CMMC (Cybersecurity Maturity Model Certification) is quickly becoming more and more of a priority for over 300,000 businesses across the country.
As the impending certification standards creep closer and closer, we interviewed Cential CEO David Ponder for his insights on the CMMC process and why DoD contractors need to focus on CMMC in 2021.
CMMC—why is it important? Why is it important right now for these organizations to be thinking about?
Ponder: It’s important right now, because starting this year, in 2021, and between now, 2021, and 2025, new requests for proposals from the Department of Defense are gradually going to begin requiring CMMC certification.
So that means that any DoD contractors that want to bid on those will have to have that level of CMMC certification in order to even be qualified to bid on those. And so obviously, that’s very important for anyone who contracts with DoD because they need to qualify for the work before they can even bid on it. Getting ready for that is a process in itself, because likely you won’t go from where you are today to CMMC ML3 (Maturity Level 3) certified. There’s a process to get there.
Can you expand on how becoming CMMC certified is not as simple as just submitting a form? What is this process like, why is it so extensive, and how should these contractors that need to become CMMC certified start the process?
Ponder: A majority of the requirements are going to land on the Maturity Level 1 or Maturity Level 3. Now, if you’re an organization that is only involved in work for Maturity Level 1, then that will be a much lower bar that you have to meet. But it’s still a bar nonetheless, especially if you’ve done no compliance work or security work internally for your organization in the past.
Maturity Level 1 focuses on FCI, which is contract information, and it has 17 practices that are in its scope. If you think of a practice like a control, it is a process that is in place to lower the risk. For ML1, you’re going to have to have 17 of those practices in place. And then you’ll have to apply for a certification, and we’ll go through that process later. For ML3, the bar is a lot higher. (There is also ML2, which is seen as kind of a stepping stone to ML3.) With ML3, there are 130 practices that are required across 17 domains, and those domains are things like asset management, and access control, and so forth.
In addition to those 130 practices needing to be in place, there are two other additional layers that the CMMC refers to as processes. This means that there must be appropriate documentation in place that covers those practices, including a System Security Plan, which is an overarching plan that includes your policies for your organization. Those need to encompass all the 130 practices as well, and you also need to be performing self-assessments. So you need to actually be performing risk management and risk assessment and testing that those practices are in place and operating effectively for your organization. So ML3 is a journey to get to, no doubt.
How long is this process from the beginning, when you’re just learning about CMMC and have no idea where to start, to becoming Level 3 certified?
Ponder: It depends on the will and the number of resources that your organization is willing to allocate; it’s just like anything: you’ve got time, you’ve got resources, and you’ve got the number of features that you need to meet. In this instance, it’s 130 practices—that leg of the triangle is not willing to bend.
But how many resources you allocate will determine the timeline. I would think that if I were going from zero to trying to get ML3 certified, I would need to allocate at least a year to the process and allocate some significant resources as well.
That’s quite a long process, especially since some of these organizations are already needing to be certified pretty soon. For those companies that need to be certified very soon, where is the first place they should start to become CMMC certified?
Ponder: I think there are two big things that they need to do. So they need to set a “point person” who’s going to be in charge of it for the organization, and who starts to learn about what those requirements are. They should also do a current state assessment of where they stand today against what those requirements are, because you need to understand where those gaps are.
There may also be the question of whether the person that they make the point person is qualified to run a team and perform a full self-assessment. In those instances, I would recommend getting help from professionals who have worked with security frameworks in cybersecurity, understand the ins and outs of CMMC, and have the appropriate CMMC training and certifications to help them do so. It will be critical that they really understand the state that their organization is in, and what the gaps are between where they are today and where they need to be for ML3, because that’s then where you’re going to focus all your time, attention and resources.
Cential already has two team members that early on became two of the first people to be CMMC certified provisional assessors, and then a little bit later, you had the experience of actually going through that CMMC education and training yourself. What are your top takeaways from personally going through the training experience yourself?
Ponder: Yes, three of us did go through. At the time that we finished, there were only around 200 certified provisional assessors worldwide, and I don’t think that they’ve made any more since then.
One of the things that I took away was that this is a heavy lift, not just for the organizations seeking certification who need to become CMMC certified, but it’s a heavy lift for the DoD. It’s also a heavy lift for the CMMC Accreditation Board, which has been charged with overseeing this program and making sure that there are enough trained professionals with the certifications to perform the RPO (Registered Practitioner Organization) work, which helps organizations get ready for the certification, and making sure that there are appropriate training providers in place.
There’s a lot of work that has needed to go into place and they’ve been working very hard to roll out this entire program. Like anything that is this big of an effort, there have been delays and dates that have been pushed back. But we’ve seen, for the most part, what they’ve said they were going to roll out has rolled out. And so I would fully anticipate that the contract requirements are going to start hitting later in 2021 and then CMMC will move forward.
It’s great to hear about your experience of becoming a provisional assessor. I’m sure that gave you a different perspective on the process than you had to begin with.
Ponder: Yes, absolutely. It’s not only a heavy lift for a DoD organization seeking certification and the CMMC-AB, but also for an organization like Cential; it’s a heavy lift to try to get ready to be able to provide the advice and certification work. So in addition to having to go through and get our several professionals certified, we have had to put in place a lot of the CMMC requirements, because we too, as an organization, have to be CMMC ML3 certified in order to become a C3PAO (Certified 3rd Party Assessment Organization), which is the designation that allows Cential to perform the certification work. And so it’s a heavy lift for us as well, because each one of those 130 practices and the System Security Plan and the policies, all of that has to be in place for an organization like us as well.
So I would say it’s been a journey on our side, as well, and we’ve really, really committed to it because we understand the importance that CMMC plays to the cybersecurity community and those that serve the DoD.