CMMC Audit
Let’s jump in and learn:
What Is a CMMC Audit?
CMMC has three compliance levels that align with an organization’s risk profile, which are associated with type of data they use, store, and transmit. Level 1 is the lowest in the CMMC guidelines and is a mandatory requirement for all companies working with the DoD, while Level 3 is the highest.
A CMMC audit, which the US Department of Defense (DoD) refers to as an assessment, confirms compliance with the requirements for each of the three levels. The governance and oversight of the CMMC program fall under the DoD’s Office of the CIO (OCIO). This is a shift from CMMC 1.0, where it was the responsibility of the Under Secretary of Defense for Acquisition and Sustainment (A&S).
A CMMC audit assesses an organization’s risk prevention and cybersecurity systems and practices. It is compulsory for any organization that does business with any entity under the DoD. The initial version of the CMMC framework was rolled out in January 2020. However, it was deemed too complex and cumbersome to implement, so the DoD rolled out a revised version, CMMC 2.0, in November 2021.
While more streamlined, CMMC 2.0 has stringent security specifications that require third-party evaluations at Levels 2 and 3. The self-declaring model of CMMC 1.0 has been replaced with third-party certification. A CMMC audit is conducted by DoD-approved assessors known as CMMC Third-Party Assessment Organizations, or C3PAOs.
However, with the release of CMMC 2.0 in November 2021, DoD has relaxed the rules on third-party audit requirements. This means that somewhere between 40,000 and 80,000 organizations will be able to self-attest versus being required to obtain third-party certification.
Any organization that intends to meet CMMC 2.0 Level 2 or 3 needs to pass a third-party audit. However, the previous pass-or-fail audit process has changed to allow auditors to give organizations that do not meet the requirements plans of action and milestones (POA&Ms).
With these completed, an organization can receive certification through the CMMC audit. However, organizations should do everything possible to pass the CMMC audit with no POA&Ms, because anything less than a clean pass could inhibit their qualification for DoD contracts.
Another important consideration for a CMMC audit is the availability of auditors. As of fall 2021, there were only 100 people certified to do a CMMC audit, while the estimated need was 5,000. Therefore, organizations should be proactive in booking a CMMC audit to ensure that they can have their assessments done in a timely manner.
Three Levels for CMMC Compliance
A CMMC audit will be based on an organization’s level. A summary of the three CMMC compliance levels is as follows.
Level One: Foundational
Level 1 applies to organizations that access, use, or store only federal contract information (FCI): information that requires protection but is not considered sensitive or critical to national security. At Level 1, a CMMC audit can be performed through a self-assessment of how the organization follows 17 specific security practices and controls.
Level Two: Advanced
This is the minimum level for any organization that handles controlled unclassified information (CUI). At Level 2, a CMMC audit may be completed through a self-assessment or by a third party. An organization that handles only non-prioritized acquisitions is required only to complete and report a CMMC Level 2 self-assessment and submit senior official affirmations to the Supplier Performance Risk System (SPRS). Organizations that handle prioritized acquisitions are required to have a third-party CMMC audit. Level 2 comprises 110 security practices and controls, aligned with NIST SP 800-171, all of which are within the scope of a Level 2 CMMC audit.
Level Three: Expert
Most organizations fall under Level 1 or Level 2. However, organizations that handle high-value assets and high-priority programs are required to implement and maintain more than 130 security practices and controls, drawn from NIST SP 800-171 and NIST SP 800-172, to protect CUI from advanced persistent threats (APTs). At Level 3, organizations must have a government-led CMMC audit every three years.
CMMC Audit and Compliance Acronyms
Key Acronyms to understand when considering CMMC compliance and CMMC audits are:
- C3PAO – Certified Third-Party Assessment Organization
- The Cyber AB – CMMC Accreditation Body
- CUI – Controlled Unclassified Information
- DFARS – Defense Federal Acquisition Regulation Supplement
- DIB – Defense Industrial Base
- FCI – Federal Contract Information
- NIST SP 800-171 – Security requirements for protecting CUI
- NIST SP 800-172 – Enhanced security requirements for protecting CUI
- OSC – Organization seeking certification
- POAM – Plan of actions and milestones
- RPO – Registered Provider Organization
Who Needs CMMC Certification?
CMMC audits are required for any organization in the defense industrial base (DIB), which includes the more than 300,000 organizations that do work for the United States Armed Forces under the DoD. CMMC 2.0 is far-reaching: the scope of a CMMC audit includes contractors, subcontractors, researchers, and staff in engineering, development, and supply chain operations. Which participants are involved in a CMMC audit depends on the type and nature of the information flowing down from the prime contractor.
If an organization does not possess, store, or transmit CUI, but does possess FCI, it is required to meet FAR clause 52.204-21. This means that the organization needs to be certified at a minimum of CMMC Level 1. Exempted from CMMC certification are organizations that solely produce commercial-off-the-shelf (COTS) products.
Organizations are allowed to achieve different CMMC levels for parts of their network based on where CUI or Federal Contract Information (FCI) is handled and stored. However, industry best practices suggest that CMMC compliance levels be the same across an organization’s network. This allows disparate groups within the ecosystem to communicate and share information more easily.
