Is CMMC dead? Why the delays?

a desert, deserted and barren

Is CMMC dead?

A vocal group of CMMC denouncers has attracted press attention for their claims of fraud at the CMMC Accreditation Body and Department of Defense.

In April, the Government Accountability Office conducted meetings to review CMMC. During these meetings, stakeholders, industry competitors, and defense industrial base companies provided feedback about their frustrations.

Concerns that CMMC is “dead” were recently buoyed by DoD spokespeople no longer participating in industry conferences at their previous rate.

This opinion article is inspired by multiple organizations reaching out to last month literally asking, “Is CMMC dead?”

What is causing concern?

CMMC stakeholders have gotten concerned about the fate of CMMC because of changes in leadership at Department of Defense Acquisition & Sustainment, missed deadlines, and lack of the usual reassurances by CMMC leadership.

  • The CMMC Project Management Office (PMO) has been very quiet over the last two months regarding CMMC (greatly reduced public appearances and statements).
  • The monthly CMMC-AB Town Hall was skipped in May.
  • Mr. Jessie Salazar (Deputy Assistant Secretary of Defense for Industrial Policy) has assumed oversight of the CMMC program.
  • The CMMC Scoping Guide was not released by the CMMC PMO. It was expected in May.
  • The CMMC Final Rule is not released by the CMMC PMO. It was expected in May or early June.
  • C3PAOs have not been provided guidance about how to organize and report assessments. This was expected in April.
  • Licensed Training Publishers have not been given the final version of their curriculum by the CMMC PMO. This was expected last year.

While no one except the U.S. Government knows the exact direction that CMMC is moving, these delays point more to bureaucracy and loss aversion (and maybe burnout) than the CMMC going away.

If CMMC was dead, we would see these signs:

  1. Members of the CMMC-Accreditation Body (the private sector organization in charge of managing CMMC Third Party Assessor Organizations) would resign in protest or quit.
    • This has not happened.  The CMMC-AB is not showing signs of dismantlement. The CMMC-AB is adding new positions.
  2. DIBCAC assessments of candidate C3PAOs would stop.
    • These assessments are a major burden on DIBCAC’s schedule so I would expect this to be the #1 sign if CMMC is being dismantled.
    • C3PAO assessments by DIBCAC are continuing.
  3. High level government would not be releasing executive orders and holding congressional hearings about the criticality of cybersecurity. They would not be mentioning CMMC in a favorable way during those conferences.

So is CMMC dead?

Almost certainly not. Or at least it is an extremely well kept secret.

The United States desperately needs a comprehensive strategy for cybersecurity. Cybersecurity and supply chain risk is obviously a priority for the administration based on the release of Executive Order 14028. CMMC’s basic concept (third party auditors, emphasis on repeatable processes, and increasing security levels that can be progressed through) is a good one.

I’m very sure that something named CMMC will continue to exist and become enforced across the Department of Defense, and probably the entire Federal Government. But right now, the program suffers from a lack of official guidance and resources.

Will CMMC change significantly?

Change to the CMMC is very likely and should happen.  In its current form, the CMMC is unforgiving of complex networks used for manufacturing or development, has a huge documentation burden, and lacks risk acceptance.

In May, we started hearing rumors that the DoD will allow very limited Plan of Action items (also known as unimplemented requirements). Considering that the CMMC Level 3 is currently a 705 question test which requires a perfect score to pass, anything to make it easier will be a huge benefit to industry.

Why is the CMMC roll-out taking so long?  Look to the C3PAOs.

At the heart of the CMMC is the “CMMC Third Party Assessor Organizations” or C3PAOs.  C3PAOs are the only entities that are authorized to enter into contracts with defense contractors to perform assessments.

The DoD has required that C3PAOs meet several stringent requirements before they can start work. These requirements are causing major delays due to dependency bottlenecks which cannot be solved by the C3PAOs.

1) C3PAOs must pass a CMMC assessment by DIBCAC, but supply is limited

C3PAOs are required to pass a CMMC Maturity Level 3 certification for their own information system, and if clouds are used to store, process, or transmit assessment data, to use FedRAMP High authorized clouds.

Bottleneck: At current staffing levels, DIBCAC appears to be only capable of performing about 20-30 CMMC assessments per year, out of the 450+ companies that have applied to become C3PAOs.

2) Staff need Tier 3 background checks

C3PAOs are required to have 4+ assessors on staff with a Tier 3 background adjudication (this is like a SECRET clearance investigation but does not grant a clearance). Back-office governance staff are required to have a Tier 3 as well if they will be reviewing or handling assessments. IT staff that have access to assessment data need Tier 3 background checks as well according to the CMMC-AB Statement of Work, but this doesn’t seem to be well understood.

