Navigating CMMC Compliance: Insights from an Expert Assessor

In the latest edition of Right Hand Technology Group’s (RHTG) office hours, Matt Gilbert, a seasoned principal from Baker Tilly, provided invaluable insights into the complexities of Cybersecurity Maturity Model Certification (CMMC) compliance. Drawing on his extensive experience, Gilbert shared practical advice for companies striving to meet CMMC standards, addressing common concerns and highlighting key strategies. Here are the key takeaways from the session.

Handling Legacy Systems and Paper Documents

One of the session’s first topics was the handling of legacy paper documents and physical copies of code. Gilbert emphasized the Department of Defense’s (DoD) pragmatic approach, noting that while companies are not expected to relabel all stored documents, any accessed documents should be treated as Controlled Unclassified Information (CUI) and labeled accordingly. For physical copies, robust protection measures, such as locked cabinets or strong perimeter security, are essential.

Commercial Off-the-Shelf (COTS) Products and CUI

Gilbert clarified how to handle COTS products in relation to CUI. He advised that while standard catalog parts might not need CUI designation, any unique specifications, testing data, or quality reports likely would. It’s crucial to confirm with customers if certain information should be classified as CUI to ensure compliance.

Managing Subcontractors and MSPs

When it comes to subcontractors, Gilbert explained that subcontractors must ensure that they meet the CMMC requirements applicable to their level of access to CUI. They may need to undergo certification if their role involves handling or processing CUI in a significant way. Ensuring that contract clauses allow for this approach is vital. Similarly, Managed Service Providers (MSPs) must comply with CMMC requirements if they handle CUI or security protection data. However, if MSPs only provide remote management without possessing data, they may not need the same level of CMMC certification.

The Road to CMMC Rule Finalization

Gilbert provided an update on the progress of the CMMC rule. The DoD has submitted the proposed rule for public comment, and after responding to comments and making necessary adjustments, it is expected to be finalized and published in the Federal Register by the end of the year. The timing for when official assessments will begin is subject to the final publication of the rule and may vary. Companies should stay updated with DoD announcements for precise timelines. Gilbert advised companies to start planning for compliance now to avoid any disruptions in DoD contract pursuits.

Scheduling and Scoping Assessments

For companies preparing for assessments, Gilbert recommended engaging in preliminary discussions with potential assessors. Officially certified assessors must follow DoD guidelines and should not accept deposits or schedule assessments before the rule is finalized and they are officially allowed to perform CMMC assessments. He emphasized the importance of readiness assessments, following the DoD’s assessment guides and scoping guidance meticulously to ensure all aspects are covered.

Specialized Assets and System Security Plans (SSPs)

Gilbert touched on the categorization of specialized assets and the preparation of SSPs. He advised that companies might choose to have multiple SSPs for different systems, but in many cases, a single comprehensive SSP might be more user-friendly and effective. Each organization must decide based on its unique environment and operational complexity.

Duration and Nature of Assessments

When asked about the duration of assessments for small businesses, Gilbert estimated a couple of weeks of preparation, followed by a week of fieldwork and another week for wrap-up activities. Depending on the company’s setup, assessments could be conducted remotely or require on-site visits, particularly for physical security evaluations.

Policies and Remote Work

With the rise of remote work, companies must have robust policies and training to manage CUI effectively. Gilbert highlighted the importance of acceptable use policies, training programs, and ensuring employees understand and follow these guidelines. While assessors won’t visit employees’ homes, they will review policies and conduct interviews to verify compliance.

The Importance of Historical Compliance Evidence

Gilbert emphasized that while CMMC assessments are technically point-in-time evaluations, assessors will look for evidence of historical compliance. Companies need to demonstrate that processes have been in place and followed consistently, rather than just implemented last-minute.

Conclusion

Matt Gilbert’s insights during RHTG’s office hours provided a comprehensive overview of the steps companies need to take to achieve CMMC compliance. From handling legacy systems and CUI to managing subcontractors and preparing for assessments, his expert advice is invaluable for organizations navigating this complex landscape. As the finalization of the CMMC rule approaches, companies must act proactively to ensure they are well-prepared to meet the stringent requirements and secure their position in the defense contracting ecosystem. For more detailed guidance and assistance, companies can reach out to Right Hand Technology Group or explore resources provided by experts like Matt Gilbert and Baker Tilly. As Gilbert aptly noted, preparing for CMMC compliance is a critical step in safeguarding sensitive information and maintaining competitiveness in the defense industry.