As many know, the CMMC Proposed Rule was published in the Federal Register on December 26th, 2023. After an initial review, it is clear that a lot of thought and effort went into drafting the proposed rule, which I will attempt to unpack into simple terms and information for those reading this blog post.
The 234-page document starts out with a current requirements section beating on that drum of complying with DFARS 252.204-7012 and developing a System Security Plan (SSP) with appropriate policies and procedures to comply with NIST SP 800-171. Then it moves into the introduction of DFARS 7019, 7020, and 7021 and what each clause introduced. I won’t bore you with the details of each clause and the history lesson that follows, but keep 7021 in the back of your mind for now. We’ll get to that one later.
The first area that is tackled is Level 1 requirements and implementing the 15 security requirements under FAR clause 52.204-21. Based on the proposed rule, the self-assessment under this requirement must be performed annually and entered in the Supplier Performance Risk System (SPRS). Plans of Action and Milestones (POA&Ms) are not allowed for Level 1. Another new item is the requirement that a senior official from the prime contractor and any applicable subcontractor annually affirm continued compliance with the requirements. Whelp, there you have it folks. Someone in senior leadership is going to be on the hook for your official affirmation that you are complying with all your requirements. If I’m senior leadership, I’ll want to see proof that everything we’re attesting to is accurate before I affirm the results for submission.
Here’s where it gets tricky, and you will want to pay attention to contracts once CMMC starts to phase in. Bifurcation is back, long live bifurcation, or so you think. Depending on the contract, you may have the option to perform a self-assessment at Level 2 for CMMC, but here’s the kicker. How many primes or subcontractors are only going to bid on CMMC contracts that call for only a Level 2 self-assessment? Based on one of the tables in the document, only 2% of contracts will have self-assessment as an option. If you happen to participate in any of those contracts, how many of your other contracts will have Level 2 certification as a requirement? If I was a gambling man, I’d say a good bit more. Either way you slice it, you will either submit your score into SPRS yourself or your C3PAO will submit your information into the Enterprise Mission Assurance Support Service (eMASS), which in turn will push your score up to SPRS. POA&Ms are allowed, but with limitations. None of the requirements included in your POA&M can have a point value greater than 1 as specified in the CMMC Scoring Methodology, with the exception of SC.L2-3.13.11, which is allowed as long as its point value is 1 or 3, and with the following requirements not being allowed in the POA&M:
POA&Ms must be closed within 180 days of the assessment. Oh, and a senior official will still have to provide an affirmation. Seems to be a trend with the affirmation requirement. May as well make sure your senior official is part of the assessment.
We’ll keep Level 3 at a high level since many organizations will be focusing on the Level 2 area, but clarifications that were speculated about early on have come to light. Yes, organizations looking to achieve Level 3 certification will need to obtain Level 2 certification first. Once that process is completed, the request would then be made to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to perform a Level 3 assessment, which is based on NIST SP 800-172 guidelines. The same submission process as for Level 2 certification applies, with DIBCAC entering the score into eMASS and a senior official of your organization affirming the results.
The assessor pool is going to take a large leap once rulemaking is complete and in practice, with the 3-assessment requirement to become a Certified CMMC Assessor (CCA) removed and replaced with experience and certification requirements. CCAs must have the following:
- 3 years of cybersecurity experience
- 1 year of assessment or audit experience
- One baseline certification aligned with either of the following:
  - IAT Level II from DoD Manual 8570
  - Intermediate Proficiency Level for Career Pathway Certified Assessor 612 from DoD Manual 8140.03
Lead CCAs must have 5 years of cybersecurity and management experience along with 3 years of assessment or audit experience.
Not much news here outside of the official documentation that any DIBCAC High Assessment with a perfect score as of the effective date of the rule is eligible for CMMC Level 2 Certification, with a validity period of 3 years from the date of the original DIBCAC High Assessment.
External Service Providers
There is likely to be a lot of grumbling here from external service providers (ESPs) that support the Defense Industrial Base (DIB), but there will be an equal amount of cheering from those that foresaw this coming. I think the document says it best, so here you go: “If an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking.” That means that if an ESP supports DIB clients at both Level 2 and Level 3, it will need to obtain Level 3 certification in order to continue to support its Level 3 DIB clients.
There is a lot more information covered in the proposed rule, which many of my colleagues in the industry will unwrap for you in the weeks ahead. Once revisions to DFARS 252.204-7021 have been completed, the Phase 1 roll-out period for CMMC will commence, taking place over the course of 2 ½ years. KTL is there to support our DIB clients and will continue to bring you information and value as it is released.