November 17, 2021
Good afternoon, everyone!
More information on CMMC 2.0
Last Tuesday the CMMC-AB held a town hall meeting with guests from the DoD. More news came out, worth sharing. My key takeaways: (quotes are summarized/paraphrased from my notes, as there is no recording of this town hall for reference)
Relieving the compliance burden for small businesses
This was clearly a priority, and allowing self-attestation for Level 1 is a huge step in this direction. Reducing the documentation burden for Level 2 (previously ML3) will also help small businesses tremendously. (Notice that I said “reducing,” not “eliminating” – more on that below.)
Why the 20 “delta” practices and maturity processes were dropped
In the town hall meeting, the DoD explained that they plan to work with NIST to have these practices and processes added to 800-171. So the new Level 2 mirrors 800-171 and Level 3 mirrors 800-172. Why is this important? It appears that the goal is to avoid having agency-specific requirements, which aligns with Biden’s Executive Order on Improving the Nation’s Cybersecurity released on May 12. Eliminating the agency-specific requirements also makes the CMMC more attractive as a government-wide standard.
This makes a lot of sense to me, and I’m happy to think that these practices will be added to 800-171 at some point. Hint: there’s no reason you can’t go ahead and add these practices to your information security program now! They are worth doing.
More clarity on POAMs
POAMs will be allowed in certain circumstances (never for the highest-weighted controls in 800-171) and for a period of 180 days after the contract award. If your POAMs aren’t closed within this time frame, the contracting officer can implement normal remedies for failure to meet contract requirements. “A subset of controls we feel need to be in place for any company that holds CUI (the highest-weighted ones) must be implemented. A certain minimum score will be established.” More on that coming later, I guess.
Waivers will be rare.
Only on a “very limited basis” for “certain mission critical acquisitions.” Waivers require senior DoD leadership approval, to make certain they are not overused. Waivers must be requested by the government program office, not the contractor, and must include “risk mitigation strategies.”
Attestation creates accountability
This is why attestation by a senior official of the company is required for annual self-attestation. The DoD is really tired of contractors ignoring cyber security requirements.
DoD will be renegotiating the contract with CMMC-AB
More oversight seems to be the goal here. It will be interesting to see how this works out.
Written practices and processes aren’t going away
There was a fair bit of discussion on this topic, and some things said by DoD are important:
- Even with the practices taken out of the model, “companies will have to have processes in place to put their practices into effect.”
- “They need to still have those policies and processes moving forward.”
- “NIST will be the driver,” but DoD really wants to see their maturity processes included in a future version of 800-171.
As a footnote to this, remember that many practices in 800-171 require documentation, and the entire standard is based on your written System Security Plan. The "Non Federal Organization" (NFO) controls in Appendix E are worth looking at also, as 800-171 is based on the assumption that you already have in place written policies and practice documents for all families of controls of NIST 800-53. These pretty well match the 999 and 998 controls in the old ML3 assessment guide. Finally, many of the assessment objectives cannot be met without written policies and procedures. It was said that these written documents "won't be assessed per se" but the assessors will be asking to see them, as evidence for meeting assessment objectives.
Contracts with CDI will require a certified assessment.
In the town hall meeting, examples of L2 contracts allowed to self-attest included uniforms and boots. Third-party assessment will be required for systems with "information critical to national security" and most people in the industry seem to agree this means Controlled Defense Information, including Controlled Technical Information (CTI), nuclear, and anything export controlled (ITAR/EAR). So, if you have contracts with the 7012 clause and you handle this type of data, you should continue working on your plan for an official assessment.
The pilot program has been dropped.
What does this mean? Most people expect the CMMC clause to be included in all contracts once the rulemaking process is finished in 9-24 months. At a minimum, I think it will be included in all CUI contracts, especially those handling CTI, nuclear and/or export-controlled data.
Remember to Just Keep Swimming! Close those POAMs, update your SPRS score, and work on your written policy and practice documents as you go along. Written documentation only makes a company stronger, enabling repeatable processes.