July 26, 2021
Good morning, everyone!
Should we be swimming or treading water?
I’ve read a lot of chatter in various online forums lately about “the future of CMMC” – Is it going away? Is it going to be modified significantly? Should we be working on compliance now or waiting to see what happens? When a client asked me these very questions last week, I decided it would make a good newsletter.
First, I do not believe that the CMMC is going away. The current ransomware crisis and recent nation-state actions have federal government officials wound up to an extent I can’t recall seeing in my lifetime. Biden's Executive Order was the first major shout-out, and it just keeps coming. Last week, the draft National Defense Authorization Act (NDAA) for Fiscal Year 2022 was released. It has the word "cyber" in it 19 times, including an early mention:
Our national security rests on our ability to attain and maintain an asymmetric military advantage. Our supremacy in the seas, in the skies, in space, in cyberspace, and on land must be protected....
and an entire section entitled "Superiority in Cyberspace" outlining ways to improve the nation's cybersecurity posture. Remember, the Defense Industrial Base is critical to the nation's security. This is not going away.
To be honest, I think there's a good chance the CMMC will become the basis for a government-wide cyber security certification standard, and it will certainly undergo some changes along the way. I think it will be modified to better accommodate cloud solutions, and that zero-trust will become part of the model.
Second, I think (hope!) we will get a lot more info in the next 3 months. I just read last week that the CMMC-AB is about to train another group of provisional assessors, doubling the total available in the next four months. Three C3PAOs have now been authorized.
So, as an OSC (Organization Seeking Certification – that’s you!) what should you be doing right now? Swimming hard for the CMMC shore, or treading water to see what happens?
My advice: Improve your cyber security by fulfilling obligations that pre-date CMMC:
(1) Every federal contractor, whether DoD, GSA or other, has been required to meet FAR 52.204-21 (the "Basic Safeguarding Rule") since June 2016, and frankly that's just basic cyber hygiene, so make sure you have all 15 of those controls fully implemented (they match the 17 controls of CMMC ML1).
(2) If you handle CUI, you should continue working on full implementation of NIST 800-171 and the additional requirements of DFARS 252.204-7012. All DoD contractors who handle CUI were required to reach this goal by December 31, 2017. A few comments:
(a) For now, it's probably okay to handle the big/expensive/difficult things with POAM, until we get better scoping advice, but you should be knocking out everything that is feasible.
(b) It my understanding that if you record a self-assessment score of 50 or greater in SPRS, you may be subject to a "Medium" assessment (where DIBCAC calls you up, wants to read your SSP, will ask you questions about it and possibly ask for supporting evidence). If you record a score of 70 or higher, you may be subject to a "High" assessment (where DIBCAC actually shows up with a team of assessors and does a full-blown assessment). You don't want to be caught short if your number comes up.
(c) Go ahead and review the 20 delta controls in CMMC ML3, as frankly some of those really are good practices and should have been included in NIST 800-171.
(d) Make sure your SSP & POAM are strong, accurate and up-to-date. Remember the DoD 800-171 Assessment Methodology states:
“The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’”
So you literally cannot self-assess and record a score in SPRS if you do not have an SSP.
(e) Start work on documenting your practices simply as a matter of course -- e.g., when you run your periodic check to be sure all software is up to date on all devices, write down or type up a simple bullet list of the steps that you take to do that. This becomes a practice document that will demonstrate your maturity when you do eventually assess CMMC, and it doesn't take long to record it as you go along.
So, as Dory would say, Just keep swimming! 😁 Have a good week!