January 31, 2024
CMMC Levels -- What is required?
In my last CMMC Update I discussed the various levels of CMMC: an overview of the three levels, important changes, and who needs which one. Now that you know which level(s) your organization will be required to assess, let's look at the requirements for each one.
Level One (L1) is required of all contractors (except those who only sell COTS or purchases under $10k). Your L1 environment encompasses any information systems that process, store or transmit FCI, and must meet the requirements of FAR 52.204-21, the "Basic Safeguarding Rule" (FAR). This is an important change in CMMC 2.0, for two reasons:
(1) Previously, the requirements for CMMC L1 were a subset of NIST SP 800-171r2 (R2), specifically those 17 controls that align with the 15 requirements of the FAR. In the proposed rule, however, L1 is de-coupled from NIST SP 800-171 and aligns with the FAR. (Although assessment of these controls is done using the assessment objectives in NIST SP 800-171A.)
The controls are currently the same, but this will become important in CMMC 3.0, as NIST SP 800-171r3 (R3) has made modifications to those controls and no longer aligns with the FAR. Re-alignment of L1 with the FAR now will provide continuity when CMMC must be updated for R3, so I think it makes sense.
(2) It's important because everyone subject to CMMC must self-assess and affirm compliance with these controls annually. What does "affirm" mean? That's the next important thing to know about L1:
Affirmation of self-assessment at 100%
Any contractor handling FCI must self-assess L1 with all requirements MET (no POAMs allowed for L1) at least annually, and record the results in SPRS. Further, compliance must be affirmed by a "senior official who is responsible for ensuring OSA compliance with CMMC Program requirements":
Affirmation statement attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements for all information systems within the relevant CMMC Assessment Scope at the applicable CMMC Level. (§ 170.22(2)(ii))
Personal affirmation has been added because DoD knows that many contractors have entered incorrect (inflated) scores into SPRS, and they want someone (in authority) to be personally responsible for these entries. The DoJ has been stepping up its FCA activities, and DoD/DIBCAC have been cooperating and providing evidence.
Level Two (L2) is based on NIST SP 800-171r2 (R2), "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." When the CMMC rule takes effect, all contractors who handle CUI will immediately be required to report and affirm an L2 self-assessment in SPRS. A limited number of POAMs may be allowed (no more than 22 total, one-pointers only, and no L1 requirements), but they must be closed within 6 months.
Of course, some contracts will require an L2 certification from an authorized C3PAO. DoD has indicated that there will be a phased rollout of contracts requiring L2 certification. Theoretically that provides some relief and a bit more time, but the reality is that prime contractors will be driving this bus, not the DoD, and they have already been pushing hard for subs to be compliant well before the deadline.
Level Three (L3) is based on a subset of the controls of NIST SP 800-172 ("Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"). L3 requires an official L2 certification with no open POAMs before an L3 assessment can take place. L3 assessments will be conducted only by DIBCAC, not C3PAOs.
And of course, at all three levels, flowdown applies. In my opinion, contractor flowdown will be the most important factor in the speed at which compliance is required. If the primes you work for most often have already been pressuring you to close POAMs and update your SPRS score, you can bet they'll be pushing hard for L2 certifications as soon as those are available.
Meanwhile, if you need help with your CMMC preparation, you know where to find me!
How old is your SPRS self-assessment score? Might want to review this.
Want more information? Check out my upcoming virtual CMMC workshops: (Early Bird price ends Friday)
Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!