Self-Assessment and Certification

From Cooey Wiki

In the Cybersecurity Maturity Model Certification (CMMC) framework, self-assessments and third-party certifications are two key mechanisms that organizations use to demonstrate compliance with cybersecurity requirements set by the Department of Defense (DoD). These mechanisms are designed to ensure that contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) have adequate cybersecurity measures in place.

1. CMMC Overview:

The CMMC framework is a tiered certification model intended to assess the cybersecurity maturity of contractors and suppliers within the Defense Industrial Base (DIB). It is divided into three levels of increasing rigor, from basic safeguarding of FCI at Level 1 to protection against advanced persistent threats at Level 3. CMMC verifies that contractors meet specific security standards: the basic safeguarding requirements of FAR 52.204-21 at Level 1, the 110 requirements of NIST SP 800-171 at Level 2, and a selected subset of NIST SP 800-172 on top of those at Level 3.

2. Self-Assessments in CMMC:

At lower CMMC levels, specifically Level 1 and, where the contract allows it, Level 2, companies may self-assess their cybersecurity practices and controls instead of undergoing an independent assessment. Here is how it works:

Level 1 Self-Assessments:

  • Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 that protect Federal Contract Information (FCI), such as malicious code protection, access control with identification and authentication of users, and protection of system boundaries.
  • Self-assessment is allowed for Level 1 contractors. These companies are not required to undergo a third-party assessment but must:
    • Complete a self-assessment against all of the Level 1 requirements; Level 1 has no partial credit, so every requirement must be met.
    • Record the self-assessment result in the Supplier Performance Risk System (SPRS), a DoD-managed system.
    • Reassess and affirm continued compliance annually.

3. Third-Party Certification in CMMC:

For Level 2 (C3PAO) and Level 3, an independent assessment is required to validate compliance. Which level applies, and whether self-assessment or independent assessment is required, depends on the sensitivity of the information handled under the contract:

CMMC Level 2:

  • Level 2 maps directly to the 110 security requirements of NIST SP 800-171 Rev. 2 and applies to contractors that handle CUI.
  • Depending on the contract, Level 2 is satisfied either by a self-assessment (Level 2 Self, with results entered in SPRS) or by an assessment performed by a C3PAO (Certified Third-Party Assessor Organization); DoD specifies which applies in the solicitation, and the phased rollout defers C3PAO requirements in early contracts.
  • The Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) accredits the C3PAOs that perform these assessments.
  • Certification at this level is valid for up to three years, with an annual affirmation of continued compliance; a significant change in the assessed environment requires reassessment before the three years are up.

CMMC Level 3:

  • Level 3 adds 24 selected requirements from NIST SP 800-172 on top of the Level 2 baseline to address risks posed by Advanced Persistent Threats (APTs).
  • A Level 3 assessment of those 24 requirements is performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and requires a completed C3PAO Level 2 assessment as a prerequisite.
  • Certification at this level is valid for up to three years, with an annual affirmation of continued compliance; a significant change in the assessed environment requires reassessment before the three years are up.

4. Steps in the Certification Process:

For companies required to undergo third-party certification, the following steps are typically involved:

1. Preparation:

  • Companies conduct a gap analysis to determine where their current cybersecurity posture falls short of the CMMC level they are aiming to achieve.
  • Many contractors hire consultants or use tools to help them prepare for the formal assessment by ensuring that their processes and systems meet the necessary standards.

2. Assessment by C3PAO:

  • The C3PAO reviews the organization's policies, procedures, security controls, and their implementation to ensure compliance with the required CMMC level.
  • The assessment may include interviews with personnel, documentation review, and technical testing of the organization's systems.

3. Certification:

  • If the organization passes the assessment, the C3PAO records the results in DoD's CMMC eMASS system, and the organization's certification status is then reflected in SPRS.
  • Certification is valid for three years at Levels 2 and 3, with an annual affirmation of continued compliance, after which the organization must be reassessed.

4. Post-Certification Monitoring:

  • Certified companies must continue to maintain their cybersecurity controls throughout the certification period and affirm continued compliance annually.
  • Significant changes, such as new systems or a change in the assessment scope, can trigger an additional assessment before the three-year period ends.

CMMC Levels Summary

CMMC Level 1 (Foundational): Annual self-assessment, focused on FCI protection (FAR 52.204-21).

CMMC Level 2 (Advanced): NIST SP 800-171 requirements for CUI; self-assessment or C3PAO assessment, as specified by the contract.

CMMC Level 3 (Expert): DIBCAC assessment; covers NIST SP 800-171 plus 24 requirements from NIST SP 800-172.

Challenges and Considerations

Cost: Third-party assessments, particularly at higher levels, can be expensive and resource-intensive. This is a challenge for small-to-medium businesses that may struggle with the financial burden.

Choosing the right support: Some organizations might choose to work with consultants, or engage in pre-assessments to gauge their readiness prior to assessment. Choosing knowledgeable and capable organizations to support you is very important. Some guidance on picking this support is below:

Continuous Compliance: Certification is not a one-time event. Organizations must continuously maintain their cybersecurity posture, as lapses in compliance can lead to a loss of certification or future contract eligibility.

Supply Chain Impact: Prime contractors are responsible for flowing the required CMMC level down to their subcontractors and ensuring that their entire supply chain meets it, which makes compliance across the supply chain complex.

CMMC 2.0 Update

The CMMC 2.0 model, announced in 2021, simplified the original model by reducing the number of levels from five to three. This updated version emphasizes self-assessments for lower-level contractors but retains third-party certification for higher-level contractors handling CUI. It aims to make compliance more streamlined and less burdensome while maintaining strong security requirements.

Conclusion

In the CMMC framework, self-assessments allow lower-tier contractors to meet basic security standards at a lower cost, while third-party certification is required for companies handling more sensitive data, such as CUI. This dual approach balances the need for strong cybersecurity controls with the practical realities of cost and resource constraints across the defense industrial base. Organizations aiming to do business with the DoD must understand their specific CMMC requirements and implement the necessary controls to achieve certification or self-assessment compliance.