The role of internal audit in CMMC

In November 2021, the U.S. Department of Defense (DOD) announced changes to the Cybersecurity Maturity Model Certification (CMMC), branded as CMMC 2.0. Many of the requirements remain the same; however, we urge you to refer to our detailed overview highlighting five key changes of CMMC 2.0 and their impact on your organization. Since then, further progress in the rulemaking indicates that the DOD intends to move forward with CMMC, and DOD contractors and their internal audit teams need to ensure they are prepared for this new requirement. Before moving toward a CMMC assessment, organizations should strongly consider employing their internal audit function for assurance of their CMMC readiness. And, with the requirement that a senior official affirm continuing compliance, internal audit can play an important role each year after certification is earned.

Because of its independent and objective assurance role, internal audit is positioned to assess whether an organization is taking the steps necessary to appropriately safeguard the DOD’s data at the CMMC maturity level that will soon be required to compete and win certain DOD contracts.

Contractors that only have access to federal contract information (FCI) and do not foresee pursuing contracts involving any data beyond FCI need only meet and maintain the 17 practice requirements of CMMC Level 1, which map directly to the existing Federal Acquisition Regulation (FAR) 52.204-21 requirements. Contractors already working with controlled unclassified information (CUI), or that would like to do so in the future, must put into place the 110 practices required by CMMC Level 2.

Understanding where FCI and CUI data exist in your environment is an important first step to determine the level and scope that needs to be covered by your CMMC. This is where the organization’s internal audit function or an objective third party can help to confirm and/or recommend how management sets the boundaries on where FCI and CUI exist within the organization’s environment. Limiting the scope whittles down where robust CMMC-required practices must be applied, which could speed up the CMMC readiness process.

Internal audit may want to support management’s CMMC readiness efforts by using a phased approach. The following describes a suggested scope and phasing strategy. (Note: The approach below applies to organizations seeking CMMC Level 2 certification):

Phase one

Once management begins to feel confident that the FCI and CUI are appropriately covered by the scope they intend to have certified, it is time to consider involving internal audit with the following:

Governance

Like other initiatives, CMMC requires the right engagement from senior leaders to drive the process maturity required to comply with CMMC Level 2 and above.

  • Understand how the organization has managed its CMMC readiness efforts and whether the right focus, attention and resources are in place.
  • Confirm the active participation in the readiness effort of all key functions that will be impacted by CMMC.

Scope and level verification

The scope that you intend to have certified should align to and follow where FCI and CUI are stored, processed and transmitted.

  • Validate the appropriateness of the CMMC level and scope that the organization intends to have certified; understand whether a data enclave or otherwise segmented scope should be employed because CUI is only stored in a portion of the company’s systems and doing so is more time- or cost-efficient.
  • Inquire about and review supporting information, such as the commercial and government entity (CAGE) codes the organization used in its prior National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” self-assessments or other reviews, to ensure the company can clearly articulate the scope it intends to have certified and how that scope relates to the broader organization.
  • Review and provide feedback related to the level of CMMC compliance needed or desired.
  • Review the organization’s processes and supporting evidence for its representation that FCI and CUI exist only within the environment defined as the CMMC scope.

FCI/CUI tracking and inventory

Incomplete understanding of where FCI and CUI exist could result in a certification that does not adequately address contractual requirements.

  • Understand where FCI and CUI exist within the organization’s environment and whether policies, procedures and processes are in place to track and monitor that data and ensure it is not stored out of scope; gaps in this understanding surface later as scope problems during the assessment.
  • Conduct inquiry of operations, product management, project/customer-facing/contract teams and/or service delivery leads to validate where FCI and CUI exist, and compare those results to the known inventory.
  • Provide recommendations to improve current FCI and CUI tracking and monitoring practices.

Phase two

When internal audit and management are comfortable with the scope, the organization should focus on performing a gap assessment against the 110 practices required for CMMC Level 2. It should also confirm that business processes are ready to handle changes that might result from CMMC.

Gap assessment

Keep in mind that all 110 of CMMC Level 2's practice requirements are derived from NIST SP 800-171. A self-assessment against that same standard is already required under the DFARS 252.204-7019 and 252.204-7020 clauses, so prior self-assessment results are a natural starting point for the gap assessment.

