What exactly is “certified” when you go through a CMMC or Joint Surveillance assessment, or when you self-assess your environment and report it to the DoD? What does it mean when you want to bid on contracts using this certification?
Disclaimer: I’m not a lawyer. This is not legal advice. I don’t have special insight into the Department of Defense’s thought processes. Just doing my best to connect the dots for everyone, as best as I can.
What prevents a defense contractor from getting a single laptop CMMC certified, then using that cert to win tons of contracts?
Ironically, there is very little official information about this topic. Here is what we have so far –
Wait. Isn’t there just one “certification”?
Why is the article talking about self-assessments as a certification? Isn’t the only type of certification a CMMC Level 2 Certification performed by a C3PAO?
Actually, no. The CMMC Proposed Rule discusses self-assessments as a form of self-certification which makes a contractor eligible to win contracts requiring a CMMC self-assessment. In fact, the way the rule is written, the words “self assessment” are interchangeable with “certification”, which is a little bit weird, but it seems to work legally.
So for the purposes of this article, we are lumping CMMC self-assessments, CMMC Level 2 Certification assessments, and Joint Surveillance / DIBCAC High assessments together.
CMMC Scoping Guide
The CMMC Scoping Guide for Level 2 talks about categorizing assets (people, physical facilities, technology, external systems) to determine which requirements are assessed against them. The guide uses proximity to CUI as a primary method of determining if an asset is in-scope. In other words, if CUI is on an asset, then it needs to be very secure. If an asset is connected enough to CUI to be used to compromise it, that asset needs varying levels of security.
Contract Clauses and CMMC Certification
As part of specific DoD contracts, contractors agree to perform a self-assessment of the contractor information system used to handle CUI related to performance of that specific contract.
SPRS and CMMC Certification
Contractors are instructed to record their self-assessment score into the Supplier Performance Risk System, for review by the DoD. This score is connected to a specific contractor information system with the following references:
- CAGE code(s) that use the system. Each CAGE code uniquely identifies a contractor and a location of performance. Since information systems can extend across multiple locations (site to site VPNs!), there may be more than one CAGE code.
- The name and version of the System Security Plan(s) that describe the contractor information system. The plan itself can be referenced to find the name of the information system, the network diagram, the data flow diagrams, and a description of the components and systems included in the information system. If the DoD thinks that a contractor is handling CUI on an uncertified information system, they are likely to ask to see this version of the plan.
So how do we trace a certification to the actual system?
Right now, this is the best answer for what system is “certified” when you get CMMC assessed or a Joint Surveillance assessment.
The information system 👉
that was described in your System Security Plan 👉
that you named in your SPRS entry 👉
that is connected to one of your CAGE codes 👉
that you listed as a location of performance when you bid on the contract.
How to trigger a False Claims Act
If you use your certification / Joint Surveillance / self-assessment as a qualification to win a contract, then you are obligated to keep that contract’s CUI on the assessed system during the performance of the contract.
Specifically, you should keep the contract’s CUI on systems that you listed as “CUI Assets” per the scoping guide.
What is the standard remedy for companies that don’t? Ye olde False Claims Act.
Does the C3PAO maintain records of the assessment scope?
Yes. Absolutely.
The C3PAO, if they are doing their job, should be retaining high-level records describing the scope that they assessed. This can include network diagrams, data flow diagrams, and summary information about your environment. These are kept as part of the Assessment Plan, Assessment Report, and potentially the CMMC Certificate file itself. We don’t know yet what a CMMC Certificate will look like, but many C3PAOs have requested that the certificate includes a scope description.
Why does the C3PAO retain records about the scope they assessed? Because they don’t want to be blamed for certifying a system that they didn’t actually assess. Many assessors are concerned that they would be held accountable if a contractor is breached for a system that the assessor said was secure.
That scenario is scary enough to our risk-averse security friends… imagine if assessed companies outright lied about their scope, saying that it is much smaller than it actually is? Unless someone at the company starts blabbing during the assessment, the assessor won’t know what they aren’t told about. The only protection for the assessor is documentation showing what the assessor WAS told about. This is why C3PAOs will retain records about what was in-scope for their assessment.
Does the DoD maintain records of the assessment scope?
The DoD has said they intend to host a system called eMASS which will consolidate assessment records. At the least, the assessment records (assessment plan, assessment report, detailed findings) from the C3PAO will be uploaded into eMASS. eMASS may also get a copy of the System Security Plan or asset inventory lists which describe the environment and what was in-scope in great detail. This would need to be determined further by the DoD.
A small rant about DFARS cybersecurity and false claims
I really hate the idea of bad-actors being rewarded while good businesses put in the effort and pain of doing compliance right. But that is the current state of things while we wait for CMMC.
Years of ineffective oversight of DFARS 252.204-7012 has artificially removed (though competition) most of the companies who were trying to comply with their contract terms.
The companies that took their contractual obligations for cybersecurity seriously had higher bids and higher costs than peers. Guess what happens when you’ve got higher bids? You don’t win them. Over the 7+ years since DFARS 252.204-7012 was released to contracts, I am convinced that the conscientious companies were driven out of the market because their bids and costs were too high. 😢
CMMC is supposed to fix this issue. Third party certifications required for all bidders of contracts will level the playing field, allowing cybersecurity to be incorporated in the price without causing loss of competitiveness.
For this to work, we need to ensure that certifications include a description of the scope assessed, and that phony, unused, and non-functional systems are not rewarded with contracts.
Amira Armond is the President and Quality Manager for Kieri Solutions, an Authorized C3PAO. Kieri Solutions provides CMMC preparation and Authorized C3PAO assessment services. Check their services out at https://www.kieri.com