June 2, 2022 Update on CMMC
OSIbeyond’s Cybersecurity team have been diligently monitoring the latest Cybersecurity Maturity Model Certification (CMMC) development ever since the DoD announced the suspension of CMMC 1.0 and the release of CMMC 2.0 and now there are updates to the timeline for CMMC cybersecurity initiatives.
We have compiled a detailed timeline of the most recent developments over the last several months to bring you up to speed with where the CMMC program currently resides. Contact us at the end with any questions.
Stay up to date by joining our newsletter for our future updates on CMMC 2.0.
Updated Timeline for Cybersecurity Maturity Model Certification (CMMC)
- November 2021
- CMMC 2.0 model is introduced and is streamlined to three versus five levels
- Eliminates CMMC 1.0 Levels 2 and 4: Developed as transition levels and were never intended to be assessed against
- Retains three levels, directly linked to specific data types & existing regulations:
- Level 1 – for companies with FCI only that must protect it per FAR 52.204-21; this information requires protection but is not critical to national security
- Level 2 – for companies with CUI covered by the existing DFARS 252.204-7012/7019/7020 requirements
- Level 3 – for programs involving the most sensitive CUI, expected to be a very small subset of contractors.
- Provides allowance for temporary, limited POAM items, and an even more limited option for potential waiver of requirements.
- Requirements are near replicas of those in NIST SP 800-171 and NIST SP 800-172
- Eliminates all CMMC unique practices and maturity processes. However, the removal of these should not be taken to mean that the level of documentation required to support compliance has been meaningfully reduced!
- Level 3 will use a subset of NIST SP 800-172 requirements
- Introduction of bifurcation at Level 2/CUI:
- The intent was to have more critical/prioritized acquisitions require third party assessment, while all others may do a self-assessment.
- The criteria to decide how contracts may be bifurcated does not exist publicly, appears to be up to the discretion of DOD on a per-contract basis.
- CMMC 2.0 model is introduced and is streamlined to three versus five levels
- February 2022
- DOD CISO David McKeown stated in a town hall webinar that when DOD began to look at the bifurcation of contracts in more detail, it was difficult to see how any contractor with a multiple contract portfolio could self-assess, so it was likely all contractors would need to be third party assessed at Level 2/CUI. This statement effectively nullified the existing expectation that a significant percentage of contractors in possession of CUI would be able to self-assess for CMMC 2.0 Level 2.
- May 2022
- After the walk back of bifurcation & self-assessment, there remain glaring issues with the scale of the assessment ecosystem (C3PAO’s and Assessors)
- There are currently 14 authorized C3PAO’s, but DOD has not given final approval and necessary access to permit assessments to begin. This C3PAO count does not align well with the 80,000 to 300,000 companies that may require assessment.
- At an industry event, Stacy Bostjanick (Chief of Information and Policy, Office of the DOD CIO) provided some more info on CMMC rollout/rulemaking.
- To address the C3PAO capacity concern, it appears that when the new CMMC rule goes into effect, all contractors will be required to self-assess on new contracts effective immediately, with third party assessments ramping over time.
- The new self-assessment will be very different to the current SPRS self-assessment. Details are not final, but our expectation is that:
- Attestation must be by a C level or other executive in the organization.
- Attestation will be that the company is 100% compliant with CMMC.
- 180 Day POAM for items that have a 1 or 3 point 800-171 DODAM score will be permitted.
- No 5-point items may be in POAM.
- DOD is aware of possibility that companies will not follow up on their POAM’s.
- KO’s will be able to use their enforcement toolset (withholding of payment, stop work orders etc.) if timeline is not met.
- Details are murky but it seems like the SPRS system will be used for this. Instead of a simple score they will ask more detailed questions. Requiring contractors to provide a list of un-met requirements with planned date of implementation would make sense.
- Attestation will have to be made on an annual basis
- Contractors should think carefully about the implications of attesting 100% compliance through SPRS and then later being unable to successfully complete a C3PAO or DIBCAC assessment.
- New Interim rule to implement CMMC will be published for public comment sometime March-May 2023.
- It is unlikely the rule will be altered based on public comment.
- Rule will probably go into effect 60 days after published for comment.
- Most likely, any new contract starting mid 2023 will require the attestation.
- Based on what we saw with the original DFARS 7019/7020 “SPRS Score” rollout, Primes will be rapidly requesting this attestation from subcontractors to identify those that require replacement due to inability to meet CMMC requirements.
CMMC Timeline Unanswered Questions
There are however significant unanswered questions that remain, particularly around how to manage assessment of contractors that work with cloud-based security tools, Managed Services Providers (MSPs), Managed Security Services providers (MSSPs) and other cloud hosted systems that may store or impact CUI.
We expect many of these questions to only be resolved once assessments begin and set precedent for how a given situation is to be handled. The C3PAO Stakeholder Forum (Positions – C3PAO Stakeholder Forum (c3paoforum.org)) has published material addressing some of these questions.
In addition, contractors with international locations may have data protection, export and sovereignty requirements that conflict with each other. C3PAO’s will become aware of these situations during assessment and additional guidance is required from the DOD on how they are to be managed.
Download our CMMC eBook for more information on certification!
DoD Contractors Guide to CMMC Certification.
What Should Contractors Do Right Now?
Contractors should expect to see a CMMC requirement for new business starting mid 2023.
However, it can take 6-12 months or longer for an organization to become compliant, depending on size, complexity, and available resources.
We are now getting close to that 12-month window. While some aspects of how CMMC will be implemented are still unknown, the actual requirements are set (NIST SP 800-171), have been largely unchanged since 2017 (DFARS 252.204-7012), and are not going to change in any significant way between now and mid-2023.
Waiting until the end of this year, or until rulemaking is complete to begin serious work towards implementing NIST 800-171 will likely result in a contractor being ineligible for contract awards starting mid 2023.
It is our professional recommendation that contractors who currently do business with the DoD begin aligning their environment with NIST 800-171 now, to be ready when the requirements are added to new contracts. Organizations who fail to be prepared risk losing contracts or being at a competitive disadvantage when bidding on new business.
Need Help Getting Started?
OSIbeyond’s Cybersecurity Compliance team is ready to assist your organization in becoming CMMC 2.0 compliant. Our process starts with a Risk Assessment against NIST 800-171 to identify the gaps in your environment along with a System Security Plan (SSP) and Plan of Actions and Milestones (POAM).
Contact us today to discuss how we can help your organization prepare for CMMC 2.0.