The Value of Using RPO in Cybersecurity Compliance
The Department of Defense and its network of 300,000 contractors, also known as the Defense Industrial Base (DIB), are attractive targets for hackers, malicious nation states, and other advanced cybersecurity threats as those threats continue to evolve.
To secure its extensive supply chain, DoD this year announced that contractors will no longer be permitted to self-attest to their cybersecurity compliance. Instead, DoD will require an accredited third party to certify contractors at one of five levels of cybersecurity compliance.
Certification is Mandatory for Contract Work
The new Cybersecurity Maturity Model Certification (CMMC) was launched in January 2020 to better protect sensitive data housed in defense contractors’ information systems. The new model is complex, encompassing 17 domains, 171 practices, and 43 capabilities across five certification levels, which range from Basic Cyber Hygiene to Advanced/Progressive Cybersecurity. A variety of regulatory agencies’ requirements must be met at each level.
By year-end 2020, certain DoD Requests for Proposals (RFPs) will require all bidding contractors to meet Basic certification. This will be followed closely by a phased implementation plan in which certification—at the appropriate level for the individual organization—is mandatory in order to bid on any DoD contract.
Complexity and Urgency are Key Factors
One of the earliest actions taken by the DoD in preparing for the seismic shift from contractor self-attestation to third-party certification was establishing the Registered Provider Organization (RPO) program.
Registered Provider Organizations are authorized to assist contractors in preparing for their new certification and CMMC compliance. The initial call for qualified candidates went out earlier this year, and in recent months the Accreditation Body for CMMC has been evaluating applicants for RPO status.
Given the complexity of the new CMMC standard and the accelerated timeline for implementation, the vast majority of defense contractors will require expert assistance in meeting all CMMC requirements. To provide that assistance, the first RPOs were accredited in December 2020.
The CMMC Accreditation Body authorizes RPOs to represent themselves as familiar with the basic constructs of the CMMC standard, to provide CMMC consulting services, to list in the CMMC marketplace, and to display the official logo. RPOs must also train and maintain Registered Practitioners within their organizations and abide by the Code of Professional Conduct.
24By7Security was among the first cybersecurity firms to earn RPO status, having successfully developed a CMMC Readiness Service to thoroughly prepare contractors for the certification audit. The audit, or CMMC assessment, is mandatory to ensure a contractor meets all requirements before being awarded certification by the CMMC Accreditation Body.
CMMC Readiness Service
When the CMMC program was released in January, the 24By7Security team began studying every aspect of the standard, gaining important expertise in the five certification levels and their multilayered requirements.
“Our goal was to develop a CMMC Readiness Service that would successfully prepare DoD contractors for compliance and certification,” said Rema Deo, CEO and Managing Director of 24By7Security. “This was by far the most comprehensive readiness program we have ever created, and the research and development effort was exhaustive.”
With an accelerated CMMC rollout schedule affecting 300,000 defense contractors, time was of the essence.
Exhaustive Development Work Invested
As part of an intense three months of development work, 24By7Security evaluated how best to implement 17 essential practices from the FAR 48 CFR 52.204-21. This part of the Code of Federal Regulations specifies the Basic Safeguarding of Covered Contractor Information Systems, which are owned or operated by contractors to process, store, or transmit Federal contract information. This standard is the basis for CMMC Level 1 certification.
Level 2 development required 24By7Security staff to become thoroughly knowledgeable about an additional 55 practices, most based on the NIST SP 800-171 standard. Staff also became completely familiar with an additional 58 practices for Level 3 certification, 26 more for Level 4, and 15 additional practices required for certification at CMMC Level 5. The requirements at each level are cumulative. Extensive notes were taken throughout each analytical step, and knowledge was routinely shared in the team’s R&D meetings.
Once the extensive requirements of CMMC had been thoroughly researched, understood, and documented, the team was able to develop a four-phase, ten-step plan for preparing contractors for certification. The 24By7Security plan, branded CMMC Readiness Service, was carefully designed to avoid waste and error and to be completed in a reasonable timeframe.
