CMMC Updates (August 21st)
Jan 2020 – Accreditation Body selected and begins accepting auditor applications.
June 2020 – Auditors are assessing contractors en masse.
Oct/Nov 2020 – CMMC starts hitting RFPs.
Updates on CMMC Levels –
Level 1 will be equivalent to the type of security you should have on your home network.
Any organization that handles CUI will be a Level 3.
Multi-factor authentication will be a Level 2 requirement.
Only the most sensitive programs (for example, hypersonics) will require Level 4/5.
Level 4/5 will be incredibly expensive.
As the model stands today, Level 3 requirements will feel very similar to NIST SP 800-171 Rev. 1.
Accreditation Body –
The non-profit entity that will “certify the certifiers” is now being referred to as the Accreditation Body. In a departure from previous plans, the CMMC team is reviewing the legality and benefit of assigning this role to a commercial entity already established in the standards/compliance industry.
Auditor Certification –
An organization that seeks to become an auditor will be certified at the organizational level, not the individual/employee level. It is expected that organizations will have their own requirements for hiring auditor staff (e.g. CISA, CISSP, etc.).
CMMC v0.4 Release –
Version 0.4 of the model is set to be released to the public in mid-September on the CMMC site. As is common with special publications and standards, public comment will be sought and incorporated into future revisions. Version 1 is on schedule for release in January 2020.
Desk Books –
The CMMC team intends to develop a series of “Desk Books” to give concrete expectations for each CMMC Level. These desk books will come in two flavors: Contractors and Auditors.
For contractors, the desk books will spell out specifically what is required to obtain certification at a specific level, plus implementation examples where appropriate (e.g. multi-factor authentication). These desk books are meant to provide contractors with “answers to the test” so there will be no surprises during an audit.
On the auditor side, these books will clearly state what should be evaluated and how. This will ensure audit results are trustworthy regardless of the source.
The CMMC team encourages and expects contractors to use the Desk Books and self-assessment tools to prepare for an audit. Having self-assessment results prepared will save time and reduce the cost of an audit.
The CMMC team is having conversations about creating or leveraging small-business assistance programs. Currently, there is nothing concrete, and no guarantees regarding assistance will be made. This assistance would be different from the “security is an allowable cost” changes discussed previously.
In short, POA&Ms don’t exist here. There is no CMMC Level 1+ or Level 2/3 gray area. When a contractor is audited, they will be certified at a specific level. Even if the contractor exceeds Level 1 but falls short of Level 2 by a single requirement, a Level 1 Certification will be awarded. This is the direct result of the POA&M problem with NIST SP 800-171 / DFARS 252.204-7012: contractors with three-year-old POA&Ms are “technically compliant”.
The CMMC team is working closely with other standards/framework entities (e.g. FedRAMP) to determine whether, and in what form, reciprocity will be offered. These conversations will lead to a list of existing accreditations that satisfy specific CMMC levels.
CMMC Consortium –
A governing body/consortium will be established to guide CMMC into the future. Members will likely include ISACA, CMMI, and industry partners. Consortium members will be prohibited from functioning as auditors.
Certification Renewal –
Originally, certification renewal was expected to be every two years. This has now changed to once a year and seems likely to remain so.
Emerging Threats –
The CMMC team is still exploring options for rapidly modifying the model to adapt to emerging threats. Additionally, methods of distributing information on threats to certified contractors are being considered.
Subcontractor Flow Downs –
New positions such as Acquisition Security Analyst and Acquisition Intelligence Analyst will be created to better position Program Managers to evaluate the CUI requirements and appropriate contractor CMMC Levels for a contract. When a prime submits a proposal, it will be the responsibility of the prime (with acceptance of the contracting officer) to appropriately establish the CMMC Level to flow down to subcontractors. This will primarily be determined by whether the subcontractor requires access to the CUI held by the prime. Proposals will need to contain a list of subcontractors along with their certified CMMC Level, plus the CMMC Level the prime expects will be needed to perform the activities being delegated to the sub. There may be challenges initially as contracting officers and primes work through this process, and it is expected that a standard process for CMMC Level flow down will ultimately emerge.
DoD 5000 –
DoD 5000 is being rewritten so the acquisition force understands what CUI is and how to convey needs appropriately through RFPs.
CMMC beyond DoD –
The CMMC team expects/hopes that this model will eventually go government-wide. Further, they would be very happy to see it adopted as an official ISO 9000-style standard.
Validating Certification –
At this time, the CMMC team expects validation of certification to be done by the Contracting Officer during proposal review. In practice, this may translate to CMMC Certification/Audit Deliverables/System Security Plan submission with a proposal. This process is not set in stone at this time. The government is still considering whether a “Clearing House” for contractor certification levels will be deployed. If deployed, this system may contain assessment results or evidence for each contractor. ComplyUp is being evaluated as a potential vendor for this system.
Contractor/Auditor Adjudication –
The government will craft some sort of adjudication process where disagreements over audit results can be reviewed.
Public List of Auditors –
The CMMC team has not yet decided if it will centrally host a list of Auditors (similar to FedRAMP 3PAOs).
Conflict of Interest –
Large organizations with distinct divisions cannot perform audits of themselves. Organizations cannot function as both the technical consultant and auditor for a client.
CMMC Support on the Hill –
CMMC is perceived as a positive in Congress, and the program has been up-funded several times in its short existence. Support for CMMC is bipartisan and unlikely to diminish regardless of the next election cycle.