March 16, 2022
Good afternoon, everyone!
Breaking News: Monarch Information Security Consulting was recently named the seventh Authorized CMMC Third Party Assessor Organization (C3PAO).
The CMMC 2.0 Rumor Mill
The CMMC rumor mill has been more active than usual lately! I’d like to tackle three that I believe are the most injurious to DoD contractors today.
CMMC Is Not “On Hold”
This one has been going around since the DoD’s internal review started last spring, and for some reason it has become more rampant in the past few months, despite all evidence to the contrary. Not only did we get the new Model and Assessment Guides for 2.0, an updated CMMC website, and the long-awaited Scoping Guides, but we also got new leadership and a new commitment to the program.
In February, responsibility for the CMMC program was moved from the Office of Acquisition & Sustainment to the office of the DoD Chief Information Officer. The DoD CIO immediately announced a series of three “town hall” meetings to update the DIB on the progress of CMMC. You can watch a recording of the third one here.
These town halls gave us new information, like the fact that very few L2 contracts will permit self-attestation rather than third-party assessment, and more discussion of POAMs (still expected to have a max duration of 180 days and not be available for the higher-weighted controls). They also indicated that the DoD is looking at incentives for contractors to officially assess now, rather than later, since the number of C3PAOs available is still limited. One possible incentive mentioned is allowing certifications obtained before final rulemaking to be good for 3 years from the date of final rulemaking, effectively extending the life of the cert by 1-2 years.
The CMMC Program Has Not “Slowed Down”
Again, I don’t quite understand how this rumor is going around, as version 2.0 has actually sped up the whole process! The original 5-year rollout (Walk, Crawl, Run) would have put the CMMC clause in 15 contracts in FY2021, 75 in FY2022, 250 in FY2023, 325 in FY2024 and all contracts in FY2025. When version 2.0 was released, the 5-year rollout was eliminated, and the DoD announced that the CMMC clause would be in all contracts once the final rulemaking is complete. This is expected to take 9-24 months from the time of the announcement last November. You do the math. My guess is that we’ll see CMMC in all contracts by the end of 2023.
The Documentation Requirements Have Not Gone Away
The documentation requirements of CMMC 1.0 that were removed include the .997, .998 and .999 controls, because these controls were specific to the CMMC (and the DoD is trying to follow the NIST standard as required by Biden’s EO). However, many practices in 800-171 require documentation, and the entire standard is based on your written System Security Plan.
The “Non-Federal Organization” (NFO) controls in Appendix E are worth looking at also, as 800-171 is based on the assumption that you already have in place written policies and practice documents for all families of controls in NIST 800-53. These pretty well match the .999 and .998 controls in the old ML3 assessment guide. Finally, many of the assessment objectives cannot be met without written policies and procedures. It has been said that these written documents “won’t be assessed per se,” but the assessors will be asking to see them as evidence for meeting assessment objectives.
My Best Advice for Moving Forward
If you have already implemented NIST 800-171, start the official assessment process. When the final rulemaking is done, there will be a rush of contractors for the available C3PAOs. The wait list will be ridiculous. Having your official certification when the contracts start coming out with the CMMC clause will put you light-years ahead of competitors who haven’t certified yet. Why wait?
If you are working on NIST 800-171, keep at it. Don’t pause in your preparations. The DoD isn’t pausing in theirs! Plan to be ready for an official assessment by the end of 2023. Since most organizations take 12-18 months to reach readiness, the time to prepare is NOW.
If you have been thinking CMMC would go away, stop thinking that. Seriously, though many wish it would go away, that’s not going to happen. The DIB is hemorrhaging information to the adversary, and the DoD is serious about stopping it now. And it’s not just DoD, it’s the entire federal government. In the past year, new cyber security requirements have been released, at the very least, by Dept of Energy, Dept of Labor, FTC and the SEC. Congress keeps sponsoring bills requiring cyber security and reporting practices. Non-government entities are starting to ask for cyber security certs in their bid packets as well. This is becoming a factor in vendor selection.
Two Final Points
(1) It is important to remember that while CMMC may “feel new,” it really isn’t – especially since it is now based entirely on the controls of NIST 800-171, which were a requirement for DoD contractors handling CUI as of December 31, 2017. The L1 controls of CMMC are based entirely on the “Basic Safeguarding Rule” (FAR 52.204-21), which applies to all government contractors, not just DoD. The only thing new is that CMMC is forcing everyone to prove (or self-attest) that they have implemented the proper controls to protect FCI/CUI.
(2) Don’t forget about the “security” part of this. Sure, some of the controls in 800-171 seem a bit over the top, but the truth is that most organizations have a real security problem. Cyber crime has exploded in the past two years, and continues to get worse. (Note: Small businesses are not immune, and in fact are often targeted because the bad guys know that SMBs don’t have in-house expertise and often don’t spend the money they should.) Implementing the CMMC controls on your information system will not only protect government information, but will actually improve the overall security posture of your organization! 60% of SMBs go out of business within 6 months of a cyber attack. Stop thinking of cyber security as a cost center; consider the CMMC process an investment in the future of your business.
P.S. – Need help? I’m just an email or phone call away!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!