Ten Steps in Four Phases
The four phases of the CMMC Readiness Service developed by 24By7Security are gap assessment, remediation, audit and certification, and ongoing optimization.
The ten steps of the certification readiness process begin with identifying a contractor’s appropriate level of cybersecurity certification within the new model. This includes documenting their current cybersecurity state, as well as documenting the gaps between their current state and their optimum cybersecurity level.
Subsequent steps include preparing a comprehensive plan to address the identified gaps, and executing the plan to remediate those gaps.
Once remediation is complete, a Certified Third Party Assessor Organization is identified and scheduled to conduct the audit and certify the contractor.
Other steps entail preparing the required volumes of policies and procedures, and performing vulnerability assessments, penetration testing, and similar services to test the contractor’s procedures and cybersecurity protections against the new CMMC requirements.
Recognizing the complexity of the certification model and variety of regulatory requirements in play, 24By7Security developed a proprietary programmatic tool that accounts for all elements required by the complex model. This tool enables the CMMC Readiness Service to be performed consistently and thoroughly, and thereby helps contractors to achieve certification readiness very efficiently.
To ensure that the proper level of cybersecurity is maintained by contractors seeking and achieving certification, the tenth and final step of the CMMC Readiness Service involves monitoring contractor security controls and optimizing them throughout the certification’s three-year lifespan. In this way, contractors will be able to maintain compliant defense contractor status and successfully renew their certification.
Immediate Assistance Now Available to DoD Contractors
The intensive planning, research, and development initiative completed by the 24By7Security team enabled the CMMC Readiness Service to be launched earlier this year, in April 2020, for the benefit of contractors desiring to be leaders in CMMC compliance.
24By7Security has unmatched experience in developing security frameworks that enable organizations to meet and maintain cybersecurity compliance requirements. The CMMC Readiness Service is an outstanding example of such a framework. As a respected cybersecurity firm with dozens of certifications and multiple industry and professional awards, 24By7Security has conducted more than 1,000 security assessments against a variety of regulatory requirements.
“We are proud to be named a Registered Provider Organization in this inaugural year, with the CMMC Accreditation Body’s validation of our experience and expertise,” said Sanjay Deo, President and Founder of 24By7Security, Inc. “We are fully equipped, and now fully authorized, to assist defense contractors in successfully preparing to pass the required CMMC assessment.”
Undergoing CMMC Assessment
In addition to selecting qualified candidates to serve as Registered Provider Organizations (RPOs), the CMMC Accreditation Body is in the process of identifying Certified Third Party Assessor Organizations (C3PAOs), which will be authorized to audit and certify DoD contractors against the CMMC requirements. Only a Certified Assessor organization employing individuals who are Certified Professionals may conduct a CMMC audit.
Once identified and authorized by the CMMC Accreditation Body, a third-party assessor is able to connect with organizations seeking certification, schedule the required assessment, and conduct the assessment through Certified Assessor-led teams.
As a Registered Provider Organization, 24By7Security is able to assist contractors in locating authorized C3PAOs when they are ready to be audited.
Recognizing the severe effects of potential hacks into government information systems, in January of 2020 the Department of Defense announced that the current cybersecurity self-attestation protocol, essentially an honor system, would be replaced with a formal framework of cybersecurity requirements for DoD contractors. The complex new framework offers five levels of certification against a variety of regulatory requirements and standards.
The CMMC Accreditation Body is assisting contractors by authorizing Registered Provider Organizations and Certified Third Party Assessor Organizations to work with contractors to prepare for certification. Registered Provider Organizations can assist contractors in achieving compliance with the CMMC requirements before they undergo the CMMC assessment, which will result in contractor certification if completed successfully.
Defense contractors may begin their compliance work immediately with 24By7Security, which has been named a Registered Provider Organization.