The CMMC Accreditation Body (CMMC-AB) is the governing body charged with certifying assessors. The CMMC-AB, which is composed of 13 members from the defense industrial base, the cybersecurity community, and academia, will take the CMMC model and set up the training and certification programs for assessors. Those who conduct CMMC assessments will be independent third-party organizations, such as small businesses and independent consultants. Once licensed as assessors, those organizations will conduct assessments and create reports to submit to the accreditation body to get the vendor their CMMC level.
When Can Businesses Undergo a CMMC Audit by an Approved Assessor?
It’s a natural progression for companies already offering NIST 800-171 compliance services to become assessors. Additionally, cybersecurity requirements exist within the financial and healthcare sectors, so firms working in those fields may become auditors as well.
The DoD has indicated that it will provide initial training guidance to the CMMC-AB in the first quarter of 2020. The organizations completing this program should be able to start conducting audits and certifying companies in May 2020.
The CMMC Accreditation Body’s FAQ clarifies, “To be clear, offering pre-assessments or consulting using the most current draft of the standard is acceptable and encouraged. However, it is not currently appropriate for any vendor to offer a formal CMMC assessment claiming that is authorized by the CMMC-AB.”
How to Prepare for CMMC Pre-Assessments
It’s often difficult for compliance teams to collect all the compliance information they need for accurate reporting. Working with a firm that leverages a compliance operations (ComOps) tool like Hyperproof is the solution. This cloud-based software brings standardization to compliance operations. Such tools are built to make compliance projects easier and to ease two common pains: the manual, duplicative work that IT audits require, and the lack of insight organizations have into how prepared they are for audits.
Evidence collection, or the act of documenting your compliance processes and outcomes, is a key component of CMMC audits and certification. To prepare for a CMMC audit, compliance professionals will need to collect and manage multiple evidence files to demonstrate compliance. Unfortunately, this is often a time-consuming administrative ordeal.
Few organizations know exactly where they have stored all of their risk and compliance data. When collecting evidence, your compliance officer or vendor partner must clarify who is responsible for each compliance activity and connect with the business process “owners” — people who are responsible for maintaining compliance evidence.
Challenges in Collecting Evidence
Collecting and organizing evidence is a challenging and extensive undertaking. If you are relying on different tools to track compliance updates, document compliance efforts, store evidence, communicate with people providing evidence, and manage the interplay between all of those tasks, you will be fighting an uphill battle. Your compliance vendor should operationalize collecting and updating compliance evidence, which is the antidote to time wasted on manual processes.
The proper technology for managing compliance is vital because controls change often. If a control is updated—for example, the way in which a system authenticates users—then the documentation itself needs to reflect the current control. Without systems to manage compliance overall, and evidence collection specifically, these changes won’t be reflected in your compliance documentation.
Instead of asking a colleague in another department to provide the same piece of evidence three times a year for three different audits, you can ask for that evidence once, file it in Hyperproof, and be ready for future audits.
CMMC Audit and Certification Support
At ATS, we understand that accountability for complying with the CMMC lies with your organization. We partner with our clients and share the responsibility of satisfying the required processes and practices. ATS takes a holistic and structured approach to support your successful CMMC audit.
We start by identifying the key stakeholders in your organization who will need to participate in the compliance effort as well as identifying the types of FCI and CUI in your organization and relevant information systems.
Next, we conduct a baseline assessment of your organization’s current infrastructure against the CMMC requirements and identify the areas for improvement. Contact us to see if we can help you mount the CMMC audit summit and download our eBook to learn more about CMMC.