CMMC has become a cybersecurity framework for the defense industrial base with CMMC C3PAOs (third-party assessor organizations) guiding organizations through this complex compliance landscape.
We recently spoke with Tony Buenger, Director of Governance, Risk and Compliance at SecureStrux, a C3PAO at CMMC CON 2023. Tony has decades of experience in Department of Defense cybersecurity consulting, planning, and implementation.
“Each organization is unique and at the same time, each must meet the same CMMC standards,” begins Tony. “Companies need the people, processes, and technology along with the budget in place to pass a CMMC assessment. For a small company, it’s going to take them longer. Prepare now. Get an independent expert to assist and keep in mind that it’s not only technical architecture you need to consider, as there are many non-technical aspects involved in achieving and maintaining compliance as well.”
Common CMMC challenges
The biggest obstacle to CMMC compliance spans companies of all sizes from small startups to global conglomerates. The issue involves properly defining CUI, which results in improper scoping. When companies do not know how to categorize or define their CUI, they can’t properly isolate and protect it. No matter what size the company is, an entity that doesn’t understand its CUI is at risk for not successfully passing a CMMC assessment.
“A lot of companies want to start working toward CMMC compliance but just don’t know where to begin with determining the CUI in their organization. Once you get that figured out, you can start heading in the right direction,” says Tony. “If you’re generating CUI, understand how to mark that and that helps drive scoping. Isolating CUI and developing a secure enclave can also be an important step. Bottom line is it’s important to get your scoping right.”
Another common challenge is companies only focusing on the technical components of CMMC compliance and neglecting the non-technical aspects. Not addressing the people and processes as relates to the technology will result in assessment failure.
How prime contractors and subcontractors are impacted
Collaboration between primes and subs is important in the process of meeting the requirements of CMMC. With the flow down of various clauses and the expected flow down of CMMC, defense contractors need to have strong relationships at all levels of the relationship funnel.
Communication is key in this regard as it’s critical to share specifications and ensure that both parties meet CMMC requirements.
“As a C3PAO that may be scheduled to conduct a CMMC assessment for either the prime or the sub, we cannot provide the party with any advice on how both entities should scope their environments,” continues Tony. “Sometimes as a consultant, we’re talking to both the prime and the sub at the same time. It’s possible that the prime and the sub do not have a direct relationship from a technical architecture perspective. Other times the companies may be technically intertwined. That’s where going back to scoping and understanding their non-technical and technical relationship is so important.”
As an assessor or consultant, it’s important to understand what the contracts say and what their responsibilities are. Companies where a sub has close technical ties to the prime, with many inherited shared technical controls and even non-technical controls, can get slowed down in preparing for a CMMC assessment by misunderstanding or not agreeing to proper scoping.
Build what your organization needs
Each organization is different and requires a different approach to help them understand where they are and where their destination is—and these directives must come from the leadership team. A consultant helps them build out the strategic roadmap to get to the level of maturity that they need.
“For example, a small business might consider building a more complex and expensive secure enclave than they need to protect CUI. We could interject that we know of a more affordable solution that can meet their CMMC standards. And that’s an eye-opening experience for these companies,” Tony states. “If you have a small technical architecture and a small administrative staff, you don’t need a lot of automation—such as a truly automated SIM system. As long as you’re meeting the intent of the CMMC standards, you can do it a lot cheaper. It’s doable, and even more importantly, maintainable.”
Thoughts on NIST 800-171, Rev. 3
General consensus is that companies should not be concerned about the new revision at this time, as it’s too far off for organizations seeking compliance and defense industrial base contractors to worry about, especially when it comes to being ready for CMMC. Many organizations seeking compliance have not yet implemented NIST 800-171, rev. 2, and this revision two looks to be around under DFARS 7012 for quite some time. Keep an ear to on rev. 3 and focus on the requirements at hand.
“CMMC is going to happen as we have threats to our defense supply chain today—and we have to do something about these threats,” Tony concludes. “Companies need to do their due diligence and meet those requirements because threats to our supply chain will only increase. Meet the foundational cybersecurity requirements until CMMC is formalized and protect your sensitive data against those threats.”
If you have any questions about how to prepare for a CMMC C3PAO compliance audit, contact us. We will be happy to answer questions regarding your organization’s readiness.
