One of the best things you can do to prepare for the Cybersecurity Maturity Model Certification is to perform a CMMC mock audit. This will give you an understanding of the areas where your IT needs to improve prior to being audited by a C3PAO (Certified Third-Party Assessment Organization). A mock audit is more than just good practice — it could save you millions of dollars in contracts.
Why Accuracy Matters
The Department of Defense (DoD) has become stricter about the self-assessments that contractors submit for Level 1 compliance. This was made evident when it was disclosed over the past year that 75 percent of the contractors who claimed perfect scores were found to be in error. Inaccurate self-assessments don’t simply get you a slap on the wrist. You could lose current and future contracts because of them.
Keep in mind that those DoD scores are reported and shared with government agencies. Those reviewing contractor bids will see your score and whether it disqualifies you.
When Will CMMC 2.0 Be Released?
Some contractors may hesitate to jump on a CMMC mock audit and application process because they’ve seen how the latest version, dubbed CMMC 2.0, has had its rollout repeatedly delayed.
According to MeriTalk, CMMC 2.0 may be available for public comments starting in November or December. At that point, the “[i]ndustry will then have 60 days to submit their input before the Defense Department (DoD) unveils the finalized rule, which is expected in the fall of 2024.”
Contractors should use the time afforded to them to evaluate their IT rather than wait. The changes that a mock audit uncovers as necessary for compliance can be time-consuming and costly. Plus, when contractors are found either to lack a CMMC requirement or to have implemented one incorrectly, they have 30 days to make the necessary corrections.
Now that we’ve covered why a mock audit is important, let’s review what steps you can take to prepare for one.
Step 1: Know About CUI
A big part of CMMC is establishing how your organization will manage Controlled Unclassified Information (CUI). While most contractors learn about what data is considered CUI after their bid has been accepted, you’ll still want to have a framework in place that details how you’ll store, process, and transmit this information. This framework must adhere to DFARS 252.204-7012/NIST SP 800-171.
Part of this will involve a System Security Plan (SSP) describing how CUI is handled, as well as obtaining a five-character Commercial and Government Entity (CAGE) code from the Defense Logistics Agency (DLA).
Do you know the difference between CUI and Federal Contract Information (FCI)?
Step 2: Develop and Document Policies, Procedures, and Standards
CMMC 2.0 has three maturity levels, and handling CUI requires that you reach Level 2 at minimum. To do so, you’ll have to demonstrate compliance with 110 requirements (formerly practices) under NIST SP 800-171, including the development of internal policies, procedures, and standards for meeting them. You’ll want to document everything thoroughly, and maintain two (2) pieces of evidence for each requirement.
Policies should also include any applicable laws that deal with data privacy and your industry.
Step 3: Have an RP Administer Your CMMC Mock Audit
Contract with a registered provider (RP) to test your organization’s ability to meet all 110 requirements. RPs have been certified by The Cyber AB, the official accreditation body for CMMC.
Your RP will be able to help you understand the findings from your mock audit and what those results mean in terms of a Supplier Performance Risk System (SPRS) score. That score is what will be submitted to the DoD as your self-assessment, and it will also be compared against the official CMMC assessment that you’ll receive from a C3PAO.
Step 4: Identify Gaps and Create POA&Ms
If your mock assessment finds areas where you’re lacking, a registered provider can help you develop strategies and timeframes for correcting them. Many organizations are tempted to think of the CMMC framework as focused strictly on hardware and software, but physical security and team training are equally critical to cyber defense. Simply look at the massive data breach that affected MGM back in September, which reportedly started from a help desk ticket, to understand why this matters.
Even if organizations identify gaps in their security, they can still submit lower SPRS scores if they can demonstrate Plans of Action & Milestones (POA&Ms) showing how and when they intend to meet those requirements. Your RP can advise you on whether this is appropriate based on your CMMC mock audit.
Hire Brenda Doles as Your Registered Provider
If you’re looking for assistance with preparing and performing a CMMC audit, Ms. Doles is ready to assist. She has over twenty years of healthcare and government experience, and is certified by The Cyber AB as a Registered Provider (RP), Certified CMMC Professional (CCP), and Certified CMMC Assessor (CCA). She also has firsthand experience achieving Level 2 CMMC compliance through spearheading these requirements within her own company, Healthcare Resolution Services.
Let Ms. Doles help your team improve its risk management, identify the CMMC requirements you may lack, and establish a timetable to implement necessary changes. She can also put you in touch with the appropriate third-party assessor when you’re ready to be audited.
Contact her today to discuss a partnership.