  • Review mapping of existing controls to the CMMC model and identify any gaps.
  • Review available evidence in support of the 110 practices and test whether the practices are designed and operating effectively; where issues are identified, provide recommendations for remediating the gaps.
  • Compare those gaps with the self-assessment score management has reported under the requirements of DFARS 252.204-7019 and 252.204-7020, and reconcile any differences.
  • CMMC will require contractors to communicate a unique identifier that represents the system used to perform on the contract. This constitutes a statement to the government that, if inaccurate, could expose the contractor to liability under the False Claims Act. The company should therefore be confident that CUI stays within the boundary of the systems that are certified.

Supply chain

CMMC requirements also extend to an organization’s subcontractors.

  • Understand the organization’s efforts to risk rank subcontractors and teaming partners by those that would cause the greatest concern if they fail to achieve CMMC.
  • Evaluate management’s efforts to determine and monitor subcontractors’ progress and readiness to meet CMMC requirements.
  • Review the organization’s readiness to monitor the existence of CMMC-related clauses and flow down those requirements.

Bid and proposal

CMMC will affect how an organization responds to a request for information (RFI) or request for proposal (RFP).

  • Assess the organization’s plans to respond and address RFI and RFP requirements pertaining to CMMC.
  • Ascertain implications of CMMC on the bid and proposal process, including how to:
  1. Determine whether the project scope and/or proposed solution (i.e., the content of an RFP submission) aligns with the current CMMC scope; if it doesn't, the organization may need to adjust its CMMC scope and get recertified and/or change the proposed solution to better align with the environment that has already been certified
  2. Estimate and include costs related to CMMC
  3. Ensure protocols are in place to effectively team with prime contractors and subcontractors that have met the required CMMC level to win the contract
  • Document results and any recommendations for enhancing the bid and proposal process to meet CMMC expectations.

Phase three

Once the organization has a solid understanding of where it stands in regard to its practices and business processes, internal audit can review and provide feedback in a real-time fashion on the remediation plan.

Remediation

(Based on the results of the initial gap assessment)

  • Review and provide feedback on management’s plan to close existing gaps
  • Provide advice and feedback to encourage management’s efforts to formalize processes and controls and make them habitual and systematized
  • Make independent assessments and provide assurance to executives and the governing board related to the organization’s CMMC compliance efforts

Phase four (ongoing)

Finally, the organization should remember that after it achieves its desired level of CMMC maturity, it must work to stay there, which is where the objective perspective of internal audit or a third party could be of continuing help. As stated above, the CMMC rule will require a senior official from the organization to affirm continued compliance annually after certification. This requirement is similar to the Section 302 certification of internal controls over financial reporting that a CFO and other executives must provide under Sarbanes-Oxley. Just as internal audit frequently does for the Section 302 requirement, it could provide comfort to that senior official and the rest of executive management that the organization is maintaining compliance with CMMC requirements.

Continuous monitoring

As organizations change and grow, so does their technology, and those changes can affect their CMMC status.

  • Act as (or assist in identifying) the responsible party to monitor and maintain the CMMC practice requirements through a regime of regular testing; for example, establish a rotational program where a portion of the 110 practices of Level 2 are assessed during the year to provide confidence that the required practices remain in place and/or detect issues early
  • Assist management as they consider or endeavor to reach the next CMMC level
  • Provide feedback on solicitations and proposals where the scope might not ideally align to the scope from the CMMC certification
  • Address CMMC-related risks in teaming or joint business offerings or with subcontractors as risks arise

Regardless of what avenue the organization takes in preparing for CMMC, management should understand that as CMMC presents a key risk, government contractors should expect to engage internal audit or some other objective oversight function in obtaining and maintaining CMMC compliance. Internal audit should be ready by either developing or engaging a strong capability related to CMMC so it can provide effective support as outlined above or similarly. If the organization fails to achieve the required CMMC level on its first try, it may need to go to the back of the line to get a second assessment, delaying the possibility of being awarded certain contracts. On the other hand, if the organization makes effective use of its available objective resources and achieves CMMC early, it will have an advantage over competitors and may even win additional work.

However the organization decides to prepare, it should not underestimate the weight of the CMMC assessment and, if it needs to work with a third party, the organization should make sure that third party has experience with not only cybersecurity, but also government contracting, and most helpfully with CMMC directly. Knowing the CMMC rules and regulations as well as the broader business implications of government contracting can help avoid unnecessary risk and expensive delays.

Matt Gilbert
Principal