What is the current status of the CMMC?
The “DFARS Final Rule” is expected within the next month.
The DFARS Final Rule will change the following DFARS clauses from interim to final versions. The language in each clause may be changed to clarify or resolve problems identified during the interim phase. Once a clause is in “final” version, it becomes very difficult to change the language or remove the clauses later. These DFARS clauses were released in interim version effective November 30, 2020.
252.204-7019 – Requires cybersecurity self-assessment score to be uploaded in order to be eligible for contracts with the DFARS 252.204-7012 clause. This is a self-assessment against the requirements in NIST SP 800-171, which is the current cybersecurity requirement for defense contractors with Controlled Unclassified Information.
252.204-7020 – Restates portions of 7019 and requires the contractor to provide access for the government to perform cybersecurity audits on demand.
252.204-7021 – Requires CMMC certification in order to be awarded contracts with this clause. This clause is expected to be gradually added to contracts over a 6+ year period.
CMMC scoping guidance is expected imminently.
According to rumor, the DoD is in the final review of the CMMC Scoping Guide. This is expected to be a definitive source that describes what systems must be assessed for certification and which systems can be skipped. It is likely to describe how sensitive data and specific DoD contracts are used to identify the scope of assessment.
We hope that the scoping guidance will address the following questions:
- Whether certain types of operational networks, such as factory equipment and development networks, have fewer requirements or are “out of scope” entirely.
- Whether all CMMC requirements apply to all systems equally, or if certain requirements are expected to apply to specific types of systems. For example, it is very difficult to apply requirements for antivirus scanning or multi-factor authentication to systems like printers.
- Whether assessed systems need to be in use for client contracts, or if “a single laptop locked in a safe” can be used for CMMC Level 3 certification.
- Whether systems with Federal Contract Information must be included in the assessment if a contract requires CMMC Level 3.
One or two C3PAOs are close to being “Approved” to perform assessments.
It appears that two C3PAOs have passed their CMMC Maturity Level 3 assessments by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). One has been announced officially by the CMMC-AB, and one is still pending final review.
The C3PAOs still need to go through some additional review by the Department of Defense before being authorized to perform CMMC assessments. This is expected to complete very soon.
The first formal CMMC assessments should be starting in the next few months.
Expect only a handful of assessments to be conducted at first due to major bottlenecks for C3PAOs and assessors. These assessments will likely be prioritized to companies that are bidding on a CMMC pilot contract, or companies that provide support to bidders (such as external service providers and cloud vendors).
What contracts include CMMC right now?
At this time, there is only one contract approved to include CMMC. The Inmarsat Broadband Global Area Network (BGAN) and Global Xpress (GX) contract is hosted by the Space Force and includes DFARS 252.204-7021. The Request for Information (RFI) for this contract states that “CMMC Level 3 certification will be required of the apparent awardee, prior to award, for this procurement.”
A key insight from this RFI is that “CMMC complements DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which implements NIST SP 800-171 requirements”. This indicates that the 252.204-7012 clause is not being replaced by CMMC.
The DFARS 252.204-7012 clause notably contains language that requires the use of FedRAMP-authorized clouds for the storage, processing, or transmission of Controlled Unclassified Information. The clause requires reporting of security incidents to the Department of Defense, and it requires the contractor to protect information systems containing Covered Defense Information according to NIST SP 800-171, which has 110 security requirements.
New FAQs released by the CMMC Accreditation Body
The Frequently Asked Questions published by the CMMC Accreditation Body have been updated and organized into topic groups, such as Assessors, Registered Provider Organizations, Assessment Process, Policy and Procedure.
A noteworthy addition is two FAQs about the assessment process. These paragraphs are must-reads for C3PAO candidates looking for information about how to perform assessments.
The FAQ also discusses documentation requirements for CMMC Level 3. It states that “Procedures and policies need to be based on your business processes, not the CMMC model domains and practices. They should ACCOUNT for the domains and their operational requirements, but there is no requirement to have them for each control, practice, or domain.” This somewhat contradicts lessons learned from a C3PAO assessment performed by the DIBCAC, in which the C3PAO candidate reported that their documentation needed to address every assessment objective (which is significantly more granular than each control, practice, or domain). We are not sure who is wrong here: whether it is a misreport by the C3PAO, whether DIBCAC is seeking a higher standard of documentation than it should, or whether the FAQ is inaccurate.
April Town Hall and DIBCAC presentation about C3PAO assessments
The April 2021 Town Hall video included a presentation by DIBCAC about their assessments of candidate C3PAOs. It gave important information about expectations for documentation and inheritance of cybersecurity from external service providers. I recommend watching at least 19:00 – 36:28 for this presentation.
Executive Order: Improving the Nation’s Cybersecurity
The executive order issued by President Biden on May 12, 2021 has a major impact on defense contractors and on cybersecurity as a whole. It is very specific to supply chain risk. Topics addressed in the executive order are:
- Tracking and preventing compromises of upstream source code that is used by multiple programs.
- Adoption of zero trust architecture by the government.
- Increased capabilities for cloud provider cybersecurity assessments, specifically the FedRAMP program.
- Sharing cyber threat information between the government and IT service providers.
- Improving and standardizing incident response by the US Government.
- Improving detection of cybersecurity vulnerabilities and compromises on Government networks.
CMMC C3PAO Stakeholder Forum
More than 120 representatives from C3PAOs have joined the CMMC C3PAO Stakeholder Forum. This is an industry group which organized to facilitate communication, education, and professional practices among its members. The current focus is on advocacy for C3PAOs and our potential clients so that the CMMC program is successful. All members must work for a C3PAO or be a representative of the CMMC-AB or DoD. For more information about the charter and how to join, refer to the C3PAO page on this website.
What is your take?
Please sign up for our newsletter for timely updates about CMMC and DFARS 252.204-7012. You can unsubscribe at any time.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of the C3PAO candidate Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.