CMMC News and Recommendations

Latest CMMC Updates

May 2021

CMMC AB is working on becoming ISO 17011:2017

  • This certification requires the competence, consistent operation and impartiality of accreditation bodies assessing and accrediting conformity assessment bodies.
  • Looks like this will address ethics questions from the past year and signals more transparency into the CMMC-AB ecosystem.

DTS RECOMMENDS: C3PAOs that pass the DIBCAC assessment will be “authorized” to conduct Certification Assessments. They will be “certified” once CMMC-AB obtains ISO 17011.

DCMA is auditing the initial round of C3PAOs using CMMC ML-3

  • The criteria DCMA is using for the certification of C3PAOs are expected to be the same criteria C3PAOs will use when conducting assessments of Organizations Seeking Certification (OSCs).

DTS RECOMMENDS: These early rounds give a glimpse into CMMC assessments. Here’s what we have learned:

  • Your understanding of the requirements is a big deal to DCMA when doing the assessment.
  • All documentation must be assessment ready, not in draft. They thoroughly read the documentation!
  • Companies will need to complete a self-assessment using the CMMC Assessor’s Guide and document their findings.
  • No Plans of Action can be open.
  • Procedures must be repeatable and adequate to implement each practice, and practice objectives must be met.
  • If using cloud services, a Cloud Customer Responsibilities Matrix is needed to outline how the cloud provider helps meet the requirements of CMMC.
  • Problem areas: CMMC .997, .998, & .999 require documentation.

There is an opportunity to perform a “remediation assessment” if you don’t pass some controls

DTS RECOMMENDS: You’ll have just 90 days to do this if granted. However, if the majority of controls for a level are not passed, a remediation assessment will likely not be granted.

Assessments will take a hybrid approach (90% virtually, 10% physical)

  • There are some controls that require a physical inspection.
  • DIBCAC does a risk analysis before traveling, and has noticed the risk has gone down significantly as the use of PPE, company policies, and vaccination rates have increased.
  • If a physical inspection cannot be done, DIBCAC will handle on a case-by-case basis.

DTS RECOMMENDS: Don’t assume you won’t get an assessor who shows up on site. Be ready for virtual interaction but also site visits.

February 2021

  • The final CMMC Rule will be coming out sometime between April and July 2021.
  • Certified Assessors will not be available until Summer/Fall 2021. The Licensed Training Providers were just recently approved and are ramping up their training programs. The first training programs are expected to be available in April 2021.

DTS RECOMMENDS: If you haven’t begun preparing for your CMMC assessment in earnest, you risk missing key deadlines for new contracts. Contractors needing a CMMC certification for a pilot program award in FY2021 will be eligible for an assessment from a Provisional Assessor with proper documentation provided to the CMMC-AB.

  • DFARS Provisions 252.204-7019 & 252.204-7020 are only applicable to contractors required to implement the NIST SP 800-171 standards per DFARS Provision 252.204-7012.

DTS RECOMMENDS: Contractors should look in Section L of their contracts to see if it includes 7012. Provisions 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.

  • The CMMC Pilot Program (Year 1 CMMC Contracts) will include contracts from: Army, Navy, Air Force, Missile Defense Agency, Defense Logistics Agency.
  • The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) is exploring opportunities to pursue CMMC pilots outside of the DoD to include: GSA, DHS, and possibly the Department of the Interior.

DTS RECOMMENDS: CMMC is still a DoD program but they are “welcoming participation” from other agencies. This news makes it even more of an imperative for contractors to have a long-term cybersecurity strategy in place – AND to forecast and budget for continuous upgrades and training to mature their practices. Until October 1, 2025, CMMC requirements will only be included in new acquisitions with the approval of OUSD(A&S)/OCISO(A&S).

A final tip…

When searching for Cyber Security Consultants and C3PAOs, ensure that you are selecting yours from the CMMC-AB Marketplace. There are many “poser” marketplaces out there, especially for C3PAOs, and contractor companies are not getting what they’re paying for.
