Five lessons learned as you prepare for CMMC

With CMMC requirements on the near horizon, those in defense contracting are asking important questions about the timing, process, and preparation for their assessments. While the industry waits for the final rule, a voluntary early assessment program is providing answers that can help small businesses. 

Recently, one of our small to mid-sized contractor clients went through the Joint Surveillance Voluntary Assessment Program, earning a perfect score. The program is based on the same 110 controls required for CMMC Level 2, so the process is an accurate example of what we can expect from CMMC assessments.

JSVAP is a collaboration between Cyber AB and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These are voluntary assessments for companies that believe they are already meeting or exceeding compliance requirements. As of this writing, only 22 companies have completed the assessment process, with another 17 in progress or scheduled to get started.

The client, IVA’AL Solutions, is an 8(a) contractor that made the choice to apply for the JSVAP as a way to further differentiate the organization. They understood that having an early assessment would be a competitive advantage - allowing contracting officers and partners to trust their cybersecurity compliance.

Achieving that perfect score is a significant milestone for all SMB contractors. It demonstrates that small businesses can, in fact, meet the standards and rigor needed for CMMC and do their part in helping secure American infrastructure. Significantly, it also showed that government-level security could be achieved by a small business using cloud solutions and an MSSP.

What did we learn?  

The JSVAP process had many valuable takeaways for managed security solutions providers (MSSPs) to help their clients prepare for future assessments – and five BIG lessons learned for small businesses in the DIB.  

Lesson #1: Scope is important 

Our client is a 150-employee organization. Like many contractors, they constantly move people around on different programs. Once we verified the flow of controlled unclassified information (CUI) we were able to narrow the scope of their assessment down to just 15 employees. 

Instead of implementing the highest level of cybersecurity for everything and everyone, we were looking at a small subgroup of employees who were trained on the importance of special security measures and a limited number of networks and systems. 

Implementing advanced cybersecurity is already a steep learning curve for DIB companies. There’s a massive effort needed to implement the controls and write policies and procedures and another push to enforce them within the organization. Limiting the scope impacts the time and money involved in cybersecurity at every level, from preparation to documentation to evaluation.  

Lesson #2: Documentation is a VIP (Very Important Process) 

Documentation is a central aspect of any assessment. It’s the evidence that proves a company is meeting each control. Again and again, during the JSVAP assessment, the assessor asked the team to point to where a control was documented. For those with a system security plan written to NIST SP 800-171A and well-organized documentation, it is as easy as referencing a page number. 

Documentation for JSVAP, like CMMC, requires two pieces of evidence for every control — 220 pieces of evidence for all 110 controls. Documentation allows assessors to verify or test the network configurations and daily security practices. 

The need for documentation is also why contractors should allow 12 months to become compliant. Configuring the technical pieces can typically be completed in six months or less, but implementing and operationalizing policies and providing evidence of compliance takes considerably more time.  

Lesson #3: You can outsource a lot, but be prepared to handle some of the work internally 

Many MSSPs will tell you they can do it all. The JSVAP preparation process shows that it takes a team. Every company will need leaders who are knowledgeable and involved in cybersecurity and IT staff. 

A small contractor will need two to three people internally, at a minimum, to fill the roles that administer and enforce the policies and procedures of the CMMC Level 2 requirements. You might find a unicorn who can do the security engineering and the documentation or a CIO who can also help with the other tasks. 

Outsourcing everything else – including the initial documentation needed for an assessment – requires a 6-figure budget. The refining process – reviewing configurations and policies to ensure they meet compliance standards – is ongoing. Assessors look for recent documentation, not evidence that is a few weeks or months old. Having internal staff to keep up with the tasks that prove you are staying compliant throughout the certification periods is cost-saving.

Lesson #4: You’re not the only one who has to be compliant  

Expect your MSSP to need the same certifications you are being assessed for. 

This is not yet a formal requirement of JSVAP or CMMC, but the policy was posted and then retracted a few months ago. It makes sense that if you are hiring someone to handle your cybersecurity and giving them access to your logins, systems, and configurations, their own cybersecurity needs to be up to standards, too. 

Increasingly, we are seeing many primes and companies require their vendors, subcontractors, and partners to meet standards for cybersecurity and be able to prove it. This trickle-down requirement may result in larger companies lending a hand to their subcontractors to implement proper cybersecurity. Expect cybersecurity to be the price companies must pay to play in federal contracting, 

Lesson #5: Compliance takes more time than you think 

The preparation process for an assessment takes more time than you would expect. I’ve mentioned that refining is an ongoing process.  

Our client began implementing an information security program compliant with NIST SP 800-171 about 18 months before their JSVAP. There were several months between applying, being accepted, and having the assessment conducted, and we used every minute of that to review each assessment objective and solidify security processes within the company. 

Until CMMC is finalized and the first few companies go through the certification assessment, we won’t know with certainty what success looks like. The JSVAP experience provides a sneak peek into the future – allowing other SMB contractors to prepare for their own cybersecurity assessment properly. 

Derek Kernus is the director of cybersecurity operations for DTS, a professional services firm providing cybersecurity, management, and consulting services. He holds the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications from (ISC)2, and CMMC Certified Professional (CCP) from the Cyber AB.