are common and normally not a showstopper. However, poor business ethics and ineptness are signals of future problems that could become major issues if you are not careful.

So how do you identify these bad eggs before they impact the success of your assessment? Awareness is key. Identifying these 5 C3PAO red flags will help you avoid C3PAOs (or any other organization, for that matter) whose actions put the success of your CMMC certification efforts at risk.

5 C3PAO RED FLAGS

The missing puzzle piece means they are not complete and not a C3PAO.

Red Flag #1 Almost Certified

In the world of CMMC C3PAOs there is authorized and not authorized. C3PAOs that have not officially completed the Cyber-AB authorization process cannot solicit business as authorized C3PAOs. “As good as authorized” or “Almost Authorized” only means one thing – Not Authorized! There are many things that could happen to delay or even prevent them from becoming authorized. If you make a “gentleman’s agreement” based on the expectation that they will someday be authorized, this could leave you high and dry and place you at the back of the assessment queue.

Hiring a C3PAO with no Action plan feels like being lost in a maze.

Red Flag #2 No Action Plan

If your interview with a potential C3PAO leaves you with more questions than answers, that C3PAO may not have an adequate plan to execute your assessment. Coming up with a plan on the spot is not reassuring and could delay your assessment. Experienced C3PAOs should be confident in what needs to be done. Although we are still in the early stages of rolling out CMMC, most experienced C3PAOs have already allocated resources and created plans for executing successful CMMC assessments. You should leave any preliminary C3PAO discussion feeling confident that they can handle the assessment and are the right fit for your organization.

Some CMMC questions are more important than others.

Red Flag #3 Not Asking the Right Questions

An interview with a C3PAO should be filled with questions from both sides of the table. The C3PAO most certainly should be asking questions about the size and scope of the assessment. They should be asking about your System Security Plan and the maturity of your documentation process. How can anyone give a fair proposal without knowing how much work is involved? If they are underbidding, they may become frustrated, and the quality and integrity of the assessment could suffer. If they are overbidding, you are eating the cost of their poor calculations. Neither of these possibilities is a win for your organization.

Having a C3PAO you can trust is key to a successful CMMC assessment.

Red Flag #4 Promises, Promises, Promises

C3PAOs should always be realistic about what they can deliver. Statements that over-promise and under-deliver will cause friction and frustration during an assessment. Promises such as “We will have you done in 10 days” or “We guarantee that you will be at the front of the early assessment queue” sound great but are empty, because C3PAOs can’t guarantee what they don’t control, such as how long an assessment takes or the order in which the Department of Defense selects applicant organizations to be assessed.

Capable C3PAOs present realistic, documented expectations up front so that everyone is aware of engagement deliverables, activities, and timelines. If you start to hear promises that sound too good to be true, ask your C3PAO to back them up with facts and document them in your contract. If they cannot (or will not), run for the door!

Having little or no experience equates to more mistakes with your CMMC assessment.

Red Flag #5 Little or No Cybersecurity Assessment Experience

When hiring a C3PAO, it can be hard to gauge experience since CMMC 2.0 is relatively new for C3PAOs performing assessments. However, CMMC 2.0 is based on NIST SP 800-171, which translates directly to the CMMC practices. This knowledge can come in handy when assessing the experience level of a potential C3PAO partner.

Basic questions you can ask to gauge the level of experience include:

  • What type of assessments have they done in the past?
  • Do these assessments include NIST-based assessments such as 800-171, 800-53, FISMA, or similar?
  • What size organizations have they worked with in the past?
  • How many years have they been in the cybersecurity assessment field?

The last question is a very important one. Managing cybersecurity and assessing cybersecurity are two very different skill sets. Just because an organization is experienced in supporting cybersecurity does not mean they know how to assess cybersecurity. Experience in assessment work is invaluable when it comes to CMMC assessments because it gives the experienced assessor the advantage of knowing what to look for and what to ask.

Summary

As a certified C3PAO, Provincia Government Solutions prides itself on the straightforward, honest approach we take towards each and every client. We welcome vetting questions and want you to feel confident in selecting us to participate in your CMMC journey. Feel free to reach out to us and ask any questions that will help you make the best decision.

In our next article, we will address POAMs and the role they play in the CMMC ecosystem. Be sure to subscribe to this blog so you do not miss out on any of the great articles coming up!

Upcoming Blog

We will discuss the significance of POAMs in the next article. That article will help you navigate this precarious aspect of CMMC.

Be sure to subscribe to our blog and check out our podcast for more in depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

ABOUT US

Provincia Government Solutions is an SBA certified Small Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO). We were the first organization to become a C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!

