DCMA provides details on CMMC scoping, lessons learned

By Sara Friedman  / September 9, 2021

The Defense Contract Management Agency's process for conducting assessments under the Pentagon's Cybersecurity Maturity Model Certification program is adapting to meet the needs of stakeholders, according to Defense Department official John Ellis, who provided Inside Cybersecurity with an overview of lessons learned in recent months.

The assessments are conducted through DCMA's Defense Industrial Base Cybersecurity Assessment Center, which was formalized in 2019 to conduct assessments of defense contractors against NIST Special Publication 800-171.

The Pentagon's CMMC program is largely based on NIST 800-171, and the DIBCAC started conducting assessments for certified third-party assessment organizations for CMMC level three in March.

"CMMC by design is a 'maturity-based model' where compliance must be demonstrated not only from a technical perspective, but also from a governance and procedural aspect to meet maturity level processes which are very heavy on documentation," Ellis told Inside Cybersecurity via email.

"CMMC Level 3 requires an additional 20 controls in addition to the 110 requirements as specified in the NIST SP 800-171," Ellis said. "In addition, assumptions made in the NIST SP 800-171 such as documentation of policy, process, and procedures (NFO controls) are now mandatory requirements as part of the CMMC standards."

There are currently four C3PAOs that have passed their CMMC level three assessment by the DIBCAC and are fully authorized by the CMMC Program Management Office and the CMMC Accreditation Body.

The CMMC-AB's marketplace provides details on the four companies, but official assessments have not begun due to delays in finishing the portal, known as eMASS, where C3PAOs will submit their CMMC scores for the defense companies they assess, according to CMMC-AB CEO Matthew Travis.

DOD is in the process of updating its CMMC assessment guides for levels one and three with a scoping appendix that will provide details for contractors and the C3PAOs.

The DIBCAC has determined its own process to scope assessments for C3PAOs, which Ellis said is "typically less complex than that of a defense contractor who may have global production facilities and a multitude of internal networks. The scope of a DIBCAC candidate C3PAO assessment is limited to only the portion of the candidate C3PAO that handles assessment data and any supporting enterprise infrastructure."

"There are several steps that occur to determine if a C3PAO is ready for a DIBCAC assessment," Ellis added. "The CMMC-AB performs a series of checks and verifications on candidate C3PAOs. After the CMMC-AB has completed their validation of the candidate C3PAOs, the CMMC Program Office initiates additional vetting. Once the CMMC Program Office forwards the candidate C3PAO to DCMA, the DIBCAC performs a series of checks and holds discussions with the candidate C3PAO."

The DIBCAC held a brown-bag meeting in May for candidate C3PAOs to share "lessons learned from early assessments," Ellis said. "This brown-bag stressed the importance of proper documentation for CMMC Level 3."

The DIBCAC has made "additional improvements" to their assessment process, which Ellis said "run the gamut of optimizing scheduling to early identification of potential issues."

In the first meeting with a candidate C3PAO, Ellis said the DIBCAC asks questions about "its constructed environment" to get details on how the C3PAO "has built the environment which is to be used for CMMC activities and any external dependencies."

"For instance, if the candidate is solely cloud based, the DIBCAC will focus on understanding how the candidate C3PAO's employees access the cloud, what controls are inherited from the cloud provider, et cetera," he said. "Conversely, if the candidate C3PAO utilizes a physical infrastructure, DIBCAC will ask about locations, network topology, et cetera."

The accreditation body's marketplace lists 181 candidate C3PAOs in the CMMC-AB's pipeline awaiting a DIBCAC level three assessment.

When asked about the DIBCAC's staffing needs, Ellis said: "The DCMA DIBCAC is working closely with the CMMC Program Office and the CMMC-AB to ensure the rest of the DIBCAC obtains CMMC Provisional Assessor certification. This will allow additional teams to support the CMMC mission. The DCMA DIBCAC has multiple missions and will focus its available resources based upon priorities established by the DOD."

"Whether a CMMC C3PAO or NIST SP 800-171 assessment, participants would largely agree to the benefit of the [DIBCAC] assessment process itself. Each assessment is an open, transparent learning process for both the assessed organization and the assessors, and we have seen companies make great strides in improving their cyber posture as an outcome of this collegial process," he added.