This article looks at the most terrifying words in CMMC: "I’m from a RPO and I'm here to help!" This article focuses on a growing concern about Organizations Seeking Certification (OSC) being fleeced by Cybersecurity Maturity Model Certification (CMMC)-related “gap assessments” and what can do to remedy this feckless practice that often lead organizations down the wrong path, due to improper assumptions, based on the bad advice they are being provided.
When we wrote last year’s “dumpster fire” article, we hoped that we wouldn’t be in a position needing to write another chapter to this saga, but here we are. Unfortunately, the DoD and CMMC-AB have underwhelmed the Defense Industrial Base (DIB) with guidance on a myriad of topics that CMMC practitioners have sought clarification on and this has led to situations where OSCs are being led down the wrong path due to false assumptions. Too many stakeholders within the DIB view CMMC as primarily an “IT issue” that can simply be outsourced to a local/regional MSP/MSSP, as is commonly done with many IT-related functions. However, the assumption in question is that these “IT experts” are competent enough to handle all manners of CMMC-specific IT and cybersecurity needs, which is often not the case.
Topics Covered:
The real number of CMMC controls
Gap assessment pitfalls
What you can do to successfully address CMMC requirements
How Many CMMC-Related Controls Are There?
If your first thought is 110, you’re wrong. It’s not your fault! By now most of you will have heard, be it at a webinar or in-person event, that NIST SP 800-171 has 14 families which break down to 110 CUI controls. Unfortunately, those numbers are woefully inaccurate – when you add up all of the Assessment Objectives (AOs) in the CMMC Level 2 Assessment Guide, you will come up with 320 AOs. Not to kick you while you are down, but that doesn’t even include 61 NIST SP 800-171 Non-Federal Organization (NFO) controls.
What number has your RPO been telling you? Did that gap assessment you paid for cover the AOs, NFOs or just 110 CUI controls? Jacob Horne summed up this concept nicely, “The real version of any NIST-based model exists in the assessment objectives. Attempting to assess or remediate against control statements alone is like trying to read a book with just the table of contents. Any model that doesn't include assessment objectives is only half of a model.”
The good news is that there is some overlap between NFO controls and CMMC processes, since both focus on higher-level security program concepts. If you have nothing better to do with your time, you can read up on NFO controls at: https://www.nfo-controls.com/.
Why Should You Care About Assessment Objectives?
NARA runs the US Government’s CUI Program and points to NIST SP 800-171A as providing “procedures for assessing the CUI requirements in NIST SP 800-171 and is the primary and authoritative source of guidance for organizations conducting such assessments.” These AOs form the basis for how DCMA DIBCAC currently conducts NIST SP 800-171 assessments and is how C3PAOs will conduct CMMC assessments for OSCs. Note - 110 of CMMC’s primary controls where the AOs exist are just cut & pasted from NIST SP 800-171A.
The good news is we’ve quite literally been given the answers to the test. We know exactly what:
CMMC and NIST SP 800-171 assessments are going to look like, and
Questions your assessors are going to be asking you.
How cool is that? Seriously! You have the answers to the test and probably didn’t realize it! The bad news is that you most likely have the wrong answers submitted in your test, due to the inherent lack of knowledge surrounding the AOs. This leads many OSC to falsely assume they are ready for CMMC.
Gap Assessment Pitfalls
Raise your hand if your company paid for a third-party gap assessment to start off your NIST SP 800-171 or CMMC project. We can see you right there at your keyboard, so don’t be bashful! We know firsthand that many of you have, since we’ve heard the horror stories of OSCs paying $25,000-$80,000 for essentially nothing but being told, “You are not compliant and need to implement the controls.”
The pitfalls of these gap assessments is that unless your gap assessment covered the AOs, you (1) not only wasted your money, (2) are in no better of a position than you were previously and (3) you might have also lied to the government and your primes in the process. Hint – this affects your SPRS score, since you really should be using the AO to help answer the question if the control is adequately met. Doahhh!
With the recent release of DFARS 252.204-7020- NIST SP 800-171 DoD Assessment Requirements, contractors are required to calculate a self-assessment score based on the DoD Assessment Methodology (DAM) and submit that score to SPRS. Primes need to have a score submitted in order to bid/win new work and we routinely see subcontractors asked by primes to show proof of SPRS scores, in order to continue working with the prime. It is impossible to have properly-conducted a SPRS self-assessment and accurately submitted a score without going down to the AO level of every single practice, since based on Andrew Hoover, CMU SEI ,”All of the objectives for a given practice have to be met, in order for the practice to be implemented.”
For example, take the very first practice in NIST SP 800-171, 3.1.1 to “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).” Sounds straightforward, right? However, if you look at the assessment guide, you’ll see 3.1.1 is broken down into six, distinct AOs. Each AO has to be met in order to meet the overall CMMC practice. If it is not a 100% pass for the AOs, you cannot honestly attest that the process is met when conducting a self-assessment to calculate a SPRS score. Since 110 of CMMC's controls are directly from NIST SP 800-171, those AOs in NIST SP 800-171 are what are found in the CMMC 2.0 Level 2 Assessment Guide.
What About Me? I Don’t Know Where To Start! Shouldn’t I Turn To A RPO??
We didn’t forget about you and we want to see the DIB succeed. We also know there are a lot of very competent CMMC practitioners, but there are also a lot of charlatans that only want your money. This comes to the RPO program, where it can often provide OSCs with a false sense of security by enabling consultants to literally wave a badge around for marketing purposes, even though the RP / RPO badges do not equate to competence with CMMC. Unfortunately, the badging program is merely a money-making scheme by the CMMC-AB to pay its bills where consultants, MSPs, MSSPs have eagerly paid money to obtain a false sense of legitimacy, specific to their RP / RPO badges.
If the first thing you hear from a consultant is, “We are a RPO and we have [x number] of RPs on staff!” just walk away and keep looking. If you want to keep talking with them, focus on competence and ask these questions:
How long has your company specialized in DFARS-related cybersecurity? (hint – NIST SP 800-171 has been around since 2016, so if they are new to the game that is a warning flag)
How many DIB clients do you currently support?
How many CMMC/NIST SP 800-171 gap assessments have you performed? (follow up with a request to see a report and be sure to ask how many questions the gap assessment covers)
Have any of your DIB clients successfully gone through a DIBCAC assessment?
Why did your company spend the money to get the RPO and RP badges?
What makes you different from other RPOs? Why should we work with you?
If you want to save a bunch of money and possible frustration, this is what we recommend:
Go through the CMMC 2.0 Level 2 Assessment Guide to answer each AO to the best of your abilities. If you prefer Excel you can download a beautiful, free spreadsheet from the CMMC Center of Awesomeness. If you are not 100% sure about the answer, consider it not met. If you are not sure, you can be sure that you are deficient on that control.
With that list of deficiencies, you should take a look at the CMMC Kill Chain that is a 24-step project plan to start from nothing to get to where you can go for an assessment.
You can thank us for saving you anywhere from $25,000-80,000 by providing you with a gap assessment and a project plan. You’re welcome, America!
About The Guest Authors
If you have any questions about this, please feel free to reach out.
Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.
Levi Kapilevich is the Director of Business Development for NeQter Labs, a cybersecurity software company that focuses on helping DIB contractors navigate their DFARS, NIST SP 800-171, and CMMC compliance process. Focusing primarily on managing the Auditing and Accountability practices of standards.