Proposed CMMC 2.0 Rulemaking Highlights for Defense Industrial Base Members
Simplifying What the New CMMC Rule Means for You
The Cybersecurity Maturity Model Certification (CMMC) program was initially launched in September 2020, and in November 2021 the DoD published advance notice that revisions to the rule were coming. A little more than two years later, the proposed rule for CMMC 2.0 was published on December 26, 2023, with a 60-day comment period. Much can change between now and completion of the final rule, but we feel it is unlikely that requirements that have remained unchanged between CMMC 1.0 and 2.0 will be affected by the review period, and that includes many of the core concepts.
The focus of this briefing is to share with companies in the defense industrial base (DIB) what the newly proposed CMMC rule includes regarding compliance with CMMC Levels 1 and 2, highlighting what is primarily unchanged from CMMC 1.0 along with what is new. We also discuss what the new rule says about using third-party services companies to support compliance, what is new with respect to handling operational technology (OT) in a DIB member’s environment, and finally new developments affecting OSAs looking to participate in Joint Surveillance Voluntary Assessments (JSVAs) with a qualified C3PAO and DIBCAC. Beyond these topics, there is also much to discuss regarding implications for assessors, instructors, consultants and even the Cyber AB, but we will save a discussion of those elements for another time, as our top priority is to help companies that must comply understand what the proposed rule means for them.
After highlighting changes for compliance with Levels 1 and 2, we will discuss how we expect these changes will impact the compliance journey of Organizations Seeking Assessment (OSAs), especially OSAs seeking a Level 2 Certification Assessment.
What we knew
CMMC is still a regulation with three levels. Level 1 outlines requirements for companies that only have Federal Contract Information (FCI) in their possession. Self-attestation of compliance with Level 1 requirements is still sufficient, and compliance scores are still expected to be updated annually in the DoD’s Supplier Performance Risk System (SPRS). The proposed rule estimates that 139,201 companies will be required to complete Level 1 self-assessments in accordance with the NIST 800-171A guidance.
While self-attestation with Level 1 is not new, there is a new requirement that “a senior official from the prime contractor and any applicable subcontractor will be required to annually affirm continuing compliance with the specified security requirements. Affirmations are entered electronically into SPRS.”
There is no specific guidance on how primes and subcontractors should go about completing these affirmations or what is sufficient in terms of due diligence, but given that many prime contractors have hundreds to thousands of subcontractors, this will significantly increase the burden on those companies. At the same time, it is also in line with the requirements of DFARS 252.204-7024, which was published March 22, 2023, and made effective immediately. DFARS 7024 “requires contracting officers to consider SPRS risk assessments, if available, in the evaluation of a supplier’s quotation or offer and consider SPRS supplier risk assessments.”
The language in the proposed CMMC rule reinforces this requirement. We have heard from many SMBs that have been concerned that historically, contracting decisions were made on price alone, and that if they were a first mover on full compliance with cybersecurity investments, they could not afford to be competitive in their bidding process. If confirmation of adequate security becomes a requirement for selection of contractors and the associated costs are factored into all competitive bids, the delta in pricing between proposals for work shouldn’t be associated with cybersecurity costs.
CMMC Level 2
What we knew
CMMC Level 2 addresses requirements for companies with Controlled Unclassified Information (CUI) in their environment. CMMC Level 2 aligns with the NIST 800-171 Rev 2 framework such that companies in possession of CUI must comply with all the control requirements of NIST 800-171 Rev 2.
While DIB members have waited for CMMC to take effect, compliance with DFARS 252.204-7012, also known as DFARS 7012, has been a requirement since 2017. Specifically, DFARS 7012 requires DIB members to comply with the requirements of NIST 800-171 Rev 2. CMMC Level 2 is also aligned with NIST 800-171 Rev 2, but CMMC requires third-party assessments of compliance with the regulation, whereas DFARS 7012 requires self-attestation and self-reported scores that have not been consistently verified by either the DoD or by third-party assessors.
To comply with CMMC, third-party assessments must be conducted every three years by a qualified third-party assessment organization, a C3PAO, which will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which in turn electronically transmits the assessment results into SPRS for the OSA. Following the third-party certification, self-assessments must be performed annually to address changes in compliance, and the OSA must update their scores in SPRS accordingly.
What’s new for Level 2
A small percentage of companies with CUI in their environment might qualify for self-attestation of their compliance with Level 2. Specifically, it is anticipated that 4,000 companies will be eligible for self-assessment while 76,598 are expected to be subject to third-party assessments by qualified C3PAOs. Whether a company is eligible for a Level 2 self-assessment will be stated in DoD program contracts. Accordingly, we anticipate that companies with multiple contracts are likely to require an assessment even if one contract allows for self-assessment.
Another difference between CMMC 1.0 and CMMC 2.0 is that selected security requirements are eligible for a Plan of Action and Milestones (POAM) that must be closed within 180 days of assessment. While this was expected to be part of the proposed rule, § 170.21 gives specific guidance on which controls are eligible for a POAM during an assessment (and, implicitly, a clear understanding of which controls are not eligible):
“An OSA is only permitted to have a POA&M for CMMC Level 2 if all the following conditions are met:
- The assessment score divided by the total number of security requirements is greater than or equal to 0.8;
- None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if it has a value of 1 or 3; and
- None of the following security requirements are included in the POA&M:
(A) AC.L2-3.1.20 External Connections (CUI Data).
(B) AC.L2-3.1.22 Control Public Information (CUI Data).
(C) PE.L2-3.10.3 Escort Visitors (CUI Data).
(D) PE.L2-3.10.4 Physical Access Logs (CUI Data).
(E) PE.L2-3.10.5 Manage Physical Access (CUI Data)”
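To make the § 170.21 conditions concrete, here is an added Python example (not from the proposed rule or from Coalfire Federal) that decides whether a set of NOT MET findings is POA&M-eligible and computes the 180-day closeout date. It assumes the assessment score is the 110-requirement total minus the point values of unmet requirements, as in the DoD assessment methodology that § 170.24 references; the sample findings and their point values are constructed for illustration.

```python
from datetime import date, timedelta

# Requirements the proposed rule (§ 170.21) never allows on a Level 2 POA&M.
NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev 2 requirement count (a "perfect score of 110")
POAM_CLOSEOUT_DAYS = 180   # POA&M items must be closed within 180 days of assessment


def assessment_score(unmet, total=TOTAL_REQUIREMENTS):
    """Assumed scoring: start at the total and subtract the point value of each
    NOT MET requirement (the DoD assessment methodology referenced by § 170.24)."""
    return total - sum(points for _, points in unmet)


def poam_eligible(unmet, total=TOTAL_REQUIREMENTS):
    """unmet: list of (requirement_id, point_value) for requirements scored NOT MET.
    Applies the three § 170.21 conditions and returns (eligible, list_of_reasons)."""
    reasons = []
    score = assessment_score(unmet, total)
    # Condition 1: score / total >= 0.8 (compared with integers to avoid float rounding).
    if score * 10 < total * 8:
        reasons.append(f"score {score}/{total} is below the 0.8 floor")
    for req_id, points in unmet:
        # Condition 3: the five listed requirements can never be on a POA&M.
        if req_id in NEVER_POAM:
            reasons.append(f"{req_id} may never be placed on a POA&M")
        # Condition 2 exception: CUI Encryption is allowed only at a value of 1 or 3.
        elif req_id == "SC.L2-3.13.11":
            if points not in (1, 3):
                reasons.append(f"{req_id} at value {points} is not eligible (only 1 or 3)")
        # Condition 2: everything else must carry a point value of 1.
        elif points > 1:
            reasons.append(f"{req_id} has point value {points} (> 1)")
    return (not reasons, reasons)


def poam_deadline(assessment_date):
    """Last day to close out POA&M items for an assessment completed on assessment_date."""
    return assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample findings; the point values are assumptions for illustration.
SAMPLE_OK = [("AC.L2-3.1.9", 1), ("SC.L2-3.13.11", 3), ("SI.L2-3.14.7", 1)]
SAMPLE_BAD = [("AC.L2-3.1.20", 1), ("IA.L2-3.5.3", 5), ("SC.L2-3.13.11", 5)]
```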
A third new requirement for CMMC Level 2 in the proposed rule, consistent with requirements for companies that must comply with Level 1, is that “a senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POAM closeout and annually thereafter.” Again, we anticipate that this added requirement may have the effect of reducing contract bid variability based on differences in investment levels in cybersecurity if implementation of a baseline of effective controls is required of all contractors.
Other Elements of the CMMC Ruling That Impact OSAs
Before we jump into what the new rule means for OSAs and how they should prepare, there are a couple of additional sections of the new rule that will impact how OSAs approach preparations: new information regarding the role of third-party managed services companies, how to manage OT in a covered environment, and additional information about the JSVA program.
As noted above, the 234-page document also covers a lot of details regarding how the rule will impact the entire ecosystem including how instructors, assessors, C3PAOs, prime contractors, the Cyber AB and the DoD will play parts in CMMC’s success, but we are not covering those topics in this briefing.
Third Party Managed Services Companies
In consideration of third-party tools and vendors that are compliant with CMMC regulations, the ruling notes that the OSA may “use a Federal Risk and Authorization Management Program (FedRAMP) Moderate (or higher) cloud environment to process, store, or transmit CUI in execution of a contract or subcontract with a requirement for CMMC Level 2 under the following circumstances:
- The Cloud Service Provider’s (CSP) product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
- The Cloud Service Provider’s (CSP) product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline.
- In accordance with § 170.19, the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.”
New language is included in the ruling to cover the meaning of equivalency. “Equivalency is met if the OSA has the CSP’s System Security Plan (SSP) or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix (CRM) that summarizes how each control is MET and which party is responsible for maintaining that control that maps to the NIST SP 800–171 Rev 2 requirements.”
Similarly, the regulation also states that “If an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking.” This answers a big question that many OSAs have been asking: your external service provider needs to be at least as secure as you are, and this appears to remove the possible burden of expecting all ESPs to be FedRAMP compliant.
Specialized Assets, which are assets that can process, store, or transmit CUI but are unable to be fully secured, including Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices and Operational Technology (OT), are to be documented in the OSA’s System Security Plan, but CMMC assessors are not expected to assess them against the CMMC controls.
However, when a CMMC Level 2 Certification Assessment is performed as a precursor to a CMMC Level 3 Certification Assessment, the IoT and OT (and all other Specialized Assets) should be assessed against all CMMC Level 2 security requirements as described in § 170.18(a)(1). “For CMMC Level 3, an OSC’s IoT or OT located within its CMMC Assessment Scope are assessed against all CMMC security requirements unless they are physically or logically isolated”.
We find this to be in line with the asset categorization but possibly a bit surprising given that OT can expose other assets to vulnerabilities if compensating controls are not effectively implemented.
Joint Surveillance Voluntary Assessment Program
The JSVA program is the program in place for companies that wish to put a stake in the ground as early adopters of CMMC. Effectively, an authorized C3PAO works with the DIBCAC team to perform an assessment equivalent to a DIBCAC High NIST 800-171 assessment. It was expected that companies that engage in this program to get assessed early would be rewarded by having their ‘CMMC Certified for three years’ clock begin to count down at the point where the CMMC rule takes effect.
However, new qualifications are being imposed. Specifically, an OSC must achieve a perfect score of 110 without any open POAMs to be eligible for conversion to CMMC certification. Further, the time until the next third-party assessment is due begins at the point of completion of the JSVA engagement/DIBCAC High assessment. These two additional qualifications were unexpected.
What Do Changes to CMMC Mean for OSAs?
Now that we have covered the highlights from the newly proposed regulation, what does this mean for OSAs and how do you prepare for an assessment? The Coalfire Federal team has been helping companies prepare for NIST 800-171 and CMMC compliance for years. Our team has analyzed the proposed CMMC ruling in depth and considered how we would change the advisory services we offer to companies looking to achieve compliance. There isn’t a great deal that would change in our advice to clients looking to prepare.
Step one is to designate one or more champions of the program. One of the biggest mistakes we have seen to date is having the wrong people in charge of ensuring CMMC compliance. Having a professional project manager or a member of your contracts/legal team in charge will likely result in frustration for all parties, because a certain level of understanding of the cybersecurity requirements is necessary to digest and implement the advice that our team can provide toward meeting compliance requirements. The former clients that have met with the greatest success designated a point person who was primarily a cybersecurity professional, who also had good project management skills and could delegate to personnel in other parts of the organization where possible.
Once you have the right people in place to manage your compliance efforts, the next step is to go through an exercise to understand where all your FCI and CUI lives in your environment, including identification of any assets that could but are not intended to process FCI and CUI, as well as identifying how that data is shared and managed by third-party vendors. For companies that Coalfire Federal assists, this is the first step we go through in the gap analysis. It is a critical step to ensuring that the controls put in place are effective and that no holes are left in your system security plan. It also helps you potentially reduce your overall footprint. For example, it is not unusual for our clients to determine that they can reduce the places where data is stored or the number of people who need to access CUI, which reduces the overall cost of compliance in the end.
Once an FCI/CUI boundary is established through a proper scoping exercise and all the appropriate assets are effectively documented, you can begin the process of analyzing your compliance against each of the controls and sub-controls. The newly proposed CMMC rule provides new guidance on the treatment of OT and External Service Providers and on which controls are eligible for POAMs, which should be factored into preparations, but little else affects how OSAs should prepare for an assessment. The heavy lifting is still understanding what data exists in your organization, what assets and people touch that information, and what steps your organization takes toward preparing for an assessment.
Another bit of advice we always give to our clients is to make sure you ask questions of the contractors higher up the supply chain that flow down the requirements to you. Former clients have met with success in reducing their burden simply by having open and honest communications.
[Figure: CMMC Rulemaking Timeline / CMMC Release Date]
As the CMMC landscape evolves with the proposed 2.0 rule, ensuring your organization is on the right track for certification is crucial. Coalfire Federal, with years of expertise in guiding companies through NIST 800-171 and CMMC compliance, stands ready to assist you.
Why Choose Coalfire Federal?
- Proven Track Record: Our team has a successful history of helping organizations like yours achieve and maintain compliance.
- In-Depth Analysis: We’ve thoroughly examined the proposed CMMC 2.0 rule, adapting our advisory services to provide the most relevant guidance for your compliance journey.
- Dedicated Champions: Designate a cybersecurity professional with project management skills to lead your compliance efforts, ensuring effective communication and implementation.