On November 30, 2021, the CMMC-AB held a scheduled Town Hall meeting to update the CMMC Ecosystem and defense industrial base (DIB). Here are the key takeaways.
We’ll cover the highlights and questions raised on this Town Hall. It leads up to the news of the Department of Defense (DoD) releasing the guidance and documentation on the CMMC assessment scoping.
The agenda for the Town Hall included…
Matthew Travis started his update by addressing refunds for members of the ecosystem affected by the proposed changes of CMMC 2.0.
Since Level 1 will now be self-assessed, there will be no Level 1 Assessors.
The CMMC-AB offered multiple options for those individuals who already put resources into Level 1, before the CMMC 2.0 changes…
Choosing to keep the funds with the CMMC-AB comes with an incentive. Doing so boosts the credit from $275 to $350.
The CMMC-AB asked assessor candidates to decide by Christmas, 2021 how they would like to appropriate the refund or credit.
Early on into the launch of CMMC 1.0, the CMMC-AB planned to charge C3PAOs for each assessment. As such, they sold vouchers to candidate C3PAOs that would cover these future assessment fees.
Mr. Travis didn’t think that this was in line with the role of the CMMC-AB. So, they’ve decided to refund any vouchers and have done away with those fees altogether.
Any Registered Practitioners or Registered Provider Organizations that joined before December 1, 2020, had their renewal date extended to December 1, 2021.
The CMMC-AB entertained refund requests from this group of consultants based on the changes announced in 2.0. But Mr. Travis pointed to the refund policy on their website. It limits refunds to non-application fees paid within the past 30 days if approved by the CMMC-AB.
The slide also noted that the CMMC-AB would defer renewals for Provisional Assessors and C3PAOs. These deferrals would remain in effect until assessments under the Interim program begin.
Mr. Travis gave his thoughts on some of the concerns raised about the changes announced in CMMC 2.0.
On the transition of Level 1 back to self-attestation, Mr. Travis stated that he believes organizations may still hire consultants to oversee their self-attestation. He maintains this view even given the risk of liability under the False Claims Act and the new requirement that a senior executive sign off on these self-attestations.
The CMMC-AB has discussed the potential to offer an optional certification assessment for OSCs at Level 1 using a C3PAO. In this case, the results would stay valid for 3 years instead of the annual self-attestation.
Mr. Travis shared his perspective on the bifurcation of Level 2 contracts into self-assessed and third-party-assessed tracks.
He views it as a potential mechanism to manage the scalability of the ecosystem, much like the initial crawl, walk, run phased CMMC 1.0 rollout.
The bifurcation enables the management of demand for certification assessments until the supply of certified third-party assessment organizations is sufficient to meet it.
Mr. Travis clarified that the CMMC-AB believes that organizations seeking a Level 3 certification will first need to achieve a Level 2 certification.
The Level 2 process needs to happen through a C3PAO before submitting for a Level 3 certification with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The CMMC-AB continues to move forward with the training and certification efforts within the ecosystem.
The Certified CMMC Professional (CCP) training courses available today are foundational. They draw on content from the CMMC framework as well as the beginning training for assessors.
At the time of this Town Hall, DoD was still updating all documentation of CMMC 2.0.
At the end of the same week, DoD released some of the updated documentation. It gave a target release date of mid-December for delivering the remaining documentation.
The launch of CMMC 2.0 delayed CCP exams until the CMMC-AB updated the training to reflect changes made in the new release.
Once they receive the new CMMC 2.0 documentation, the CMMC-AB will be updating the CCP objectives blueprint and publishing new exam dates.
The CMMC-AB will present the realigned 2.0 version back to DoD for approval. Once approved, they will produce delta content and an online training module for CCP to bridge the gap to 2.0.
This training will be available to any individual registered within the ecosystem. That includes registered practitioners, provisional assessors and instructors, and those in CCP training.
Allison Krache Giddens, President of aerospace manufacturer Win-Tech, Inc and an inaugural member of the CMMC-AB Industry Advisory Council, provided a refreshing perspective to the CMMC-AB when asked for her opinion on the release of CMMC 2.0.
Allison commented, “Since so many of us were waiting for so long for some sort of information, my initial reaction was a relief, but it was just because we were getting answers.” She continued, “Overall, the radio silence hurt the mission since there were so many organizations who interpreted the silence as complacency to those that weren’t taking the time to improve security.”
On January 31, 2020, DoD released the official version 1.0 of CMMC.
