In this blog, we cover several takeaways that we felt were significant. Then, we'll discuss our selected unanswered questions from the October Town Hall meetings.
The CMMC-AB held two Town Hall events in October to address a backlog of questions from the ecosystem.
During the October 12th Town Hall, the Body addressed many administrative questions. But their queue actually grew longer, with more than 100 new questions submitted during that meeting alone.
Members of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) participated in the October 26th Town Hall. They provided much-needed insight into the current CMMC assessment process ongoing with C3PAOs.
The CMMC-AB also did a better job during this second Town Hall of answering questions as they arose in the Q&A dialog box.
Since participants may not have seen some of those responses, we'll cover several that we felt were significant. Then, we'll discuss our selected unanswered questions from the October Town Hall meetings.
This was the first of two written responses hinting that the CMMC-AB has reason to believe DoD will issue a final ruling on CMMC by mid-November.
Matthew Travis alluded to this during the meeting when discussing the scheduling of the next Town Hall meeting.
The next Town Hall meeting is scheduled for November 30, 2021. But Travis stated that if DoD issues rulemaking before then, the CMMC-AB may schedule an interim Town Hall.
Here again, Mr. Dalton indicated that CMMC-AB expects DoD to make some type of announcement regarding changes to the CMMC program by mid-November.
This response is less indicative of imminent DoD rulemaking. Yet, it does substantiate that a second Board Member also expects further guidance published in November.
We knew that five C3PAOs had passed the DIBCAC assessment before the second October Town Hall.
What DIBCAC added during the meeting was that 13 C3PAOs had not made it past the scoping phase and 7 had not made it past the readiness review phase.
Another 7 were under evaluation and one had withdrawn its candidacy after starting the DIBCAC process, giving us a total of 33 candidate C3PAOs referred to them.
The DIBCAC team also outlined their 5-6 week timeframe for the readiness review and assessment process.
If we assume that the first authorized C3PAO (Redspin) was one of the first evaluated by the DIBCAC, then we could say early May 2021 was when they started assessing C3PAOs.
In 5 months, they've evaluated, to some degree, 33 C3PAOs. At that rate, it would take roughly 29 months to assess all 192 Candidate C3PAOs currently listed in the marketplace.
The most shocking metric here was that 21 of the 33 C3PAOs (those stuck at scoping or readiness review plus the one withdrawal) did not make it through the DIBCAC assessment.
We assume these organizations have more resources and experience in preparing for this certification assessment than the average DIB company. The DIBCAC representatives listed the reasons why C3PAOs had not passed the assessment process:
Unfortunately, the part of the question related to C3PAOs still largely remains unanswered.
Mr. Dalton stated that they needed 150 provisional assessors for pilot assessments in the first year, although the marketplace lists only 119 at the time of this publication. We assume some provisional assessors are still working on their authorization.
The shortfall of assessors was recently discussed in a FedScoop article.
In total, there were over 2,000 registered practitioners listed in the CMMC Marketplace at the time of writing this article.
The prerequisite of 4+ years of cyber experience, along with the high cost of completing many levels of training and exams, will prevent many registered practitioners from becoming a Certified CMMC Assessor for Maturity Level 3 (CCA-3). FedScoop quoted Mr. Travis in the article: "We need to do a more aggressive or proactive job of recruiting".
Again, with only 119 provisional assessors listed in the Marketplace, we assume that at least 30 provisional assessors are currently undergoing their certification.
Anyone who didn't make it into the provisional assessor program will have to take the certified assessor route shown on the CMMC-AB site.
This question comes from the perspective of an OSC looking to learn as much as possible about the assessment process to better prepare their own organization.
Looking at the roadmap for a CMMC Certified Professional (CCP), there is no need to take part in an assessment to become certified. The roadmap for a CMMC Certified Assessor (CCA-1) does require observation on an assessment, but this is the last step prior to certification.
