DFARS & CMMC: Internal vs. External Cyber Reviews

Compliance with DFARS and CMMC is essential for any contractor or subcontractor hoping to work with the DoD. But compliance is not a one-and-done proposition. You will need to renew your CMMC certification every three years, as well as annually self-affirming your compliance. Maintaining compliance beyond certification requires effort and commitment. To ensure your efforts are keeping you compliant, you will need to perform periodic reviews, which can be conducted either internally within your own organization or led by an external third-party, and there are benefits and drawbacks to each.

Internal Reviews

Internal reviews are performed by employees of your organization. The reviewers should have some knowledge of the systems and processes they are reviewing. Ideally, they will be independent of the departments or groups being reviewed, although not all businesses—particularly small and medium-sized companies—have the resources to support an internal, independent review team.

In any case, you should approach an internal review as you would an external one. Before starting, plan your approach and identify the participants, the systems to be reviewed, and the scope of the review. The reviewers must strive to be objective while performing their work, adopting the point of view of the DoD. Upon completion, a report should be issued, indicating which requirements continue to be met and identifying any gaps or vulnerabilities, which then need to be addressed in a plan of action.

Benefits of internal reviews:

• Cost is lower, as you are making use of your own people and resources, so you can review more frequently, and you can be flexible as to the schedule and scope.
• Internal reviewers will have greater understanding of your systems and business processes, which can expedite the review.
• Internal reviewers proactively identify gaps and vulnerabilities so you can address them on an ongoing basis, rather than waiting until you are ready for recertification.
• Periodic internal reviews demonstrate your commitment to cybersecurity and ongoing compliance and helps you build a culture of security and compliance within your organization.

Drawbacks of internal reviews:

• Because of their familiarity with the systems being reviewed, internal reviewers need to guard against bias, lack of objectivity, and the tendency to overlook deficiencies.
• Not all organizations have the resources or regulatory expertise to conduct comprehensive reviews; reviewers must ensure they truly understand the requirements and the documentation needed to support their findings.
• Internal reviews alone cannot prove compliance; nevertheless, it can be a valuable tool to help you prepare for formal assessment.

External Assessments and Reviews

External assessments and reviews (or mock assessments) are performed by professional assessors outside of your organization. These assessors will not be as familiar with your systems as your own employees are, but they provide valuable expertise and knowledge of the regulatory requirements being assessed.

When engaging an external assessor, look for an authorized C3PAO or RPO with CMMC Certified Assessors (CCAs) and confirm they are listed in the Cyber AB Marketplace. If you are ready for recertification, you will need to engage a C3PAO who has not previously performed consulting services for you. If you are looking for a consultant to perform a review that will help you prepare for recertification, you can use a C3PAO or an RPO. Either way, you want an organization that has expertise with CMMC and NIST SP 800-171, and has performed assessments against those requirements. You should also review the credentials of the assessors and other professionals who will be working with you.

As with internal reviews, you can make the most of the engagement by planning ahead, clearly identifying the scope of the assessment, the systems involved, and the personnel who will work with the assessment team. During the assessment or review process, make sure your employees are available to cooperate with the assessors, answering questions or providing documentation or demonstrations as needed. The assessment team will provide a final report identifying met requirements and gaps, which you must address with a POA&M, including the date when you expect to bring each requirement into compliance.

Benefits of external reviews and assessments:

• CMMC Certified Assessors who work for C3PAOs or RPOs bring expertise your own personnel may lack, and ensure an impartial and objective review of your systems and security measures; this improves your likelihood of ongoing compliance.
• Conducting reviews with an external professional demonstrates your strong commitment to cybersecurity and may give you greater credibility with your customers and a competitive advantage when seeking contracts.
• External assessors will provide you with feedback on how your cybersecurity posture compares against industry standards, and you can use the review results as a benchmark for continuous improvement.
• Now that CMMC is in effect, external assessment will be imperative for formal recertification.

Drawbacks of external assessments and reviews:

• Cost is higher when engaging an external organization, but proactive internal and external reviews can actually help mitigate costs in the long run; other mitigation strategies include implementing continuous monitoring and improvement, aligning your business processes to FAR and DFARS requirements, careful research when choosing an assessor, and thorough preparation for the review.
• External assessments and reviews can require significant time commitment and disrupted business operations; careful planning can also help in this respect.
• External assessors will not be familiar with your systems and processes; you will want to make sure knowledgeable personnel from your own organization are closely involved in the process.
• Limited availability of C3PAOs and RPOs can cause bottlenecks and delay your certification, so the sooner you begin your search for a qualified provider, the better.

Which Type of Review Is Better?

The answer is both!

Since each type of review has its strengths and challenges, ideally you will make use of both types. Internal reviews can (and should) be done more frequently; and, if necessary, you can limit the scope of a review to a particular area of concern each time. However, CMMC will require an annual affirmation of compliance, so it is recommended you do a complete internal review at least once a year. The thoroughness and expertise of an external assessment or review is also necessary, especially when you are preparing for recertification. You will need an external assessment every three years at a minimum, but more frequent external reviews will also benefit you. The more frequently you conduct each type of review, the more confidence you can have in your cybersecurity posture and the greater likelihood of your maintaining compliance; although, of course, you need to balance these considerations against your available time and resources. By strategically implementing both review and assessment types, you can use the results of your internal reviews to ensure your systems are robust and compliant, positioning you for quick and efficient external reviews and assessments when needed.

CyberNINES can help you with both types of assessments. As an authorized C3PAO, we can perform external reviews and assessments, as well as offering tips and advice for how to best conduct your own internal reviews. Contact us and see how we can help.

Resources

• https://dodcio.defense.gov/CMMC/About/
• https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending
• https://cyberab.org/Member/C3PAO-1045-Cybernines-Llc
• https://info.cybernines.com/demystifying-cmmc-compliance-your-guide-to-cmmc-compliance
• https://blog.cybernines.com/a-defense-contractors-guide-to-cmmc-dfars-and-far-requirements
• https://blog.cybernines.com/maintaining-compliance-post-cmmc-certification
• https://blog.cybernines.com/compliance-isnt-optional-but-overspending-is.-heres-how-to-avoid-it