Getting Ready for CMMC: Steps One Should Take Prior to a CMMC Assessment

Cybersecurity Maturity Model Certification (CMMC) is a standard for significantly enhancing cybersecurity across the Defense Industrial Base (DIB). The CMMC process includes a security assessment conducted by Certified Third-Party Assessment Organizations (C3PAOs), of which Kratos was one of the first to be authorized. Once CMMC is implemented, satellite companies, along with every other company in the DIB, will need a CMMC certification to be eligible for U.S. Department of Defense (DoD) awards.

On a recent episode of the Constellations podcast titled Protecting Critical Information, Contracting with DoD and CMMC, Kratos Defense Director of Cybersecurity Services Justin Padilla discussed how satellite and space companies seeking to do business with the DoD will need to be CMMC accredited. In this follow-on interview, Kratos CMMC Practice Lead Cole French sits down with Constellations to expand on that conversation and discuss some of the key changes brought about by CMMC 2.0.

Constellations: Hi Cole, tell us a little bit about the work with CMMC at Kratos.

French: I manage our CMMC assessment and advisory services. That means we provide assessment services as a C3PAO and advisory services as a Registered Provider Organization (RPO). I support customers and our CMMC team in delivering CMMC service offerings, in addition to outreach efforts and intellectual capital development to bolster the services.

Constellations: On the Constellations podcast episode, Justin Padilla explained CMMC as a maturity model and a benchmark for cybersecurity practices and processes. Is there anything else you’d add to this definition?

French: I would agree with his definition and will add a little explanation. The practices and processes are indeed benchmarks – they define the baseline requirements for cybersecurity. The maturity aspect is a bit different from traditional, existing cybersecurity benchmarks. Most of those function as benchmarks only. CMMC requires that the meeting of benchmarks be demonstrated consistently over time. We all know that consistency is key with just about anything that we want to be successful at. Thus, introducing maturity is key to institutionalizing cybersecurity within DIB organizations.

Constellations: Have there been any updates on CMMC’s roll-out since the podcast?

French: Yes, there have. After the initial CMMC 1.0 framework and Interim Rule were released in 2020, the CMMC-AB began collecting industry feedback via DoD working groups and steering groups, which resulted in a revised framework, CMMC 2.0, that will be accompanied by supplementary rulemaking still to come. The revised framework will safeguard sensitive information and meet evolving threats while enhancing public trust in the DoD. CMMC 2.0 streamlines the level of effort necessary to meet compliance standards and minimizes the monetary cost of compliance for small and medium businesses.

CMMC 2.0 is composed of 3 levels, which is a reduction from the 5 levels of certification present in CMMC 1.0. CMMC 1.0's Levels 2 and 4 have been eliminated. Although the complex nature of CMMC 1.0 and the continuously evolving nature of CMMC have caused frustration in the DIB, the DoD considers CMMC 2.0 a positive step forward. The points below are a snapshot of what's new. The subsequent sections of this paper will go into more detail, but below are the key points.

Constellations: Does anything remain the same?

French: Yes, not everything has changed, and much of the progress C3PAOs and DIB members have taken will still apply and ease CMMC certification. For example, CMMC 2.0 still addresses FCI and CUI security concerns and divides levels based on what type of information an organization handles. Certified C3PAOs are still able to assess or offer advisory services. CMMC 2.0 does not alter the Level 1 controls. The difference is that CMMC 2.0 only requires a self-attestation for Level 1 certification.

Constellations: How does one know what certification level they will need?

French: CMMC level requirements will be established in the DoD solicitation itself and will be determined by the type and sensitivity of information that a prime or sub-contractor is privy to. All levels will be certified by a C3PAO who will conduct in-person assessments.

Constellations: What prompted the DoD to create CMMC?

French: The DoD is a target of cyberattacks due to its presence and the sensitive work that it performs, and it is targeted by several foreign governments daily. Furthermore, in recent years there has been a significant increase in phishing and ransomware attacks. While we rely on technical controls to combat most of these attacks, maturity is key in combating them completely. This is because a successful phishing or ransomware attack requires action by a user. In addition, the data quite simply revealed that the self-attestation model wasn't working. Prior to CMMC, members of the DIB, including those in the satellite industry, were only required to self-attest to implementation of cybersecurity. The self-attestation model is not sufficient to affirm maturity.

Constellations: Kratos was one of the first companies to be designated as a CMMC C3PAO. As someone who worked on this, what makes companies eligible for this certification?

French: First and foremost, if you are providing services to the DIB, there are some basic requirements that have to be met. An ISO 17020 certification is required, and the C3PAO has to be certified at the same level you are assessing the customer. So, to provide a Level 3 certification, the C3PAO must also be Level 3 certified. Additionally, a C3PAO must be a fully U.S.-owned company.

Constellations: What happens if a company fails the assessment?

French: CMMC doesn't allow any failed security practices in an assessment. If one fails, the entire assessment fails. However, if the number of failures is 10% or less of the total number of security practices evaluated, the company has an opportunity to come back. They have 90 days to remediate those findings, or really about 75 days to remediate those findings and then about a 15-day period to reassess whatever remediation they implemented.

Constellations: What are some of the key considerations a company should be mindful of prior to beginning the CMMC process?

French: Well, any organization responding to a DoD RFP, such as a satellite prime, knows they will need CMMC certification, but they first need to determine "scope." This is where you determine if a CMMC certification is required for the entire organization or a subset. If seeking a certification for the entire organization, the scope, cost and level of effort can be significant. And, of course, the satellite supplier, in this case, needs to have some level of assurance that they are meeting and addressing all of the CMMC security practices. This is where a readiness assessment can help identify gaps so that they can be closed before the assessment.

Constellations: Can you tell us more about readiness assessments?

French: The key component of a readiness assessment is a gap analysis, which provides a view of your organization or environment against each of the defined CMMC level requirements within the defined CMMC boundary. The gap assessment should include a review and analysis of all applicable security practices and process maturity controls to determine compliance, identify gaps, and develop strategies and plans for any required remediation.

Constellations: What should companies do to prepare themselves so that when CMMC assessments begin they can feel confident that they will pass?

French: We have found that the following operational challenges are the most difficult, time-consuming, or cost-concerning requirements, but addressing them will greatly facilitate the assessment process. If not already implemented, these will require the longest lead time and/or changes to the organization's security culture.

Constellations: And they are?

French: First is vulnerability management: prior to assessment, vulnerability scans should be conducted on all operating systems, databases and applications, and remediation plans, if required, should be established. If companies don't already have multi-factor authentication for all privileged and non-privileged access to the environment, accompanied by regularly scheduled reviews of access privileges, they need to implement it. Encryption is another key consideration. The satellite engineers may not be familiar with these cryptographic modules, but the security team will be. Also, make sure defined content is sent to a centralized repository and configure automated alerts for specified failures and indicators of compromise. CUI marking and handling is another important pre-assessment consideration. Establish guidelines and procedures to ensure that CUI is marked and handled in accordance with CMMC and contractual requirements. Lastly, establish and enforce either access allow or access block lists to prevent the use of unauthorized software.

Constellations: Thank you Cole, for providing our readers with some insights to CMMC and how to prepare for it. Is there anything you want to add?

French: Yes, actually, we have published a guide to CMMC 2.0 that covers major changes and anticipated CMMC 2.0 clarification.