CMMC audit confusion causing panic?
There is a lot of confusion around CMMC. It is NOT dead…just being reworked. Many contractors have been told that they must “get a CMMC certification”. Well, that isn’t exactly true because there is no certification…yet. However, just because a certification isn’t ready, you aren’t off the hook for putting security controls in place.
Regardless of marketing CMMC 2.0 isn’t ready
The rules for CMMC 2.0 are still being developed. There are no CMMC Certified instructors or auditors. You can’t become a CMMC 2.0 certified…anything yet. If you pay close attention, they are all “provisional” because they haven’t seen, and been tested on, the final rules.
According to the Cyber AB (the CMMC certification body) the work proceeds. It is clear that the DoD has every intention of augmenting NIST 800-171 with a formal certification process. Also worth note is that other government bodies may join the DoD and use CMMC as a requirement.
It is clear that every company should be taking security seriously enough to be putting controls in place. Companies with government contracts should probably be moving security toward NIST 800-171. When a certification becomes available, they will be ready.
NIST 800-171
While CMMC isn’t ready, all DoD contract owners should already be compliant with NIST 800-171. This was a requirement back in 2020 and all 110 controls defined in NIST 800-171 should be addressed.
DIBCAC can issue a POAMs (basically a plan to resolve any non-compliance with controls) and require a date those will be complete. Often this can be a request for documentation but can be an ‘over the shoulder audit’ to prove the controls are being performed.
Do I need a CMMC Audit?
I’ve had clients that are being contacted by their contract managers that they need to complete their “CMMC certification”. I think this is a result of confusion. There is a requirement that a NIST 800-171 self-assessment be performed every three years. I think that CMMC is easier to say than NIST 800-171 so this request is usually a call for that the required 3-year self-assessment. (Sometimes this request is driven by the Prime contract holder because they need to keep their sub-contractors compliant)
What is the SPRS Score?
The Supplier Performance Risk System score is really a confusing score. The maximum score is 110, representing all 110 controls. Every assessment starts with 110 points, but each control a company doesn’t have in place takes away from that score (-5, -3, -1) based on a weight for each control. Because of the weights, it is very possible that you can have a negative assessment score.
According to Basic Self-Assessment data, the average score in 2012 is about 56. I believe this is a surprisingly high number. In fact, the average score when the DIBCAC asks for the documentation behind the score, the average drops to -57.75. That shows that it is not enough to report ‘Yes, done’, you need more behind it. (A cynical view of this is that most companies are over-reporting their security position.)
Reporting a score of 110 is a real mistake unless you are literally perfect! You really aren’t and everyone knows it. If you report 110 points, you are putting a target on your back for an audit.
Is a self-assessment valid?
A self-assessment is certainly valid but it may not reliable. It is really easy to “fake” the assessment and kick the can down the road. The DoD knows this and CAN audit a contractor to confirm the assessment is valid. This may not seem like a big risk but you can lose your contract and may face criminal charges for making false claims.
Where are the biggest challenges?
According to the DCMA (Defense Contract Management Agency) is the responsible party for DIBCAC assessments. These are the most common problems:
3.13.11 – FIPS-validated cryptography (50% of ‘other than satisfied’ results have this noted)
3.5.3 – Multifactor Authentication (38% of ‘other than satisfied’ results have this noted)
3.14.1 – Identify, report and correct system flaws (22% of ‘other than satisfied’ results have this noted)
Proactive assessments, scans, and reviews – more generally, most contractors don’t play an active role in system security. They are not periodically assessing risks (3.11.1), scanning for vulnerabilities (3.11.2), or monitoring logs and alerts (3.3.3, 3.3.4, 3.3.5)
- The Imperative for Cyber Talent on Corporate Boards - March 29, 2024
- Talking CMMC preparation - March 12, 2024
- Protecting Your Business: Strategies to Combat DNS Attacks - February 20, 2024