Taking the Pain Out of Audit Readiness

By Sese Bennett

October 20, 2022

Preparing for audits is no small task. Whether it is a single small audit or multiple enterprise audits, it’s a grueling process. It can sap the strength out of any organization and lead to poor audit performance.

So, how do you prepare for an audit? Most organizations choose to pull resources from their existing job responsibilities or assign the audit to a project manager. As you can imagine, both of these approaches come with a level of impact that can tax your resources. So, let’s rephrase the question – How do you prepare for an audit in a way that benefits your organization?

The article below will discuss how to remove the pain from the audit preparedness process so that you can realize the benefits of a no-nonsense approach.

Audit Readiness - What is required?

Preparing for an audit involves several steps including reviewing your existing control status, scheduling resources, and collecting artifacts to satisfy evidence requests. How do you accomplish this while ensuring that you are adequately prepared to respond to the audit?

Re-assign Resources Approach

As mentioned previously, one approach is to re-assign existing resources to assist with the audit. While this approach can be successful, what impact will it have on your organization? Pulling resources from their daily job responsibilities can increase stress in the environment and lead to low-quality responses for your audit requests. Here are a few pros & cons for this approach.

Pros:

  • Internal resources may be more familiar with the environment
  • No need to bring in additional personnel
  • A single point of contact for interviews, artifacts and follow-up (audit response)

Cons:

  • Audit resources are split between the audit and other responsibilities
  • Additional tasks can stress resources, leading to poor audit response
  • If internal resources are siloed, they may not be familiar with the overall audit process
  • Remediation efforts may conflict with assigned operational tasks

Project Management Approach

Another approach is to assign a project manager to head up your audit preparedness efforts. This approach is often successful in managing the timeline of the audit but may cause confusion due to a lack of familiarity with the technical aspects of audit requirements. One of the most prevalent evidence collection issues is that the evidence provided does not always match the evidence requested. This too can lead to frustration on the part of the audit team and the client, causing delays and low-quality responses to audit requests. Here are a few additional pros & cons for this approach.

Pros:

  • Project managers are excellent at keeping projects performing and on schedule

Cons:

  • Project Managers may not be familiar with the technical aspects of the environment
  • Project Managers may not be technically savvy enough to interpret evidence requests properly
  • Project Managers may not have the knowledge to validate evidence/artifacts properly
  • Evidence collection and management may not be a high priority for the overall project

Taking the Pain Out of Audit Readiness

Provincia Government Solutions takes the pain out of audit preparation by providing the best of both approaches. We provide you with a highly experienced audit coordinator that is focused on assisting your team with:

  • Interpreting audit requests
  • Reviewing evidence artifacts for accuracy and applicability
  • Scheduling appropriate resources for interviews and demonstrations
  • Developing and documenting a repeatable readiness process
  • Interfacing with your organization’s technical and project management resources
  • Flexibility – readiness assistance on demand or as a continuous contractor member of your team

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can help you tackle the headache of audit readiness and put you on the path to success!

Until then, be safe and stay secure!


So, You Need To Be CMMC Certified?

By Sese Bennett

November 14th, 2019

So, you need to be CMMC certified? If you’re like most small to mid-sized companies, you’re asking yourself – “What do I need to do to meet the CMMC requirements?” That is the million-dollar question.

Logically speaking, to pass an assessment, you need to know and understand what you’re being assessed on, and what is considered a “passing” grade. We hope this blog will assist in that understanding.

If you do not have any idea of what CMMC is, I encourage you to review our previous two blogs on the subject for a basic breakdown of the program. Since the articles were written, the CMMC program has matured a bit, but it should still give you the background you need to get up to speed.

So, let’s jump right in!

CMMC Levels

The first thing that should be on your radar is to determine what Cybersecurity Maturity Model Certification (“CMMC”) maturity level you are seeking as an organization. If you are storing, processing, or transmitting only Federal Contract Information (“FCI”), then you are likely only seeking CMMC Maturity Level 1 (“ML-1”) certification. If you are storing, processing, or transmitting anything else, then you are most likely seeking Maturity Level 3 (“ML-3”) or above. This is an overly simplified description of the maturity level designations, but hopefully it’s enough to get you going in the right direction.

Now for the good news! If you’re seeking ML-1, consider it the EZ button of the certification levels. ML-1 certification requires that your organization demonstrate compliance with seventeen (17) CMMC controls and meet a set of basic cyber hygiene requirements. These requirements are focused on validating what you are doing at the time of the assessment. Another way of putting it is that ML-1 is focused on performing the practice versus documenting the practice.