As part of the initial rollout of CMMC 2.0, prime DoD contractors are required to perform a self-assessment of their implementation of NIST SP 800-171 via the NIST SP 800-171 DoD Assessment Methodology. The resulting score from this self-audit will need to be submitted to the DoD’s Supplier Performance Risk System (SPRS).
The CMMC certification process varies depending on the desired level. Generally, an organization can spend 9-24 months preparing for and going through the CMMC audit process.
According to the DoD: “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
What Is CMMC Compliance?
CMMC compliance means meeting and adhering to the requirements of the U.S. Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC), and a CMMC audit verifies that compliance. The CMMC is a security framework mandated for all of the more than 300,000 organizations that work with the DoD. CMMC compliance requirements vary according to the three levels of security maturity: foundational, advanced, and expert. Depending on the work they do and the information they use, organizations fall into one of these three categories with regard to CMMC compliance and a CMMC audit.
The need for CMMC, explained by Katie Arrington, Chief Information Security Officer (CISO) for the Assistant Secretary for Defense Acquisition: “The U.S. is losing $600 billion a year to our adversaries in exfiltration, data theft and R&D loss. If we were able to institute good cyber hygiene and we were able to reduce, let’s just say email phishing schemes by 10%, think of the amount of money that we could save to truly reinvest back into our partners in the industrial base that we need to stay on the competitive edge. And the only way that we saw fit to do this was to create this CMMC so we can ensure that we are doing everything we can do to buy down the risk of our adversaries stealing our hard work.”
CMMC Compliance Timelines
The DoD initially released CMMC 1.0 in January 2020, with the rollout planned to run from 2021 through 2025. According to the original plan, an organization would have to be prepared for a CMMC audit by 2026, as all defense contracts would have incorporated the robust requirements of CMMC 1.0. However, in response to more than 850 comments on the interim rule, the DoD ultimately halted CMMC 1.0.
In November 2021, the DoD announced a restructured program—CMMC 2.0. Clear CMMC compliance timelines were not set, so most organizations have continued to prepare for a CMMC audit of some type. Subsequent announcements gave more insights into the rollout timeline.
With CMMC 2.0 expected to be implemented by summer 2023, organizations that are ready for a CMMC audit could receive incentives by voluntarily obtaining CMMC certification while the rulemaking process is in progress. It is expected that a mandate for a CMMC audit, under an interim rule, could be in place as early as May 2023. If the DoD proceeds as expected, organizations should be certified and ready for a CMMC audit by October 2025.
CMMC Audit Preparation Tips
For DoD contractors who have been working on meeting requirements for a CMMC audit, there is often stress and sometimes confusion about the best way to get ready. Whether it is a CMMC audit by a Certified Third-Party Assessment Organization (C3PAO) or a government-led CMMC audit, the following tips will go a long way toward making the preparation process easier.
Establish an understanding of the organization’s current state of security
Pay particular attention to how closely the organization is following all of the existing NIST SP 800-171 requirements. For a Level 3 CMMC audit, also review NIST SP 800-172.
Perform a gap analysis based on desired CMMC level
Small businesses that do not work with CUI may need to do very little for their self-run CMMC audit. Larger entities, however, will have to implement a long list of additional security requirements to pass a CMMC audit. Carefully review the CMMC documentation, maintain a detailed list of the control requirements for the desired level, and determine what else is needed to meet those requirements so that the CMMC audit will be successful.
Establish a security roadmap
Based on internal security assessments, create a plan for how to implement the required measures to be ready for a CMMC audit. If a CMMC audit is already scheduled or planned, work backward from that date and include extra time for the complications that will inevitably arise. Since there is often a long lead time to get a CMMC audit scheduled due to the limited number of authorized auditors, the roadmap helps avoid misses and mistakes that could delay certification.
Stay connected with the CMMC Accreditation Body (The Cyber AB)
The CMMC Accreditation Body is the official accreditation body of the CMMC ecosystem—from auditors to trainers. It provides information about the CMMC audit process as well as access to members of the ecosystem.
Preparation Makes a CMMC Audit Easier and Improves Overall Security
Although the specific directives set forth in CMMC 2.0 are relatively new, they are rooted in existing frameworks. Many of the areas focused on in a CMMC audit are enhancements to frameworks that are already used by the DoD to manage risk in the supply management domain. Among the frameworks that serve as the foundation of CMMC 2.0 and a CMMC audit are NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
Following a CMMC audit, organizations receive a report from The Cyber AB (formerly the CMMC AB) on how they measure up to the CMMC’s directives. This detailed report covers findings across all of the assessed controls, according to the level at which the organization is seeking approval.
The CMMC audit determines whether an organization has achieved the recommended cybersecurity capabilities that are required to win a contract with the DoD. In some cases, those reports uncover deficiencies in control implementations, such as a weakness that could result in the loss of CUI. In those cases, the organization will have to remediate the issues to achieve positive results from its CMMC audit. The scale of the failure can range from an isolated occurrence to systemic issues across the organization.
For organizations that have done or want to do business with the DoD, passing a CMMC audit is mandatory, but it has significant benefits. A CMMC audit is a forcing function for assessing and implementing risk and security solutions. Successful completion of a CMMC audit results not just in the ability to do business with the DoD, but it also provides confidence in the organization’s overall risk and security posture.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.
Last Updated: 17th November, 2022