You have all heard the term Cybersecurity Maturity Model Certification (CMMC) and know that it is coming, but Cask is here to give you valuable reasons why your organization needs to be thinking about CMMC today. Voluntary Assessments are already being scheduled. The best way to prepare is to have a Pre-Assessment or Gap Analysis done now!
The Cyber-AB, formerly the CMMC-AB, and the DIBCAC have stated that CMMC requirements will begin showing up in new contracts expected early next year! Should you take advantage of the opportunity to receive an early assessment it will give your organization a significant competitive advantage in being able to bid on DoD contracts that reference DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
Stacy Bostjanick, Chief of Implementation and Policy, Office of the DoD Chief Information Officer and Director of CMMC stated, there are “Potential incentives initially focused around allowing contractors to “garner a higher profit margin” or using contractor’s network security as part of the “criteria” for a “sole source selection evaluation”. In addition, by completing a Pre-Assessment or Gap Analysis your organization and employees will be prepared for their Formal Level 2 Assessment, greatly increasing your organization’s ability to meet the requirements.
What exactly is a CMMC Pre-Assessment?
A Pre-Assessment mimics a Formal CMMC 2.0 Level 2 Assessment, using the CMMC 2.0 Methodology which aligns with the NIST 800-171 assessment methodology. The Pre-Assessment includes a comprehensive examination of each practice, ensuring you have a minimum of two pieces of supporting evidence, which could include interviewing pertinent employees. Your Pre-Assessment will determine if your organization is ready for their Formal Assessment or if some fine tuning is necessary. In addition, your Pre-Assessment report will show you any nonconformities and allow your organization to close those out prior to your formal assessment. The more your organization is prepared the greater its chances are in meeting the requirements, obtaining certification, reducing the time, effort and cost required for your formal assessment.
During a Gap Analysis we will work with you through a specific set of controls that you have already identified from your self-assessment. We will assist you in closing those gaps. Your Gap Analysis report will present a clear summary of where the gaps exist between your organization’s readiness and the practice requirements. It will also show a recount of each requirement and the degree of compliance, with corresponding actions that need to be taken to close these gaps. This report will provide your organization with a specific way forward before scheduling your formal CMMC assessment.
By choosing to do a Pre-Assessment or Gap Analysis your organization will not only be prepared for their Formal Assessment, but your team members will own and understand their respective practices and corresponding evidence and will be prepared to answer questions and present that evidence when called upon.
Cask Government Services, the third Authorized C3PAO, has been conducting Pre-Assessments and Gap Analyses since June of 2021. We will provide recommended solutions based on the Federal Acquisition Regulations and security requirements within the NIST SP 800-171 and can also assist your organization in developing a System Security Plan (SSP) and supporting documents. Cask has a passion for securing the Defense Industrial Base by helping organizations of any size become Cyber Secure. Contact us now and we’ll walk you through the steps of getting started.