Bottleneck: The only assessors available right now are the 140 or so Provisional Assessors.  C3PAOs have not been allowed to submit their other staff for Tier 3 background checks. There has been no news that any Tier 3 background checks have completed for any Provisional Assessors. Therefore, only the Provisional Assessors who already had clearances (this was not a factor in selection) are eligible to handle assessments. The first several authorized C3PAOs will probably use up all available cleared provisional assessors.

3) C3PAOs need procedures

The DoD is requiring that C3PAOs prove they have procedures to perform assessments before they are approved.  Obviously this is important – assessment organizations need to know how to perform their job!

Bottleneck: The problem is that expectations for assessments are normally provided by an oversight organization like the DoD or the CMMC Accreditation Body, but C3PAOs have not yet been given guidance. For example, candidate C3PAOs have not yet been provided the CMMC Assessment Process (CAP) or guidance about how to perform the following key activities:

  • How to get C3PAO staff submitted for Tier 3 background checks
  • How to register a new assessment contract with either the DoD or CMMC-AB.
  • How to officially update a client’s certification status if they pass an assessment.
  • How detailed an assessment is expected to be, such as how many samples to review in larger organizations.
  • How to get clarification on technical questions from an authority (such as the DoD) if existing guidance does not address a client situation.
  • Is the C3PAO at risk of lawsuit for an adverse decision?

Where does that leave Defense Contractors?

If you aren’t ready for your CMMC assessment (almost no contractors are ready), these delays give you more time. This is a good thing. Lessons learned and precedents from the slow rollout will build knowledge about what is needed to pass a CMMC assessment.

For example, very few organizations understand the requirements for inheriting cybersecurity from their cloud providers or Managed Service Providers. As assessments are performed (and failed or passed), the community will start to understand what it takes to be CMMC Level 1 or CMMC Level 3.

Plan to spend some time in June/July to understand major changes due to be released by the DoD, specifically the DFARS Final Rule and the CMMC Scoping Guide. Subscribe to the newsletter here for official links, statuses, and analysis as they are released.

Amira Armond is the chief editor for Amira is also the president of Kieri Solutions, a candidate C3PAO pending assessment of their information system.

8 thoughts on “Is CMMC dead? Why the delays?

  1. Jay says:

    Why dont they just use the RMF process?
    Its already built, is using the same controls ( just names them differently), and already has orgs being assessed.

  2. Brent Watson says:

    I still don’t understand the time wasted on trying to shorehorn 800-53 to 800-171 to try to make something fit for the private sector. The NIST CSF already sets a framework for best practices and maturity levels. The CIS Critical Controls provided an easier path to cyber resilience than 800-171. HITRUST CSF does both… Recreating the wheel may create some delays. The DOD has never had a successful financial audit, yet it is designing an audit methodology? Don’t get me wrong, I like requiring vendors to validate their supply-chain and cybersecurity practices, I just have concerns about the underlying CMMC frameworks (HITRUST has been around since 2009!).

  3. Mark Fowler says:

    Thanks, Amira for your insight into what’s “under the covers” at CMMC Advisory Board. I agree that it is a good sign that CMMC-AB is adding permanent positions, but this also shows a lack of maturity inside the organization.

    I wish we could get a definitive answer as to when sub-contractors are expected to have a CMMC Level 3 assessment in hand. At this time, I can’t see any more than just a handful of organizations receiving their Level 3 assessment, and all of those are likely to be C3PAOs.

    We appreciate you’re going “out there” and getting us an insider’s perspective!

  4. Thomas Nohs says:

    Thank you Amira,

    The information is invaluable. Being able to share information with the clients is important. As you mentioned in your article, giving the clients more time to get prepared is critical and needed.

    I like the idea of some kind of POAM. Even at 100% there is always change.

  5. Randy A Renk says:

    Well Done Amira….

    Your case is very compelling..but the conclusion seems to support the idea that we will see something far different than CMMC…Perhaps sticking with the NIST 800-171 and -172 combination …tailored & validated by each Program’s contracting officer would be scalable…at least until the DoD “matures”…

    It is their best chance at tackling the problem of protecting CUI…

    Besides…such an approach would reflect the spirit of EO 13556 and 32 CFR 2002

  6. Vince Scott says:

    Thanks Amira! Nicely written. Concur completely with your fundamental presumption that CMMC will stay, but be modified. Look forward to seeing the updates as they come out.

Leave a Reply

Your email address will not be published. Required fields are marked *