by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
This year’s official CMMC conference, CEIC East 2024, presented some great information that I want to share with you. The CMMC Ecosystem Implementation Conference provides an opportunity for newcomers and seasoned practitioners alike to expand their knowledge. The points I share below are those that stand out to me most as a Registered Practitioner who is actively helping clients achieve CMMC compliance.
QUICK ANSWER:
What do you need to know about this year’s CMMC conference?
CMMC requirements will start appearing in RFPs in December. Even though CMMC Level 2 has 110 controls to meet, there are actually 320 objectives that can be fairly involved to meet. Auditors will look for proof by talking to other employees and asking for demonstrations, and they will expect you to be able to show evidence related to your controls for up to six years. Carefully consider what information you will allow to be accessed from mobile devices and make sure you have policies and systems in place for them. Finally, MSPs are expected to be available for their clients’ audits and certain information can bring their ticketing systems in-scope.
December 2024 is go-live for CMMC requirements in RFPs
We will start seeing CMMC requirements appear in federal RFPs beginning December 16, 2024. Having the appropriate level of CMMC certification will be a condition of winning these contracts. Not all contracts will have these requirements immediately, but the window of time to get certified without losing out on contracts is narrowing quickly.
NIST 800-171 Rev. 2 is the baseline — for now
As CMMC begins to go into effect, NIST 800-171 Rev. 2 is what auditors will use to assess you. This is good, because Rev. 3 is harder to meet. If you are not already compliant with NIST 800-171 Rev. 2, it’s best to get busy.
If you’re already compliant with these standards, then we recommend you start working toward meeting Rev. 3. It will eventually become the standard for CMMC, so working toward it now will better prepare you for the future.
110 controls, but 320 objectives
A lot of emphasis was put on the fact that the 110 controls of CMMC Level 2 are actually made up of 320 objectives. So one control might have five objectives that you have to meet. Many of the objectives are related to monitoring. You have to be able to demonstrate that you are monitoring. But you also have to be able to show that you have set a baseline, or reference point, to measure against. And you have to be able to show evidence of how you set that baseline. As a result, even a control that looks fairly straightforward can require a decent amount of work.
Retain evidence of your compliance for six years
You will be expected to retain six years of evidence on your controls. It is not enough to show that you are in compliance at the time of assessment. You need to be able to show your compliance over time. It is not the auditor’s responsibility to track this data down; they’re really only responsible for the reports that they have to upload.
What to expect from auditors
Speaking of auditors, we gained further insight into what to expect from the audit process.
- Auditors need you to be believable. They won’t be performing network scans, but they need to be able to believe you and your documentation about the controls you have in place. So be reasonable about your claims. If you say that everyone does something—whether that they use multi-factor authentication, lock their computer when they walk away, escort visitors, or make sure that doors are secured—you had better be able to prove it.
- Auditors can ask your employees about your controls. It’s not enough for your CMMC implementation team to know about controls; affected employees also need to understand your new processes and how their work is impacted.
- Auditors can ask you to prove a control works via demonstration. Auditors want to be able to see that controls are more than words on paper, so they may ask you to demonstrate them in action. And yes, this applies to your employees, too.
Overall, this emphasizes the importance of complete documentation as well as clear communication and training for your employees. Thorough preparation is key to having confidence that anyone on your team can talk with an auditor about your CMMC controls.
Mobile device policies need attention
You must manage mobile devices that will transmit, store, or access FCI or CUI. You’ll need to enroll them in mobile device management (MDM) such as Microsoft Intune and configure policies for passcode complexity, auto-wipe after failed passcode entries, remote wipe, and app protection policies that prevent saves, screenshots, or clipboard access from protected apps. This applies even to something as simple as allowing people to check email from their phone.
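As an added example (not from the original post, and not an E-N Computers script), here is how the settings listed above map onto Intune policies created through Microsoft Graph from PowerShell. The policy display names, the minimum passcode length, the wipe threshold and the scope/group assignments are assumptions; adjust them to match your own System Security Plan before assigning the policies to any group.

```powershell
# Added example: create the Intune policies the passage describes via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK; names and thresholds below are assumptions.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Compliance policy: passcode complexity and inactivity lock for iOS/iPadOS.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "CUI - iOS compliance (assumed name)"
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 8            # assumed threshold
    passcodeRequiredType                  = "alphanumeric"
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    # At least one scheduled action is required; "block" marks the device
    # non-compliant immediately so Conditional Access can deny it access to CUI.
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliance

# 2. Device restriction profile: wipe after repeated failed passcode entries and
#    block screenshots at the OS level (screenshot blocking applies to supervised devices).
$restrictions = @{
    "@odata.type"                        = "#microsoft.graph.iosGeneralDeviceConfiguration"
    displayName                          = "CUI - iOS restrictions (assumed name)"
    passcodeSignInFailureCountBeforeWipe = 10           # assumed threshold
    screenCaptureBlocked                 = $true
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" -Body $restrictions

# 3. App protection policy: keep CUI inside managed apps such as Outlook.
#    No Save As, no clipboard or data transfer out to unmanaged apps, PIN to open.
$appProtection = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "CUI - iOS app protection (assumed name)"
    pinRequired                             = $true
    saveAsBlocked                           = $true
    printBlocked                            = $true
    dataBackupBlocked                       = $true
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $appProtection

# Remote wipe is an action, not a policy: POST $graph/deviceManagement/managedDevices/{id}/wipe
```

The three policies still need to be assigned to the group of enrolled devices and users that handle FCI or CUI; keeping the Graph responses (policy IDs and timestamps) alongside your SSP is one easy way to build the evidence trail the auditors will ask for.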
MSPs will be impacted in two big ways
Even though MSPs do not have to be CMMC certified, we are expected to be available for each client’s audit whether we are certified or not. This keeps the audit process moving because we’re on hand to answer questions, explain the controls in place, and provide demonstrations as requested by the auditor.
In addition, it doesn’t take much to bring an MSP ticketing system in scope: IP addresses and hostnames are enough. For DoD contractors, this means you’ll need documentation on who can access your MSP’s ticketing system, their status as US persons, and what controls are in place to make sure that only authorized users can access it. The alternative is making sure IP addresses and hostnames are not kept in or communicated through the ticketing system, which is impractical and probably more work.
Get ready with CMMC consulting from E-N Computers
E-N Computers is a Registered Practitioner Organization with three Registered Practitioners: Ian MacRae, Thomas Kinsinger, and Jonathan Lambert. We’re actively helping clients work toward CMMC compliance. We will provide the guidance you need to go from determining what is in scope, through implementation and documentation, and all the way to the finish line of a successful assessment. Find out today what you can expect from our ongoing CMMC consulting.