Cybersecurity Maturity Model Certification – Accreditation Body.
CMMC Compliance: it's a journey.
Cybersecurity risk is on the rise and is leaving no industry untouched.
The Department of Defense (DoD) has taken measures to implement the Cybersecurity Maturity Model Certification (CMMC).
What this means for Suppliers
CMMC will soon be required of any supplier doing business with the Department of Defense. DFARS Clause 252.204-7021 makes the certification a contractual requirement, and the controls it certifies are those of NIST SP 800-171.
Early in November 2021, CMMC 2.0 was announced, and the changes are significant.
What has changed? What hasn’t changed?
For some companies, the key question may be:
What actions should the Defense Industrial Base (DIB) take while it awaits final rules, pilot programs, and clarification on which systems will require a third-party assessment and what self-attestation will look like for the others?
The Defense Industrial Base (DIB) has been preparing for CMMC since the framework concept was announced in mid-2019. Contractors and subcontractors mapped and re-mapped their controls, planned, and implemented cybersecurity controls as updated versions of CMMC were released every few months, culminating in the release of Version 1.02 in March 2020. Internal audits have been conducted, POA&Ms have been carefully planned and updated, and SSPs have been refined in an effort to meet the stringent requirements of the framework's looming third-party audits and to maintain eligibility to bid on Federal contracts and subcontracts. Then came the announcement of CMMC 2.0.
FoxGuard's services will help you save time and money on your journey toward FAR, NIST, and CMMC compliance by accurately evaluating the types of protected information your organization handles, identifying where that information resides, and creating a customized, streamlined solution for its effective and thorough protection.
Our services include:
• DISCOVERY – gap analysis: identification of gaps against CMMC requirements
• PLANNING – planning services: creation of the Plan of Action and Milestones (POA&M)
• EXECUTION – mitigation services: assisting your team with implementation of the defined plans and actions
• MAINTENANCE – program maintenance: assisting your team in maintaining CMMC compliance
We will keep up with the changing regulations so you can run your business.
Levels and Processes
The CMMC 2.0 model structure is vastly different from previous versions (“CMMC 1.0”). Rather than five levels, ranging from “Basic Cyber Hygiene” to “Advanced/Progressive”, the model has been streamlined to only three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
Further, the maturity processes found in CMMC 1.0 (Performed, Documented, Managed, Reviewed, and Optimized) have been removed altogether in 2.0.
Higher levels of CMMC 1.0 included a number of “unique” requirements. These have been removed in 2.0, creating a model that is more definitively aligned with Federal Acquisition Regulation (FAR) rules and NIST publications.
• Level 1 (Foundational) – FAR 52.204-21 controls
• Level 2 (Advanced) – NIST SP 800-171 controls
• Level 3 (Expert) – Subset of NIST SP 800-172 controls
Plans of Action and Milestones
Perhaps one of the most worrisome aspects of CMMC 1.0 was that it did not allow Plans of Action and Milestones (POA&Ms): every practice had to be fully implemented at assessment time. While the specifics of the limited allowance of POA&Ms in CMMC 2.0 have yet to be revealed, the burden on DIB companies to complete 100% implementation of the CMMC requirements before certification appears to have been lifted, and many are breathing sighs of relief.
Third-Party Assessment versus Self-Attestation
Further sighs of relief can be heard, pending details on which levels and systems may certify to CMMC 2.0 by self-attestation. Whereas CMMC 1.0 required a third-party assessment at every level, CMMC 2.0 requires third-party assessments only for higher-priority systems and programs; Level 1 and a subset of Level 2 programs are expected to be able to self-assess.
WHAT HAS NOT CHANGED
Despite the major structural changes to the framework, the objective remains the same: To protect Controlled Information through the enhanced cybersecurity posture of the DIB.
Alignment to FAR and NIST
CMMC was meant to be the tool for verifying DIB compliance with the key regulations governing the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Whether or not some of the changes in CMMC 2.0 weaken the accountability built into the framework, the need for the DIB to proactively implement and enhance the cybersecurity controls set out in FAR and NIST publications has not changed in the least. Cyber-attacks continue to grow in number and sophistication, and the threat of compromised information remains a rising concern.
Under CMMC 2.0, the foundational level continues to mirror the basic safeguarding requirements of FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in the areas of Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.
As mentioned earlier, Level 2 (Advanced) has been streamlined to include only the 110 controls from NIST SP 800-171, and Level 3 (Expert) is aligned with a subset of controls from NIST SP 800-172.
Whether conducting an internal self-assessment or contracting an assessment from a professional service provider, Organizations Seeking Certification (OSCs) will want to ensure their statements of compliance are supported by objective evidence. Guidance for conducting risk assessments can be found in NIST SP 800-30, Guide for Conducting Risk Assessments, and guidance for assessing each requirement, through the examine, interview, and test methods, in NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Evidence may include policies and procedures, system security plans, configuration settings, authorization records, asset inventories, and audit logs and records, among others.
The Need for Forward Movement by the DIB
Although the inclusion of CMMC as a requirement in Federal contracts and subcontracts appears to be further out in time than previously thought, planning and implementation of the controls applicable to systems in scope for Covered Information should not be postponed. Compliance with FAR and NIST requirements has been mandatory for a number of years, and accountability through the NIST SP 800-171 DoD Assessment scores reported in the Supplier Performance Risk System (SPRS) remains. Further, the need to deliberately and proactively safeguard Covered Information amid sophisticated and ongoing attempts to compromise our nation's security is more prominent than ever.