Advanced Update on the Cybersecurity Maturity Model Certification (CMMC)
I know many of you have been following the roll-out of the CMMC rules and requirements, so I wanted to take a minute to update you on what we know. F1 recognized well over a year ago the impact that this new requirement would have on you, our customers, and we made a push to stay in the know. I have spent a lot of time and energy keeping up with the CMMC-AB (Accreditation Body) releases, and we have also maintained relationships with insiders who are close to the assessment and accreditation process itself. Let me state that no one is an expert on CMMC yet; at this point, we are all doing our best to go with the consensus of future expectations and plans. Here is a fact sheet on the current state of CMMC as it is known today.
Q. What is F1 doing to stay connected to CMMC?
A. Here is a synopsis of what we have been doing:
- Our heavy involvement in cybersecurity and government contracting worlds has allowed us to be a part of exclusive cybersecurity and CMMC communities and partnerships that keep us in the know.
- We have engaged a leading DoD industry expert with in-depth knowledge of CMMC practices, as well as FedRAMP, RMM, RMF, and the other subject areas needed to conduct a pre-gap assessment of F1 itself against the CMMC controls and assessment methodology.
- This process will give F1 a better understanding of how the first few groups of provisional assessors will interpret the controls, which will be a massive help during remediation. Based on it, we are developing pre-gap assessment models and questionnaires, standard corrective actions for common gaps, and updates to our written policies.
- F1 has negotiated with three third-party firms that we know and trust and that are in the process of obtaining C3PAO (CMMC Third-Party Assessment Organization) accreditation and individual staff credentials through the Certified Assessor (CA) process. Our goal is priority scheduling for the more than 40 of our clients who will need CMMC certification during the DoD roll-out. We want assessors who understand your use case and the F1 strategy for CMMC, so that assessor selection and scheduling is as simple as possible.
- F1 has received confirmation that it has been granted RPO status and will appear on the CMMC-AB website as a Registered Provider Organization. Selected members of our staff will sit for the Registered Practitioner (RP) certification exam as soon as training becomes available, further ensuring that F1 is aligned with the CMMC-AB accreditation process and can "speak the language" when assisting clients during their onsite assessment.
Q. Why can’t F1 do it all for us?
A. We can do most, but not all. As you know, CMMC requires a certain level of independence from its third-party assessors. As of now, if F1 has had a consulting relationship with a government contractor within recent history, then we cannot also assess that contractor as a third party. Since most of our clients benefit from an ongoing, consultative relationship with F1, becoming a "one-and-done" assessment firm is not aligned with our core focus. Our compliance clients count on F1 to coach and counsel them and, at times, to project manage and implement their compliance remediations. What F1 can do:
- F1 can perform a pre-gap analysis of your current security maturity against the existing CMMC model and practices. The results of this gap analysis will allow F1 to create a remediation plan.
- F1 will help implement remediation that addresses the missing controls identified in that plan.
- F1 can work with the assessor to tightly scope the assessment around your CUI data assets, so that systems which never store, process, or transmit CUI stay out of scope.
- F1 can put ongoing monitoring, phishing simulation, audit log management, and many other continuous security control processes in place for you.
- F1 can organize your third-party assessment with a trusted accredited partner.
- F1 can sit next to you during the assessment and locate evidence quickly to satisfy the assessor and move you toward a better outcome and score.
- After any certified third-party CMMC assessment, you will be given 90 days from the time of reporting to address any findings. During this critical phase, we will work with your team to remediate those findings and document their completion with the C3PAO.
Q. Has the timetable for the release of CMMC changed?
A. Yes. At this point, the best guidance tells us the following:
- The first pathfinder contract (a multiple-award IDIQ opportunity) containing CMMC requirements is public. GSA reportedly plans to award up to 45 contracts in each of ten pools, for a maximum of 450 contracts, each expected to include a 10-year ordering period. Doing this as an indefinite-delivery contract is a smart move, because it allows DoD to specify CMMC requirements on individual orders as it goes, while the number of accredited assessors increases in the coming months.
- Provisional assessments performed this year will not "count" as a permanent certification and will need to be revisited once C3PAOs are formally trained and listed in the CMMC-AB marketplace.
- Looking beyond the pathfinder efforts, it appears that CMMC assessments will not be available until December or January at best.
If you have any questions about CMMC, or would like to sit down with Jennifer to discuss your plan, please send your request to [email protected].