Jeff's answer provided a way for an OSC to take the course and exam for a CCA-1 without ever being certified as an assessor, if the intent is only to better prepare its own organization for an assessment: an OSC employee can attend the CCA-1 course and sit the exam, but if they don't take part in an assessment, they won't receive an assessor certification. Since CCA-1 certification is a prerequisite for the CCA-3 course, that individual wouldn't be able to take the CCA-3 course. There's a valid concern here from the OSC standpoint, given the significant gap in requirements from ML-1 to ML-3.
It's reasonable for an OSC to want to know how deeply assessors examine ML-3 practices, processes, procedures, and plans. Based on Mr. Dalton's answer, if an OSC did want to pursue CCA-3 training, its staff would first have to become certified as a CCA-1. This would include performing an assessment observed by an AB staff member or an independent senior assessor contracted by the AB.
So what is the difference between the L1 and L3 classes? We’ll have to move this over to the unanswered questions section because Mr. Dalton didn’t provide an answer.
CMMC will require any contractor or subcontractor handling Federal Contract Information for the DoD to hold a Maturity Level 1 (or higher) certification before the award of any contract containing DFARS clause 252.204-7021. Until this DFARS clause appears in a contract you take part in, adherence to FAR 52.204-21 is self-attested.
The DIBCAC representatives at the October Town Hall clarified that the policies don’t need to be a one-to-one match to the seventeen domains.
It’s possible to have more or fewer policies as long as they meet the assessment objectives for each domain and it’s clear to an assessor how the policies govern each required domain.
The .998 process requirement covers procedures: the documented processes used to carry out the practices. Each practice (130 for ML3) must have a documented process that meets the three assessment objectives (documented and followed; specifies the activities required to carry out the policy; reviewed and updated).
The .997 process requirement covers plans that detail the implementation of policies. Since the DIBCAC representatives clarified that policies don't need to be a one-to-one match to the seventeen domains, it's likewise possible to have more or fewer plans, as long as they meet the assessment objectives for each domain and it's clear to an assessor how the plans govern each required domain.
The annual renewal fees listed on the CMMC-AB website are as follows:
A June 2021 article from National Defense quoted Stacy Bostjanick, Director of CMMC Policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment: "You could include up to [CMMC] Level 3 in your indirect rates. So, you don't get a direct charge to do it, but you do get to recoup the cost over time; you have to spread it across all of your business." This helps address how prime contractors can pass the cost along, but suppliers are still beholden to their contracts and relationships with their primes.
There is a delineation between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC will require all companies doing business with the DoD that handle FCI to obtain an ML1 certification (or higher).
They must receive their certification before the award of a contract containing the DFARS 252.204-7021 clause.
We estimate 50,000 companies within the Defense Industrial Base handle CUI. CMMC will require all companies doing business with the DoD that handle CUI to obtain an ML3 certification (or higher), again before the award of a contract containing the DFARS 252.204-7021 clause.
There has been considerable discussion about this question and the DoD has yet to provide a clear answer.
The answer may also depend on whether the covered information system manages CUI today or anticipates handling CUI in the future.
We cannot see any scenario in which an OSC would consider their SSP as CUI if they are only seeking an ML1 certification and have no plans on working with CUI in the future.
There’s precedent for considering non-federal SSPs CUI.
For example, the SSP template available for download from the FedRAMP website comes with cover markings for CUI.
Paragraph (h) of DFARS 252.204-7012 states "the Government shall protect against the unauthorized use or release of information... derived from information obtained from the contractor under this clause that includes contractor attributional/proprietary information...the Contractor shall identify and mark attributional/proprietary information".
There were fewer questions and more accolades from the ecosystem in the Q&A dialog box compared to the last several Town Hall meetings.
Participation from the DIBCAC eased some of the ecosystem's concerns that the DoD was not invested in CMMC and provided some solid technical guidance. We will stay on top of any future developments forthcoming in November.