This means that, technically, your organization will not fail an ML-1 assessment because a practice is not documented. But in reality, you will need to have some sort of documentation available to show that your organization is performing the practice. Consequently, it may be acceptable to provide informal or less detailed documentation to the CMMC assessor when reviewing ML-1 controls.

While we are on the subject of passing or failing, let’s talk about what that means with regard to CMMC. It should be noted that the CMMC certification is an all-pass or all-fail assessment. This means that you must pass all of the required practices for ML-1 in order to qualify for the certification.

Now, let’s do a quick breakdown of what those seventeen (17) ML-1 controls are looking for:

Access Control

The first four (4) practices are based on the Access Control (“AC”) practice family. These practices are designed to ensure that your organization properly limits access to authorized personnel, employs the principle of least privilege by only giving the level of access that fits the user’s job role or responsibility, controls connections to external systems, and controls what is posted to publicly accessible systems such as websites on the internet. (AC.1.001, AC.1.002, AC.1.003, AC.1.004)

Identification and Authentication

The next two (2) practices are based on the Identification and Authentication (“IA”) practice family. These two practices focus on identifying your users and services acting on their behalf to include things like service accounts or other accounts that may be device based. Additionally, this practice area examines how you authenticate (or verify) the identity of users, processes, and devices prior to allowing access to your systems. (IA.1.076, IA.1.077)

Media Protection

The Media Protection (“MP”) practice family contains only one (1) practice to consider for ML-1. The practice focuses on how you sanitize or destroy media containing Federal Contract Information (“FCI”) before disposal, release or reuse. (MP.1.118)

Physical Protection

The next four (4) practices fall under the Physical Protection (“PE”) practice family. These practices focus on limiting physical access to your systems, equipment and their respective operating environments to authorized individuals. This practice family also includes how visitors are handled when they visit your facilities, how audit logs are maintained, and how physical access devices like badges, access cards, etc. are controlled and managed. (PE.1.131, PE.1.132, PE.1.133, PE.1.134)

System and Communications Protection

The System and Communications Protection (“SC”) practice family contains two (2) practices that you need to consider. The first one focuses on monitoring, controlling, and protecting communications transmitted or received by your systems at your key internal and external boundaries. The second practice examines how you are physically or logically separating your internal network from publicly accessible systems. (SC.1.175, SC.1.176)

System and Information Integrity

That brings us to the last practice family for those organizations considering ML-1 CMMC certification. System and Information Integrity (“SI”) contains four (4) practices that focus on identifying and correcting system flaws (patching) in a timely manner. Malicious code protection, and the mechanisms that provide it, are also examined as part of this practice family. Finally, periodic and real-time scanning is examined as part of reviewing files from external sources as they are downloaded, opened, or executed. (SI.1.210, SI.1.211, SI.1.212, SI.1.213)

Next Steps

Now that you’re a CMMC ML-1 expert, are you ready to get started on your CMMC journey? We certainly hope so. If you need assistance getting prepared, feel free to reach out to our team. We can help you prepare by conducting a readiness review to make sure you are on the path to success!

Be on the lookout for our next article in this series where we discuss the CMMC Maturity Level 2 (ML-2) designation, how it differs from ML-1, and how it fits into the overall CMMC ecosystem.  

Until then, be safe and stay secure!


CMMC Gears Up For Launch – Are You Ready?

By Sese Bennett

June 3rd, 2020

If you’ve been following our resources page, you’ll know that a few months before the Cybersecurity Maturity Model Certification (CMMC) was officially released by the Department of Defense (DoD) we released a guide to everything you need to know about the CMMC.

The DoD has since published updated guidance with regard to the CMMC program, which will affect every DoD contractor along the supply chain and will include any DoD contractor that is handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

As such, the pressure is on for contractors to fully understand the new CMMC guidelines and be prepared to comply with them. We’re providing insight into the CMMC to help contractors understand the updated regulations and prepare for the new certifications.

A Quick Review of the CMMC

The updated CMMC version 1.02 was released by the DoD on March 18, 2020. The CMMC has replaced the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment model which was in place for contractors of the DoD previously.

This new certification requires third-party evaluation in order to determine whether a contractor is secure enough to work with the DoD, whereas previously this was up to the contractor. In the past, contractors were responsible for certifying the security of their own information technology systems; however, this was deemed unacceptable by the DoD.

To stop vulnerabilities and protect the FCI/CUI that contractors may be handling in their work, the DoD has chosen to involve a third party in the certification of contractors.

