There are several different types of cybersecurity assessments. For CMMC, there are at least two assessments that an organization will need to undergo: a basic readiness assessment and a certification assessment from a Certified Third-Party Assessor Organization (C3PAO). Basic readiness assessments are the initial evaluation a contractor performs to comply with the DFARS Interim Rule and to begin the remediation process.
A cybersecurity assessment looks at your company’s cybersecurity controls and vulnerability mitigation capabilities. Assessments include testing an organization’s readiness against known and newly discovered vulnerabilities, as well as its business processes. Overall, security assessments help track flaws in systems, applications, and networks, help implement defensive controls, and keep policies up to date.
How to Get a CMMC Readiness Assessment
There are two main methods to perform a readiness assessment, the first being self-assessment tools such as spreadsheets or web apps. Be careful to thoroughly research web apps that store your information, since data held online is more exposed to attack. CMMC self-assessment web apps must be FIPS compliant.
Completing a self-assessment without a knowledgeable cybersecurity professional may be less expensive in the short run, but it is likely to take considerably more time to complete and to be less accurate.
Assessments by a Cybersecurity Service Provider
Contractors may also request a more thorough and accurate assessment performed by a cybersecurity service provider. This process may require a few hours of meeting with a designated employee over a few days so that the cybersecurity professional performing the assessment has access to the necessary system information.
The cost of assessments may range from $5,000 to $50,000 depending on the company’s size and scope. While paying for an assessment costs more in the short term, it saves contractors work hours and is a sound choice when an accurate score is needed quickly to maintain contract eligibility.
Different contracts require different levels of confidence that a company can safeguard the controlled unclassified information (CUI) they create, store, or transmit. To ensure this confidence, the DoD issued a regulation in 2020 that requires contractors to submit a score attesting to their compliance with NIST SP 800-171 cybersecurity requirements (the basis for CMMC requirements).
The DFARS Interim Rule requires existing or prospective contractors to submit their current basic assessment compliance score into the Supplier Performance Risk System (SPRS). Because of the requirement, many also refer to these scores as “NIST scores” or “SPRS scores.”
Levels of Readiness Assessments
Basic assessments are sufficient for most contractors’ information systems with regard to the Interim Rule requirement. However, under certain circumstances the DoD requires other types of assessments to gain confidence in a contractor’s security status: medium or high assessments.
- Basic – A contractor self-assessment. Because the score is self-generated, the resulting score carries a confidence level of ‘Low’. Summary-level scores should be documented in the SPRS system.
- Medium – DoD personnel can conduct a medium-level assessment by reviewing plan descriptions to determine how well they meet NIST SP 800-171 requirements. It employs Section 6 of the Assessment Methodology and yields a “medium” level of confidence.
- High – DoD personnel can also conduct the highest-level assessment, either onsite at the contractor’s physical location or virtually. Section 6 and Annex B are used in both virtual and onsite assessments.
These assessment types are found in the DoD’s assessment methodology.
What Is A Gap Analysis?
Besides compliance scores, another result of assessing your compliance is a gap analysis. A gap analysis identifies an organization’s gaps in compliance and advises it on how to remediate each control successfully. As opposed to a risk assessment, which tends to be forward-looking, a gap analysis examines the current state. The results of a gap analysis can be used as an action plan or roadmap for remediation.
A gap analysis is performed after a self-assessment or a basic assessment, whichever comes first. Some self-assessment tools available on the market provide a gap analysis along with the assessment results.