January 24, 2024
How old is your SPRS self-assessment score? Might want to review this.
CMMC Levels -- Where are you?
As I wrote in my January 3 CMMC Update, the proposed CMMC 2.0 rule has a lot to unpack. I've previously written about the timeline and next steps, and last week, in my comments, I discussed my concerns with the increased scope, and thus cost, involved with the new rule's treatment of "Security Protection Data" (SPD), "External Service Providers" (ESPs) and "Cloud Service Providers" (CSPs).
This week I want to discuss the various levels of CMMC, since the proposed rule made some changes to both L1 and L2, and introduced us to L3. I'll provide an overview of the three levels, important changes, and who needs which one.
One point of note before we begin: the proposed rule for CMMC 2.0 is tied specifically to NIST 800-171r2 (R2). That's the current version. As you know, however, the final public draft of 800-171r3 (R3) was released in November, and the final is expected in April/May. Ultimately the CMMC Model will have to be updated to align with R3 (presumably this will be CMMC 3.0, but it's still a ways off).
Changes to the levels
The most important change is that the three levels of CMMC are no longer "cumulative," as they were originally conceived. Each one now has its own security requirements, based on a different standard. L1 and L2 are now completely standalone assessments, while L3 requires an L2 certification. This means that even if you achieve an L2 or L3 certification, you will still need to self-assess and affirm compliance with L1 for your FCI environment each year. More below.
Security requirements for each level
Level One (L1) is now based on FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." These security requirements have been in force for all US government contractors -- not just DOD -- since May 16, 2016.
Level Two (L2) is based on NIST SP 800-171r2 (R2), "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." These security requirements have been in force for all DOD contractors since December 31, 2017.
Level Three (L3) is based on a subset of the controls in NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171." L3 requires an official L2 certification (with no open POAMs) before an L3 assessment can take place.
Which level will your organization need to assess?
Remember that the security standards for DoD contracts are data-centric, i.e. the type of data you handle determines which security standard applies. CMMC deals with basically two types of information:
Federal contract information (FCI) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Who needs CMMC L1? Everyone who handles FCI. The only exemptions to CMMC L1 are for commercially available off-the-shelf (COTS) items (products that are ready-made and sold "as is" -- think toilet paper, staplers, office furniture, cleaning supplies) and micro-purchases under $10,000 (the threshold can be higher in certain emergency situations). So, I'm guessing that everyone reading this will require CMMC L1.
Who needs CMMC L2? Everyone who handles CUI. There are no exceptions to this.
Who needs CMMC L3? Well, we don't yet know exactly, but we have two clues:
(1) 800-172 states that it is applicable to "the components of nonfederal systems that process, store, or transmit CUI associated with a critical program or a high value asset or that provide protection for such components." What exactly is "a critical program or a high value asset"? Most people agree that weapons systems will fall into this category. Beyond that, we have only one other clue:
(2) DIBCAC High Assessments. I have heard from several different people that an organization that has undergone a DIBCAC High Assessment will most likely need L3 certification.
What is involved at each level?
Now that you know which level your organization will need to assess, it's time to look at what is involved in assessing each level. I think I'll tackle that one next week.
Meanwhile, if you need help with your CMMC preparation, you know where to find me!
How old is your SPRS self-assessment score?
Remember back in Oct/Nov 2020 when everyone was scrambling to calculate a self-assessment score and enter it into SPRS? Have you continued working on your implementation of 800-171 and periodically updated your score in SPRS? Don't forget this part: the new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. If you entered a score into SPRS when that rule first came out, and haven't updated it, you are now past the 3-year period and no longer eligible for new contract awards. So maybe you need to dust off that self-assessment, update it with the additional work you have done on meeting these requirements, calculate a new score and enter it into SPRS as soon as possible.
Want more information? Check out my upcoming virtual CMMC workshops (Early Bird pricing now in effect):
Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!