To make things clear, the DoD has introduced a unified cybersecurity standard for DOD acquisitions which boosts the cybersecurity posture of the Defense Industrial Base (DIB). The certification focuses on various cybersecurity standards and best practices that range from basic cyber hygiene (Level 1) to the more advanced cybersecurity controls (Levels 4 and 5).

To gain a CMMC certification, a contractor needs to understand the associated practices that when implemented, will reduce risk against a specific set of cyber threats. Certified independent 3rd party organizations will conduct audits and inform risk, depending on the kinds of data a contractor is handling.

The New CMMC Framework

In our previous post, we ran through what the CMMC was expected to cover. In this article, we will give you a run-down of what the CMMC framework actually includes. For more details, you can find the DoD’s CMMC Overview Briefing Document here; however, the key points to know are below.

Key Facts About CMMC

  • The CMMC Model v1.2 framework organizes processes and cybersecurity best practices into a set of 17 capability domains. Across these domains there are 5 processes spanning four levels to measure process maturity, 13 capabilities, and 171 practices that span the 5 levels. These practices are used to measure technical capabilities.
  • Contractors are expected to work to meet basic cyber hygiene in the following 17 capability domains:
    • Access Control (AC)
    • Asset Management (AM)
    • Awareness and Training (AT)
    • Audit and Accountability (AU)
    • Configuration Management (CM)
    • Identification and Authentication (IA)
    • Incident Response (IR)
    • Maintenance (MA)
    • Media Protection (MP)
    • Physical Protection (PE)
    • Recovery (RE)
    • Risk Management (RM)
    • Personnel Security (PS)
    • Security Assessment (CA)
    • Situational Awareness (SA)
    • System and Communications Protection (SC)
    • System and Information Integrity (SI)
  • CMMC levels and the associated practices and processes are cumulative. In order for an organization to meet the next level they must demonstrate achievement of the preceding lower levels.

This is how each level maps onto previous certifications:

The CMMC Framework

Since the five levels of the CMMC are so important, we thought it worthwhile to review them briefly. The five certification levels are:

Level One - Performance

This level includes the 17 basic cyber hygiene practices that protect Federal Contract Information (FCI). This kind of information is of a private nature and might include data that a contractor is using on a job but is not intended for public release.

The reason that the contractor will have this information will be to complete a project or job, and therefore basic cyber hygiene must be carried out to ensure that it is never released to the public.

The practices and processes associated with this level are basic and include things like having an incident response plan, using antivirus software and teaching employees about the benefits of password security.

Level Two - Document

To reach the next level of cybersecurity hygiene a company needs to have intermediate cyber hygiene in place. These practices begin to protect any Controlled Unclassified Information that might be used by a contractor to complete a project.

This level maps onto a subset of 48 practices from the NIST SP 800-171 which safeguards sensitive CUI, plus 7 additional practices that are added to document and protect the use of sensitive data that is not intended for public use.

Level Three - Manage

The next level of the CMMC framework includes the management of CUI and includes the addition of all practices from the NIST SP 800-171 plus 20 practices to support good cyber hygiene.

The goal of this level is to get businesses to provide an institutionalized management plan to ensure that good cyber hygiene is practiced throughout the company.

Level Four - Review

The next level up requires a company to have a review process in place and have implemented processes for reviewing the cybersecurity practices that their company has committed to.

It is essential that contractors reflect on how effective their security measures have been, in order to flag any issues. Once the security practices are well established, and good cyber hygiene has been achieved, the next step is to detect any changes that need to be made.

This level includes the addition of 11 practices from the NIST SP 800-171B, as well as all of the practices from the NIST SP 800-171, which ensures that an APT (Advanced Persistent Threat) plan is in place to detect and respond to threats.

Level Five - Optimize

Level Five includes 4 more practices from the NIST SP 800-171B, which leans towards optimization of the cybersecurity protocols that a company has in place. To complete Level Five, a contractor must have a standardized and optimized process in place to protect the whole business from threats and vulnerabilities.

Level Five means having an agile and sophisticated cybersecurity strategy in place, with additional practices that allow you to detect and respond to threats and manage change.

As you can see, the CMMC Framework builds on a variety of cybersecurity standards and offers a unified cybersecurity standard for DOD acquisitions. The standard combines various cybersecurity standards and best practices, which are mapped across several maturity levels.

When Will CMMC Compliance Be Necessary?

Minimum certification requirements are likely to be in place by June 2020, with compliance becoming necessary between June and September 2020. The DoD has suggested that people need not panic about CMMC compliance, but that making steps towards compliance is necessary by June 2020. Certification preparation needs to start now for all businesses that are competing for DoD contracts.