On March 23, 2020, DoD signed the Memorandum of Understanding (MOU) creating the CMMC-AB.
Since then, the only progress towards implementing CMMC through rulemaking has been the Interim DFARS Rule 2019-D041 published on September 29, 2020. It required contractors with DFARS clause 252.204-7012 to upload a self-assessment of NIST SP 800-171 controls.
There weren’t any public announcements on DoD’s implementation of CMMC until November 4, 2021. On that date came the announcement of a new strategic direction in CMMC 2.0.
Mr. Travis asked Allison her thoughts on whether prime integrators would likely be asking their suppliers to achieve a third-party certification over a self-attestation. She commented, “I think it really will depend on the prime and what level of risk they are willing to accept... As a small business, the dollars associated with a third-party assessment are not insignificant.”
Another concern for Allison was the bottleneck of assessors, “If primes and the DoD do push for that third-party assessment piece of the puzzle, I think we’re going to start seeing that bottleneck concern sooner rather than later.”
“Ultimately, the things that give me pause on 2.0, I think there might be some false hope out there that since the Delta 20 are gone, things are cheaper and easier. I don’t think that’s necessarily the case.” She continued, “Additionally, I don’t feel as though we have a clear picture on CUI and the delineation between those at level 2.” She was referencing the proposed bifurcation of self-assessments versus third-party assessments in CMMC 2.0.
In the initial release of CMMC, Maturity Level 3 contained 130 practices. The majority of them came from NIST SP 800-171 but the Delta 20 practices didn’t.
The introduction of CMMC 2.0 reverted the practice requirements for contracts involving controlled unclassified information (CUI) to only those controls specified in NIST SP 800-171, which dropped the Delta 20 from the framework, for now.
There has been some recent news indicating that NIST is preparing to update NIST SP 800-171 Revision 2 soon, so some of the practices within the Delta 20 may reappear in the next framework release. NIST updated the underlying SP 800-53 to Revision 5 in September 2020.
On November 23, 2021, Inside Cybersecurity published a story after interviewing Ron Ross, a Fellow at NIST and one of the authors of SP 800-171. The story revealed that NIST will be updating SP 800-171 to make sure the controls derived from NIST SP 800-53 Rev. 5 still meet the moderate-impact requirements.
On the positive side, the inclusion of a Plan of Action & Milestones (POA&M) was a good starting point. It allows for some baby steps, according to Allison. A lot of OSCs recognized that perfect wasn’t going to happen and this helps OSCs better prioritize time and resources.
Allison believes that practices with higher scores (5) will not be permissible to be on a POA&M.
But contractors will have up to 180 days to remediate some of the lower score practices.
On the concept of waivers, Allison’s perspective was that the DoD may accept the risk for some CUI on prioritized contracts. This could happen to accommodate sole-source manufacturers who are unlikely to pay for an assessment.
Mr. Travis asked Allison what types of incentives she would like to see considered and implemented for OSCs who voluntarily submit to a third-party assessment before the official rollout of CMMC 2.0.
Here is the wish list Allison provided…
When asked how CMMC 2.0 has changed the way Win-Tech has prepared for their certification, Allison responded, “It has allowed us to put the foot on the accelerator on a few initiatives...we opted to put time and resources towards improvements that would be good for Win-Tech regardless of the framework, particularly documentation and continuous employee training because neither are wastes of time if you do them right.”
In closing, Allison remarked that “by releasing CMMC 2.0, DoD shared a little bit on their priorities and their focus which allows us to marry what we’re doing now with what is being expected of”.
This question was not addressed in the Town Hall but the subsequent scoping guidance released by DoD does answer this question. There are four categories of assets considered within scope (OT systems are specialized assets)...
For specialized assets, such as OT, the OSC should document the asset in their asset inventory, network diagram, and system security plan. If they are appropriately documented, they will not need to comply with other CMMC practices outside of NIST SP 800-171A 3.12.4.
The CMMC-AB did not record the event at the request of the DoD but we posted a copy of the meeting on YouTube for those who may have missed it. We apologize for the sound quality in advance.
Per the updated guidance, DoD will release the Level 1 Self-Assessment Guide no later than December 10, 2021. The Level 2 Assessment Guide will come soon after in mid-December 2021.
We did address the cost of CMMC certification in a previous blog.
An external service provider can be within the scope of a CMMC assessment if it meets CUI asset criteria. You should evaluate the shared responsibility matrix to identify inherited security.