Blog
CMMC/NIST 800-171 Compliance Assessment with a C3PAO: What to Expect
Background on CMMC Compliance Assessment
In our recent webinar, we shared insights together with guest speakers from KLC Consulting, a certified CMMC 3rd Party Assessment Organization (C3PAO), about what to expect when going through a CMMC/NIST 800-171 compliance assessment and how to prepare for and pass it.
With cyber threats and data breaches growing in volume, sophistication, and impact, ensuring cybersecurity within the Defense Industrial Base (DIB) has become paramount. The Department of Defense (DoD) has worked diligently to upgrade cybersecurity protocols by introducing the Cybersecurity Maturity Model Certification (CMMC).
CMMC serves as a standardized set of security practices designed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Initially introduced as CMMC 1.0, it was revised to CMMC 2.0, streamlining the standard by focusing on the effective implementation of the 110 security controls defined in National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171).
Latest CMMC Timeline
Recent CMMC timeline updates include the DoD’s submission of the CMMC Rules to the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) on July 24, 2023. The OIRA review typically takes approximately 60 business days. Because we’ve passed that date there has clearly been an extension to this period, but the OIRA review will likely be complete before the end of the year. The Rules will next be published in the Federal Registry, either as a Notice of Proposed Rulemaking (NPRM) (which then enters a review/comment/update cycle that takes approximately 280 business days) or as an interim final rule that will significantly speed up the implementation timeline.
In the meantime, it’s important to check your contracts for the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:
- 252.204-7012
- 252.204-7019
- 252.204-7020
DFARS 7019 requires completion of a self-assessment and accurate reporting of your score on the DoD’s Supplier Performance Risk System (SPRS). If you’re not abiding by the regulation and/or reporting inaccurate scores, you subject yourself to adverse consequences, including being found in violation of the False Claims Act. You can read more about the False Claims Act and other implications of non-compliance with DFARS clauses here.
How a CMMC Mock Assessment Can Help
A mock assessment is an informal engagement to evaluate all of your NIST 800-171 practices as if it were a real CMMC third-party audit. The mock assessment includes detailed findings that describe weaknesses of your organization’s processes relative to the corresponding NIST 800-171 requirements, indicating whether practices would be rated as ‘met’ in a formal CMMC assessment. It also includes looking at the evidence of compliance that an organization provides, as well as testing team members to assess whether they understand the practices and procedures. A mock assessment is not an advisory service; it’s an unofficial, comprehensive exercise that mirrors the formal CMMC Assessment to help you determine your company’s readiness.
What is the Joint Surveillance Voluntary Assessment Program (JSVA)?
The Joint Surveillance Voluntary Assessment Program (JSVA) is a program offered by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in association with C3PAO companies. As part of this program, a CMMC C3PAO compliance assessment team is paired with a DIBCAC team to conduct a compliance assessment. The DoD expects a successful JSVA review will translate into a CMMC Maturity Level 2 (ML 2) certification issued by the participating C3PAO when the CMMC rulemaking takes effect.
A mock assessment is recommended before pursuing a certification or participating in the DoD’s Joint Surveillance Voluntary Assessment Program (JSVA) in order to give your company time to remediate gaps. Once the gaps identified in the mock assessment have been remediated, your company can work with a C3PAO company to schedule the JSVA. The same C3PAO can perform the mock assessment and JSVA; there is no conflict of interest, provided the C3PAO companies are not involved in the remediation of any Plans of Actions and Milestones (POAMs) identified in the compliance assessment.
What Does the JSVA Preparation Process Involve?
To qualify for the JSVA, your company must be in an active DoD contract, whether as a prime or a subcontractor. First, you will select an authorized C3PAO company to perform your JSVA; this C3PAO will submit your JSVA request to The CyberAB. The CyberAB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing CMMC conformance. Upon acceptance, the DIBCAC will contact you and add your company to the JSVA queue.
Your C3PAO assessment team will be paired with the DIBCAC to conduct a CMMC assessment. The C3PAO will meet with you to verify the scope of the audit (based in part on where CUI lives in your enterprise) and create a plan. DIBCAC and the C3PAO will ask for supporting evidence or artifacts as part of the process.
Evidential artifacts may include the following:
- System Security Plan (SSP)
- Data Flow Diagram (DFD) that depicts the CUI boundary
- Asset categorization diagram
- Policies and plans for each of the 14 security domains in NIST 800-171
- Applicable documented procedures and processes referenced in the SSP
- Configuration items and organizational defined parameters
- Customer responsibility matrix for inherited/assigned practices from cloud or managed service providers
- Service Level Agreements (SLAs) for vendors providing services that involve CUI
The JSVA typically takes five business days to cover everything from reviewing your company’s SSP to inspections and tests, examining required documentation, and an out brief. There will also be interviews and tests for all applicable practices and compliance assessment objectives for CMMC ML 2.
We hope this post has helped you understand the essential aspects of going through a CMMC/NIST 800-171 compliance assessment with a certified CMMC 3rd party assessment organization (C3PAO). We invite you to watch the recording and review the slide deck for more details about the JSVA and mock assessments.