August 23, 2023
A look inside the leaked documents of CMMC v2.1
This has certainly been an interesting summer! In July, NIST released SP 800-171r3 ipd, and shortly thereafter, the DoD sent the new CMMC rule to OIRA/OMB for review prior to publication. On August 3, OIRA apparently made a mistake and published the new assessment guides and scoping guides for all THREE levels (yes, this was our first look at CMMC Level 3). The documents were withdrawn less than 24 hours later but I, like many of my colleagues, downloaded them all while still available and have been perusing them intently ever since. The docs were all marked "[DISTRIBUTION STATEMENT A] Approved for public release." so I feel comfortable discussing a few of the highlights here (and you can find lots more discussion on LinkedIn, as well as links to the withdrawn documents which have since been published elsewhere).
I've outlined below a few key points for each level, but first let me say this: these documents are drafts and were published by mistake, so they are not yet the law of the land, and are subject to change. Having said that, however, the DoD wouldn't have sent these draft documents to OMB if they didn't represent what the DoD is thinking. I believe it's important to know what changes may be coming, so as to be prepared. This is particularly important if your organization is ready to make any changes in its CMMC environment, especially to purchase new products or services. I would say that these draft documents, as well as the changes in NIST SP 800-171r3 ipd, should be taken into consideration in this circumstance.
The scoping guide has one surprise, in that "External Service Providers" (ESPs) are now in scope:
In accordance with 32 CFR § 170.19(a)(3), to appropriately scope a CMMC Level 1 self-assessment, the [OSC] should consider the people, technology, facilities, and external service providers within its environment that process, store, or transmit FCI.
What is an ESP? "external people, technology, or facilities that an [OSC] utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the [OSC]."
The L1 Assessment Guide (AG) has been renumbered to match the 15 controls of the Basic Safeguarding Rule (FAR 52.204-21), which is required of all government contractors, not just DoD (presumably in keeping with Executive Order 14028, "Improving the Nation’s Cybersecurity," which forbids agency-specific cybersecurity requirements). However, the AG also specifically states that the L1 self-assessment must be performed using the Assessment Objectives (AOs) identified in NIST SP 800-171 (those controls are mapped in the "Key References" section after each control in the AG).
There are a few unpleasant surprises in L2, mainly in the scoping guide:
(1) Security Protection Assets (SPA), i.e., assets which "provide security functions or capabilities within the [OSC]’s CMMC Assessment Scope," must be assessed against all CMMC security requirements. This is a change from the original scoping guide, which referenced assessment against "applicable" requirements. The specific example given is quite telling:
For example, an External Service Provider (ESP, defined in 32 CFR 32 §170.4) that provides a security information and event management (SIEM) service may be separated logically and may process no CUI, but the SIEM does contribute to meeting the CMMC requirements within the [OSC]’s CMMC Assessment Scope.
(2) Contractor Risk Managed Assets (CRMA) are going to be under greater scrutiny than previously thought. They should now "Prepare to be assessed against CMMC security requirements" (previously noted: "Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices").
(3) ESPs are playing a much larger role in L2. If "data (specifically CUI or Security Protection Data, e.g., log data, configuration data) [resides] on the ESP assets" then that ESP must have a CMMC Level 2 Certification. Again, this is a draft document and this particular situation is thorny, so we hope to have clearer guidance from the DoD once the final rule is published.
Since this is our first look at L3, there are no "changes" to report as such, but there are nonetheless several points worth noting:
(1) There are no CRMA in the L3 scoping guide.
(2) Specialized Assets (SA) must be assessed against all CMMC security requirements, although "intermediary devices" may help meet requirements:
Specialized Assets are part of the Level 3 CMMC Assessment Scope per 32 CFR § 170.19(d)(1) Table 4. The OSC should prepare for these assets to be assessed against all CMMC requirements unless they are physically or logically isolated into purpose-specific networks (with no connection to the Internet or other networks). Specialized Assets may have limitations on the application of certain security requirements. To accommodate such issues intermediary devices are permitted to provide the capability for the specialized asset to meet one or more CMMC requirements.
(3) An OSC seeking L3 certification must first obtain L2 certification on the same scope. Since there are no CRMA in the L3 scoping guide, this must be taken into account at L2 for OSCs that ultimately require L3 certification. (However, the L3 scope may be a subset of the certified L2 scope, so theoretically one could have CRMA in the L2 scope outside the L3 subset. We're really splitting hairs now.)
(4) ESPs in scope for an OSC's L3 assessment must be certified at L3, and some of the requirements of L3 may be difficult for all but the largest contractors to do in-house (a SOC operating 24/7, for example).
This is by no means an exhaustive list of the changes from CMMC 2.0 to 2.1, but my focus here is on those changes that may impact an OSC's decisions in the near term, particularly with respect to changes in its current CUI environment. In short, you may not want to make any (significant) changes that can be postponed until we have final versions of these documents and clarification on some points.
Need help? You know where to find me!