June 2, 2021
Good afternoon, everyone!
Biden’s EO, Salazar’s testimony and the future of the CMMC
Three events in the past few weeks are speaking volumes about the future of the CMMC. Let’s take a quick look at these events, consider some possible implications and explore how they may impact your current CMMC preparation.
First, the testimony of Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy (a recent Biden appointee), before a Senate committee on May 18. During this testimony, Mr. Salazar revealed:
“the Department [of Defense] has numerous programs and thousands of personnel working to improve the cybersecurity posture of the [Defense Industrial Base]. I have recently assumed oversight of one key component of this expansive effort: the Cybersecurity Maturity Model Certification program (CMMC)…. [S]ecurity is foundational to acquisition and should not be traded along with cost, schedule, and performance.”
Moving oversight of the CMMC to the level of Mr. Salazar’s position is widely interpreted to mean the DoD is firmly committed to the CMMC. It’s not going away, even with the change in administration.
Mr. Salazar also referenced the “more than 850 comments in response to the DFARS interim rule establishing CMMC” and indicated that the DoD is “currently working with internal stakeholders on adjudicating these inputs.” What does this mean? Attorney Robert Metzger (a co-author of MITRE's Deliver Uncompromised report), believes that “significant changes” may be coming.
The second major event to consider is the DoD's internal review of the CMMC program, initiated in March and recently completed. Also on May 18, Senator Munchin stated the DoD review is going to lead to changes to the CMMC program, based on information he has received from Deputy Defense Secretary Kathleen Hicks.
What might those changes be? Keep reading.
Finally, the May 12 release of President Biden’s “Executive Order on Improving the Nation’s Cybersecurity.” is likely to impact the CMMC as we know it. Following are the provisions of this EO that I consider key to the CMMC:
Section 2(h): “Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government.” The following sections describe a process for “agency-specific cybersecurity requirements” (like the CMMC) to be reviewed, and sent to the FAR Council for inclusion in an updated FAR, at which point “agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates.”
It has been speculated by many that the CMMC would eventually be adopted by the entire federal government for all its contractors (DHS has already indicated its plan to adopt CMMC when the ecosystem is sufficiently robust to handle the additional workload, and GSA has referenced CMMC in two of its contract vehicles). It seems entirely possible that this EO will lay the groundwork for making that happen.
Section 3(a) states in part that “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services” — what does this mean for the CMMC?
(1) The CMMC Model currently doesn’t address Zero Trust Architecture (ZTA), and yet this is the new focus of the federal government’s cybersecurity plan. The DoD has been talking about ZTA for at least a year (and released a Zero Trust Reference Architecture document in February), yet the CMMC is built on NIST 800-171 (circa 2013-2016). Expect the CMMC Model to be modified to include ZTA at some point in the near future. (This sounds like a good topic for a future CMMC Update -- "What is ZTA?")
(2) The DoD has been encouraging contractors to create a “secure enclave” for CUI, and many are choosing to do so in the cloud. With the push for all federal agencies to move to “secure cloud services” I would expect this trend to extend even farther within the DIB.
Remember, though, that creating a CUI enclave in the cloud is not a “Get Out of CMMC Free” card — under the shared responsibility model of the cloud, you will still be responsible for a large portion of the CMMC practices, and you bear responsibility for proving your inheritance of the practices covered by the cloud service provider (CSP). (I’ll talk more about that in my next CMMC Update.)
Section 3(d) requires federal agencies to “adopt multi-factor authentication and encryption for data at rest and in transit” so I think we can forget about those practices being dropped from future versions of the CMMC Model (frankly I never thought they would be dropped, but many have hoped).
Section 3(f) directs the GSA to begin “modernizing FedRAMP” and concludes with “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.” In practical terms, what does this mean? I don’t think we know exactly, but there has been a lot of chatter about reciprocity between CMMC, FedRAMP, various ISO standards, etc., so I think that’s part of it. Also, I wouldn’t be surprised to learn that open POAMs will no longer be allowed in FedRAMP after this modernization process takes place. POAMs are history. Hopefully this process will also give greater clarity as to which FedRAMP controls can be inherited for CMMC compliance, or perhaps it might be that FedRAMP will be converted to the updated CMMC Model (which will include ZTA)? Time will tell.
So what does all this mean for your CMMC preparation? Well, I would say three things:
(1) Keep closing those open POAMs! The CMMC is not going away, and if you’ve covered the basics before the next version is released, you’ll have much less left to do.
(2) Avoid any major changes to your network configuration that might be difficult or expensive to undo, especially big purchases. Metzger thinks a new version of the CMMC Model with “significant changes” may come out this fall. If true, it could possibly change your current plan for achieving compliance. Stay flexible.
(3) Work on your documentation! That’s not going away either, and it takes time to produce. Develop your employee training programs. Document your practices. Write down policies. Develop that process maturity you will have to demonstrate for your official CMMC assessment.
Finally, keep reading my CMMC Updates! Have a great week.