This is week’s update is pretty short. The DFARS Interim Rule is still the biggest news.
Other topics are the new DoD CUI website which has great resources for contractors, and word-of-mouth updates on the CMMC-AB’s registered practitioner and C3PAO programs.
CMMC Registered Practitioner
Per CMMC-AB support email:
Everyone who completed Registered Practitioner Training should have gotten a CMMC-AB Code of Professional Conduct to sign by this point. Initial ETA was week of October 1st. Note: I got notification today at 3:30pm about signing the CoPC. Check your spam folders if you don’t see anything in the next 24 hours.
The CMMC-AB timeline for background checks is to start gathering required information by mid-October 2020.
Thanks to Daniel Bjorklund (a Registered Practitioner candidate) for this update.
DFARS Interim Rule published – effective November 30, 2020
As expected, the Interim Rule added CMMC requirements with a five-year rollout.
Unexpectedly, it also enforces compliance with the current DFARS 252.204-7012. If a defense contractor subject to DFARS 252.204-7012 doesn’t submit a self-assessment with a compliance score to the DoD, they will not be eligible for new contracts after November 30th.
It does not appear that historical submissions (such as self-attestations that the company is 100% compliant) will transfer to the system that contract officers check.
If your company is subject to DFARS 252.204-7012 and has contracts coming up for renewal or bid, you need to submit a DoD self assessment against NIST SP 800-171.
Read this article for more information and process to submit a self-assessment: DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171
An analysis by Robert Metzger’s practice group: DFARS: Assessing contractor implementation of cybersecurity requirements (DFARS Case 2019-D041)
DoD CUI Program website
This new website from the DoD has great resources for handling Controlled Unclassified Information, such as links to the official policies and guidance for how a contractor can mark and label CUI properly.
Level 1 companies not participating?
Poll from the CS2 Virtual Summit on October 6, 2020: Cloud Security and Compliance Series
In my own conversations with the community, I’ve come to the conclusion that there just isn’t much interest in the CMMC from “Level 1” companies. Almost every single contact I’ve had is from a “level 3+” company with DFARS 252.204-7012 (Controlled Unclassified Information).
Possible reasons for this disparity:
- Level 1 companies aren’t concerned or are unaware
- Level 1 companies aren’t talking to cybersecurity experts
- Almost every current contractor has the DFARS 252.204-7012 clause in their contracts (hmm…)
Many contractors subject to DFARS 252.204-7012 don’t know if they have CUI on their networks. The government hasn’t labeled any files or documents. The contractors are typically afraid to ask their contract officers, because this would indicate that they haven’t been protecting the data.
This is one way that CMMC could actually help many contractors – by requiring contract officers to consider whether the contract actually includes CUI before they assign Level 3.
C3PAO requirements updated
It appears that the C3PAO page on the CMMC-AB website has been updated slightly.
It has a category called “Requirements Awaiting More Details”
ISO 17021 Certification
Says “Do not engage in the 17021 certification process before the detailed requirements…for the CMMC Standard [are] published on this website”
Amira’s thoughts – as the owner of a very small cybersecurity consulting company, ISO 17021 certification is my biggest risk / cost to be able to qualify for C3PAO. I’ve heard estimates of $32,000 initially, and $10,000 annual renewal, with an average 1-year timeframe to attain certification. So if I follow the CMMC-AB’s guidance to not engage, then I am looking at being ISO 17021 in late 2021 or 2022 (if I can afford $32,000).
There also appear to be fundamental issues with the structure of the CMMC-AB ecosystem and ISO 17021 certification.
Update: Per comment from Giustino Fumagalli below, achieving ISO 17021 as a very small company is impossible. Also the word “certification” on the CMMC-AB C3PAO page is inaccurate.
Obtain a CMMC C3PAO ML-3 certification
At first I thought this was a new program, but on second look, it is the OSC-type CMMC Level 3 assessment, possibly by the provisional assessors, or by the DoD? Not new.
“Foreign ownership considerations are under exploration for all C3PAOs.”
This looks new. I’m not sure what to think about it yet.
Source: CMMC-AB page on C3PAOs
What are your thoughts? Heard anything useful to the community? Comment below!