Different contracts will require different levels of compliance, however every contractor working with the DoD will need at least Level One. At present there is no set date for when compliance will be necessary – we are still in the transitional period. To learn more about the CMMC changes and their implications for your business, you can visit the official CMMC FAQs page.


Everything You Need to Know About the CMMC

By Sese Bennett

November 14th, 2019

The Cybersecurity Maturity Model Certification (CMMC) is the latest development in DoD cybersecurity requirements for contractors, recently announced by the Department of Defense (DoD). The CMMC will affect every DoD contractor along the supply chain and will include any DoD contractor regardless of the type of information handled. As such, the pressure is on for contractors to fully understand the new CMMC guidelines and be prepared to comply with them.

We’re providing insight into the CMMC to help contractors understand the new regulations and prepare for the new certifications.

What is the CMMC?

The CMMC refers to the Cybersecurity Maturity Model Certification that will replace the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment model currently in place for contractors of the DoD. This new certification will require third party evaluation in order to determine whether a contractor is secure enough to work with the DoD. The CMMC aims to ensure that all contractors dealing with the DoD are able to protect the Controlled Unclassified Information (CUI) that they may be handling in their work.

The CMMC will be a unified cybersecurity standard for DoD acquisitions that will boost the cybersecurity posture of the Defense Industrial Base (DIB). The certification focuses on various cybersecurity standards and best practices that range from basic cyber hygiene to more advanced cybersecurity controls.

To gain a CMMC certification, a contractor will need to understand the associated practices that, when implemented, will reduce risk against a specific set of cyber threats. The CMMC is intended to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. Certified independent third-party organizations will conduct audits and report on risk, depending on the kinds of data a contractor is handling.

Most of the information that has been released on the CMMC is provisional and has been released by The Office of the Under Secretary of Defense for Acquisition and Sustainment. They are set to release a final version (Rev 1.0) in January 2020 with another version that includes Requests for Proposals in June 2020.

The levels of the CMMC have been outlined as:

Why CMMC Now?

In recent years the DoD has experienced a high-profile set of data breaches that have put sensitive information at risk. As such, the DoD has been forced to take a look at the security controls surrounding every contractor who works with it. At the time of these breaches, the DoD was reliant on NIST SP 800-171 as its guideline.

As the compromise of sensitive data has occurred in the contractor supply chain, the DoD has tightened controls on CUI in this area. The DoD understands that the leakage of this Controlled Unclassified Information could have catastrophic results, and therefore it is putting security at the top of its priority list. While traditional procurement models will stay in place, security will be seriously considered alongside cost, delivery timeline and quality of output in order to protect the DoD from further security breaches.

CMMC Building Blocks

The CMMC will be a unified cybersecurity standard for DoD acquisitions. The standard combines various cybersecurity standards and best practices, which are mapped across several maturity levels.

The CMMC builds on a variety of security standards and best practices including but not limited to:

Who Does it Apply to?

Any contractor doing business with the DoD will need to comply with these standards, including subcontractors. The focus of the CMMC is on supply chain integrity; therefore, all suppliers involved in work with the DoD will need to complete the required level of certification. This will go beyond the first tier of supply chain subcontractors to completely open up the supply chain and ensure that anyone working with sensitive data is certified.

The CMMC was created with this in mind; therefore, efforts are being made to ensure smaller companies and subcontractors will still be able to comply. The required degree of compliance depends on the amount of DoD CUI the company handles, not on its size. While this may benefit bigger companies that deal with the same level of CUI as smaller contractors, the DoD is committed to ensuring that small businesses have an equal opportunity to comply.

Prepare Now for the CMMC

Since the CMMC builds on many previous cybersecurity requirements and guidelines, it will benefit contractors to brush up on their knowledge of past security guidelines. This is especially true of NIST SP 800-171, since the DoD is building on it heavily to create the CMMC. Although nothing has been confirmed where the maturity levels are concerned, it is thought that understanding and implementing NIST SP 800-171 will help contractors prepare for the CMMC. Furthermore, it will benefit contractors to meet the existing requirements of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 concerning safeguarding information and reporting incidents.

Advance preparation now is essential for successfully navigating the new CMMC program. Performing targeted risk assessments on programs and systems that handle CUI will enable you to identify possible problem areas where security can be improved. Remember, the required degree of compliance depends on the amount of DoD CUI the company handles, not on its size. Proper documentation and implementation of key security programs such as access control, change management, and incident response should detail how you handle CUI and what you would do in the event of a cybersecurity incident involving DoD CUI. These steps will enable a smooth transition to the CMMC.
