In part one of this blog, we discussed the first four categories of the Department of Defense’s (DoD) strategic intent for enhancing CMMC -- focus, clarity, alignment, and cost -- and how those categories relate to contractors in the Defense Industrial Base. If you haven’t already read it, here is a link to part one of this two-part blog series on CMMC 2.0.
In this second part, we discuss the remaining four categories into which the DoD's efforts to revise and supplement the CMMC program fall.
We’ll also detail some next steps Organizations Seeking Certification (OSC) can take while preparing for CMMC 2.0.
As a reminder before we delve back into these categories, the underlying requirements in NIST SP 800-171 have not changed and still must be implemented; CMMC 2.0 represents very little tangible change to a company that handles and manages Controlled Unclassified Information, or CUI. With that, let’s continue.
As mentioned in the previous blog, CMMC 2.0 allows for self-assessments by companies that do not handle information critical to national security (level 1 and a subset of level 2). The other subset of level 2 that does handle CUI critical to national security will require third-party assessments. Currently, those third-party assessment companies will be CMMC-AB accredited CMMC Third Party Assessment Organizations (C3PAOs). For those companies operating overall programs and acquisitions related to national security, government-led assessment teams from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will run level 3 assessments.
All self-assessments will be conducted in accordance with forthcoming CMMC assessment guides, and those scores will be uploaded to the Supplier Risk Performance System (SPRS), much like self-assessment scores pursuant to DFARS 252.204-7019 are calculated in accordance with NIST SP 800-171A and the DoD Assessment Methodology. External assessment results will be captured and uploaded to a special enclave of the Enterprise Mission Assurance Support Service (eMASS) tool, which is already commonly used across the federal ecosystem.
The DoD will be increasing department oversight of the overall CMMC 2.0 program by shifting oversight responsibility from the Office of the Undersecretary of Defense for Acquisition and Sustainment to the DoD Chief Information Officer. The DoD has a strong desire to create higher accountability for professional and ethical standards across the CMMC ecosystem – a point of emphasis throughout the last nine months even while the CMMC 2.0 program was first being internally reviewed at the Pentagon.
The most encouraging change under CMMC 2.0 is the re-authorization of Plans of Action and Milestones (POAM) for documenting and managing open issues and unimplemented controls.
CMMC 1.0 famously burned much of its early goodwill by removing the ability to have open POAM items on assessment day. While re-authorizing POAMs greatly reduces the burden faced by companies in the DIB, it is not without limitations. The DoD will specify a baseline number of requirements that must be met prior to award, and any unmet requirements will have clearly defined timelines for implementation (not to exceed 180 days based on the most recent information). Additionally, the “highest weighted” requirements will not be permitted to remain on a plan of action.
This likely means that the “5 point” controls contained in the DoD Assessment Methodology will be included in the mandatory minimum baseline. Although POAMs are back under CMMC 2.0, companies should plan accordingly: six months isn’t much time.
The DoD will carve out a limited duration waiver process requiring approval by DoD senior leadership on a case-by-case basis. This process would waive the entire CMMC requirement rather than specific, individual security controls. The DoD has emphasized that waivers will be incredibly limited and require the pertinent DoD program office to submit a justification package and risk management plan. Although having the waiver process is a vote of confidence in the viability of the new CMMC program, it is highly unlikely that it will be widely available for the average company in the Defense Industrial Base.
Next Steps for Organizations Seeking Certification (OSC)
Now that we have discussed all eight strategic intent categories, we’ll go over some things OSCs can be doing right now during the interim rulemaking process.
- If they have not already, OSCs need to implement NIST 800-171 controls, as the underlying requirements have not changed.
- Familiarize themselves with CMMC 2.0’s new levels 1, 2 and 3 (formerly levels 1 through 5).
- Identify and scope the type(s) of data they handle: FCI, CUI, CDI, CTI, ITAR, etc.
- Remember, any company that handles CUI in the course of doing business will now be at least CMMC 2.0 Level 2.
- Review the released scoping guide and forthcoming self-assessment guides relevant to their CMMC level.
- Review any previous POAMs or create new ones, ensuring they meet the DoD’s 5 point controls.
Overall, CMMC 2.0 introduces many significant and beneficial changes compared to CMMC 1.0 without changing the underlying requirements in NIST SP 800-171. If a company handles and manages CUI, then CMMC 2.0 represents very little tangible change. The biggest question will be whether or not the CUI with which you work places you in the subset of Level 2 that requires external assessment. Other than that, a well-planned approach to system and security architecture would not vary much at all before CMMC 1.0, during CMMC 1.0, or currently as we begin to operate under CMMC 2.0.