Town Hall Overview
On November 30, 2021, the CMMC-AB held a scheduled Town Hall meeting to update the CMMC Ecosystem and defense industrial base (DIB).
We’ll cover the highlights and the questions raised at this Town Hall. It came just days before the Department of Defense (DoD) released its guidance and documentation on CMMC assessment scoping.
The agenda for the Town Hall included…
An update from the CMMC-AB CEO, Matthew Travis
A Training and Certification update from Kyle Gingrich
Input from the CMMC-AB Industry Advisory Group (IAG), represented by Allison Krache Giddens
Matthew Travis started his update by addressing refunds for members of the ecosystem affected by the changes proposed in CMMC 2.0.
Credits for Exam Vouchers
Since Level 1 will now be self-assessed, there will be no Level 1 Assessors.
The CMMC-AB offered several options to individuals who had already invested in Level 1 credentials before the CMMC 2.0 changes…
A full refund of any assessment vouchers ($275 value)
Keeping the funds with the CMMC-AB, either applied to CMMC Certified Assessor (CCA) exam costs or held as a credit on their account for future credentials or maintenance fees
Choosing to keep the funds with the CMMC-AB comes with an incentive: the credit grows from $275 to $350.
The CMMC-AB asked assessor candidates to decide by Christmas 2021 whether they wanted the refund or the credit.
C3PAO Assessment Vouchers
Early in the launch of CMMC 1.0, the CMMC-AB planned to charge C3PAOs a fee for each assessment, and it sold vouchers to candidate C3PAOs to cover those future fees.
Mr. Travis didn’t think that charging per assessment was in line with the role of the CMMC-AB, so the CMMC-AB decided to refund the vouchers and do away with those fees altogether.
Renewals
Any Registered Practitioners or Registered Provider Organizations that joined before December 1, 2020, had their renewal date extended to December 1, 2021.
The CMMC-AB received refund requests from this group of consultants based on the changes announced in 2.0, but Mr. Travis pointed to the refund policy on the CMMC-AB website, which limits refunds to non-application fees paid within the past 30 days and approved by the CMMC-AB.
The slide also noted that the CMMC-AB would defer renewals for Provisional Assessors and C3PAOs until assessments under the interim program begin.
On Proposed Changes in CMMC 2.0
Level 1 - Self Attestation
Mr. Travis gave his thoughts on some of the concerns raised about the changes announced in CMMC 2.0.
On the transition of Level 1 back to self-attestation, Mr. Travis stated that he believes organizations may still hire consultants to oversee their self-attestation, and he maintains this view even given the False Claims Act risk and the new requirement that a senior executive sign off on these self-attestations.
The CMMC-AB has discussed the potential to offer an optional certification assessment for OSCs at Level 1 using a C3PAO. In that case, the results would stay valid for three years instead of requiring an annual self-attestation.
Level 2 - Bifurcation
Mr. Travis shared his perspective on the bifurcation of Level 2 contracts into self-assessed and third-party-assessed categories.
He views it as a potential mechanism to manage the scalability of the ecosystem, much like the initial crawl, walk, run phased CMMC 1.0 rollout.
The bifurcation enables the management of the demand for certification assessments until the supply of certified third-party assessment organizations is enough.
Level 3 - Government Certifications
Mr. Travis clarified that the CMMC-AB believes organizations seeking a Level 3 certification will first need to achieve a Level 2 certification.
That Level 2 certification must come from a C3PAO before the organization submits for a Level 3 assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Training and Certification Updates
The CMMC-AB continues to move forward with the training and certification efforts within the ecosystem.
The Certified CMMC Professional (CCP) training courses available today are foundational. They cover the CMMC framework itself and serve as the entry-level training for assessors.
Training Documentation
At the time of this Town Hall, DoD was still updating all documentation of CMMC 2.0.
By the end of that same week, DoD had released some of the updated documentation and gave a target date of mid-December for the remaining documents.
Exams & Objectives Blueprint
The launch of CMMC 2.0 delayed the CCP exams until the CMMC-AB could update the training to reflect the changes in the new release.
Once it receives the CMMC 2.0 documentation, the CMMC-AB will update the CCP objectives blueprint and publish new exam dates.
Beta Training
The CMMC-AB will present the realigned 2.0 version of the training back to DoD for approval. Once approved, it will produce delta content and an online training module so CCP candidates can bridge the gap to 2.0.
This training will be available to anyone registered within the ecosystem, including registered practitioners, provisional assessors and instructors, and those in CCP training.
