CMMC News Roundup September 28 2020

Hello all,

Big news these last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then it was approved on an interim basis, to go into effect around November 27, 2020.

DFARS Interim Rule Added – enforces assessments

Federal Register Publication for CMMC DFARS Rule

Don’t skip this link. In my opinion it is the most important CMMC news of the last year.

Super quick non-lawyer review of the DFARS interim rule:

We can submit comments on the rule change by going to http://www.regulations.gov and searching for “DFARS case 2019-D041” or emailing osd.dfars@mail.mil with subject line “DFARS Case 2019-D041”.

Assessment results will be stored in a DISA system (SPRS) https://www.sprs.csd.disa.mil. DoD components are expected to check this system for assessment scores and validate that the bidder’s assessment is less than 3 years old. Note: Per Vince Scott (Defense Cybersecurity Group, Inc.), SPRS is available to contractors through the Procurement Integrated Enterprise Environment (PIEE). See his comment below for full details.

It talks about the CMMC levels and phased rollout through 2025. This statement should help give companies time to get certified: “In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment”

It says that the rule amends DFARS subpart 204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting”. The new coverage “directs contracting officers to verify in SPRS that an offeror has a current NIST SP 800-171 DoD Assessment on record, prior to contract award” if the contract has DFARS 252.204-7012 in it. *** To me, this reads like it amends the current requirement and is not part of the ‘phased rollout’. That makes this an immediate action item for basically the entire DIB. How do you read it? ***

CMMC certification would be required at time of award, not at time of proposal submission. This is a change.

Contracting officers are also instructed to include a few new clauses: allowing government assessors access, requiring subcontractors to meet the assessment requirements too, and submitting company assessments to the SPRS system.

I recommend following Robert Metzger (he is an attorney specializing in CMMC and DFARS) on LinkedIn for updates and shares on this topic.

Certified Assessor Training in development

The CMMC-AB authorized 11 organizations as “Licensed Partner Publishers”. These organizations are starting to develop courses on the Certified Professional / Certified Assessor track.

For more information and exclusive updates from Infosec Institute, check our Auditor Training Resources page.

Each LPP is also listed on the CMMC-AB marketplace.

Provisional Assessor update

Several Provisional Assessors have posted on LinkedIn that they completed their exams and are official. No word on whether any assessments have been started.

Per Matt Gilbert (a provisional assessor candidate), in mid September: “The class is completed and yes we have an exam to take this week. Assuming we pass we will be official provisional assessors next week. Then it is up to the DoD to authorize us to proceed and start taking on provisional assessments. Exact format (i.e. are we open to any OSC requesting vs. matched or allocated by AB) and details (i.e. for credit or not and level 1 only or more) are TBD.”

Registered Practitioners path started

RPs were recently given access to web-based training created and hosted by the CMMC-AB as part of their $500 initial fee. If you signed up for RP, you should have gotten an email last week. Contact CMMC-AB support if not.

More information here: Review of CMMC Registered Practitioner Training

Certified Assessors – no news

I’ve had a bunch of contacts from folks who registered on the Certified Assessor track, asking if they missed a message or notification. No, you haven’t. At least if you have, you are in good company with the rest of us.

The CMMC-AB seems to feel that since they don’t have the CA track ready, there is nothing to announce or message about. It is logical, but still frustrating. If you applied and have questions, feedback, or concerns, I recommend submitting a support request to them (check the cmmcab.org website for the link). Turnaround is about 3 days in my experience.

Oxebridge paper about accreditation body lessons-learned

Oxebridge published a paper about organizational lessons-learned from other certification bodies (such as CMMI) and identified problems with how the CMMC-AB has been put together. While generally negative, it has valuable insights. Page 8 provides an action plan:

  1. AB certifies C3PAOs
  2. A different organization certifies assessors
  3. A different organization certifies training providers
  4. No certification or restrictions for publishers. (I agree: passing the exam and meeting the background requirements should be the only roadblock. Otherwise, caveat emptor for the rest of the marketplace.)
  5. No certification or restrictions on training providers; let each training provider perform its own quality assurance.
  6. No registered practitioners, since this is definitely a pay-for-marketing situation.

https://www.oxebridge.com/downloads/OPINION%20PAPER%20-%20CMMCAB%20AND%20CMMC%20SCHEME%20-%20r0final.pdf


Hope this all helps! Good luck to everyone in their assessment and compliance journeys.

-Amira Armond

President, Kieri Solutions LLC

Comments

  1. Vince Scott says:

    On the 204.73 implementation timeline. Yes I agree with you and read that as the 171 reporting is effective immediately. Actually, it is already a requirement deeply buried in the bureaucracy. Just no one is checking for it. This mandates contracting officers check that the already mandated self assessment is actually posted.

  2. Vince Scott says:

    Thanks for posting Amira!
    On SPRS. See this comment from the DoD 171 Assessment Guide.
    • Document your Basic (self) NIST SP 800-171 DoD Assessment score in Supplier Performance Risk System (SPRS). A Procurement Integrated Enterprise Environment (PIEE) account with a SPRS “Cyber Vendor” role will be required to enter Basic Assessment information into SPRS. This role may be requested through PIEE.

    So the answer to your question is via PIEE which contractors do have access to already.

    That assessment guide can be found at: http://dodprocurementtoolbox.com/cms/sites/default/files/resources/2020-09/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.docx