The Defense Industrial Base Perspective
Allison Krache Giddens, President of aerospace manufacturer Win-Tech, Inc. and an inaugural member of the CMMC-AB Industry Advisory Group, provided a refreshing perspective when asked for her opinion on the release of CMMC 2.0.
General Feelings on CMMC 2.0
Allison commented, “Since so many of us were waiting for so long for some sort of information, my initial reaction was a relief, but it was just because we were getting answers.” She continued, “Overall, the radio silence hurt the mission since there were so many organizations who interpreted the silence as complacency to those that weren’t taking the time to improve security.”
On January 31, 2020, DoD released the official version 1.0 of CMMC.
On March 23, 2020, DoD signed the Memorandum of Understanding (MOU) creating the CMMC-AB.
Since then, the only rulemaking progress toward implementing CMMC has been the Interim DFARS Rule (DFARS Case 2019-D041) published on September 29, 2020. It required contractors subject to DFARS clause 252.204-7012 to submit a self-assessment score of their NIST SP 800-171 implementation to the Supplier Performance Risk System (SPRS).
There were no public announcements on DoD’s implementation of CMMC until November 4, 2021, when DoD announced the new strategic direction of CMMC 2.0.
Concerns of CMMC 2.0
Mr. Travis asked Allison her thoughts on whether prime integrators would likely be asking their suppliers to achieve a third-party certification over a self-attestation. She commented, “I think it really will depend on the prime and what level of risk they are willing to accept... As a small business, the dollars associated with a third-party assessment are not insignificant.”
Another concern for Allison was the bottleneck of assessors, “If primes and the DoD do push for that third-party assessment piece of the puzzle, I think we’re going to start seeing that bottleneck concern sooner rather than later.”
“Ultimately, the things that give me pause on 2.0, I think there might be some false hope out there that since the Delta 20 are gone, things are cheaper and easier. I don’t think that’s necessarily the case.” She continued, “Additionally, I don’t feel as though we have a clear picture on CUI and the delineation between those at level 2.” She was referencing the proposed bifurcation of self-assessments versus third-party assessments in CMMC 2.0.
In the initial release of CMMC, Maturity Level 3 contained 130 practices: 110 of them came from NIST SP 800-171, while the remaining 20, the “Delta 20,” did not.
CMMC 2.0 reverted the practice requirements for contracts involving controlled unclassified information (CUI) to only the controls specified in NIST SP 800-171, dropping the Delta 20 from the framework, for now.
Recent news indicates that NIST is preparing to update NIST SP 800-171 Revision 2, so some of the Delta 20 practices may reappear in a future framework release. NIST updated the underlying SP 800-53 to Revision 5 in September 2020.
On November 23, 2021, Inside Cybersecurity published a story after interviewing Ron Ross, a Fellow at NIST and one of the authors of SP 800-171. The story revealed that NIST will update SP 800-171 to make sure its controls, which are derived from NIST SP 800-53 Rev. 5, still meet the moderate-impact requirements.
Benefits of CMMC 2.0
On the positive side, Allison saw the inclusion of a Plan of Action & Milestones (POA&M) as a good starting point that allows for some baby steps. Many OSCs recognized that perfect wasn’t going to happen, and a POA&M helps them prioritize time and resources.
Allison believes that the higher-weighted practices (those scored at 5 points) will not be permitted on a POA&M.
Contractors will, however, have up to 180 days to remediate some of the lower-scored practices.
On the concept of waivers, Allison’s perspective was that DoD may accept the risk for some CUI on prioritized contracts, for example to accommodate sole-source manufacturers who are unlikely to pay for an assessment.
Mr. Travis asked Allison what types of incentives she would like to see considered and implemented for OSCs who voluntarily submit to a third-party assessment before the official rollout of CMMC 2.0.
Here is the wish list Allison provided…
DoD pays for the assessment (not a reimbursement)
An extended validity period on the certification, grandfathered against any later changes
Extended time allowance for time-bound POA&Ms
Offering dual certification (for example ISO 27001 at the time of CMMC award)
When asked how CMMC 2.0 has changed the way Win-Tech has prepared for certification, Allison responded “It has allowed us to put the foot on the accelerator on a few initiatives...we opted to put time and resources towards improvements that would be good for Wintech regardless of the framework, particularly documentation and continuous employee training because neither are wastes of time if you do them right.”
In closing, Allison remarked that “by releasing CMMC 2.0, DoD shared a little bit on their priorities and their focus which allows us to marry what we’re doing now with what is being expected of”.
Question and Answer Session
Question: Do DIB companies have an option to certify before CMMC 2.0 rulemaking using the 1.0 framework?
Answer: No. When authorized, C3PAOs will assess OSCs against the CMMC 2.0 standard. That standard applies both during the interim voluntary period and after rulemaking (pending any changes made to the model during rulemaking).
Question: If CMMC 2.0 is mainly NIST SP 800-171 do we still need to have RPOs provide consulting services and gap assessments?
Answer: There was never any requirement to use RPOs but it was always helpful to have outside opinions.
Question: Are DIB companies able to bypass level 2 and go straight to level 3 and get a free DIBCAC assessment?
Answer: No. Before engaging the DIBCAC you must receive a Level 2 certification through a C3PAO. The DIBCAC will then perform only a delta assessment of the Level 3 controls drawn from NIST SP 800-172.
Question: When will DoD be releasing further documentation on CMMC 2.0?
Answer: The documentation wasn’t available at the time of the meeting on November 30, 2021. However, on December 3, DoD released the scoping guides and provided release dates for the remaining updated guides.
Question: How will suppliers know if they need to have a third-party assessment?
Answer: Mr. Travis referred to the answer Buddy Dees gave at the November 9, 2021 Town Hall meeting, reiterating that the criteria for bifurcation are still undetermined. He stated that the current guidance is that if your contract is “operationally supportive in nature, tied to warfighting, the war-fighter, weapons systems, or operational issues,” then it is more likely to require third-party certification.
Question: How has the release of CMMC 2.0 affected the timeline for CCP exams?
Answer: Exams won’t occur until DoD releases the updated documentation, and the CMMC-AB and DoD will need to agree on the updated objectives blueprint beforehand. The CMMC-AB can then work with its third-party exam development partner to update the item pools and add new questions.
Question: As we move closer to a FAR CUI rule, has the CMMC-AB engaged with other executive branch agencies outside of DoD? Or, is there any sign that CMMC may expand to the wider federal government?
Answer: Mr. Travis responded that the CMMC-AB wants to see CMMC grow and would welcome its expansion to other branches of the US government and to allied nation partners, but those decisions rest with those agencies. Right now the CMMC-AB’s only priority is to assist DoD with a successful implementation.
Question: Is DoD still requiring suitability for assessors?
Answer: Yes, as of right now, none of the suitability requirements have changed.
Question: Will the changes allow the DIBCAC to speed up certification of C3PAOs?
Answer: CMMC 2.0 includes an increased budget for the DIBCAC so it can scale up its throughput.
Answering Unanswered Questions
Question: NIST SP 800-171 was written for Information Technology (IT) systems, while CMMC was meant to include Operational Technology (OT) systems. Does CMMC 2.0 include OT?
This question was not addressed in the Town Hall, but the scoping guidance DoD released afterward does answer it. The guidance defines four categories of in-scope assets (OT systems fall under Specialized Assets)...
CUI Assets - that process, store, or transmit CUI
Security Protection Assets - provide security functions to the CMMC assessment scope
Contractor Risk Managed Assets - not physically or logically separated from CUI assets but do not process, store, or transmit CUI because of security policies, procedures and practices in place.
Specialized Assets - may or may not process, store, or transmit CUI (includes government property, IoT devices, OT, restricted information systems, and test equipment)
For Specialized Assets such as OT, the OSC should document the asset in its asset inventory, network diagram, and system security plan. If the assets are appropriately documented, they will not be assessed against CMMC practices other than NIST SP 800-171A 3.12.4 (the system security plan requirement).
Question: Is there a recording available of the November 9th meeting with the DIBCAC?
The CMMC-AB did not record the event at the request of the DoD but we posted a copy of the meeting on YouTube for those who may have missed it. We apologize for the sound quality in advance.
Question: When can we expect to see a complete draft of CMMC 2.0?
Per the updated guidance, DoD will release the Level 1 Self-Assessment Guide no later than December 10, 2021, with the Level 2 Assessment Guide to follow in mid-December 2021.
Question: Any guidance coming out on the CMMC 2.0 compliance cost?
We did address the cost of CMMC certification in a previous blog.
Question: When scoping systems for CMMC assessments, do you include information that is on a FedRAMP High environment?
An external service provider can be within the scope of a CMMC assessment if it meets the CUI asset criteria. Evaluate the provider’s shared responsibility matrix to identify which security controls you inherit from it.
Organizations should identify the roles assigned to each statement within their policies; mapping policy commitments to requirements and roles produces a shared responsibility matrix.