CMMC News and Recommendations

Latest CMMC Updates

November 2021

DoD released a statement regarding updates to the CMMC model on November 4, 2021.

DoD is calling this CMMC 2.0 and has stated it will not become effective until the rulemaking processes for Title 32 CFR and Title 48 CFR are complete. Until then, the Department is suspending all CMMC piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The current chatter is that this will take anywhere from 9 to 24 months.
DTS RECOMMENDS: While this update is a change, it’s clear CMMC is not going away. On the surface, it appears DoD is attempting to mitigate the potential loss of small and medium-sized (SMB) DIB contractors by relaxing the initial implementation of CMMC. It may later reinstate the CMMC-specific practices and maturity processes, as well as the certification requirement.

Continue moving forward toward compliance with all NIST SP 800-171 controls and all associated documentation, including establishing maturity in the procedure-related controls of 800-171.

It’s critical that System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) be accurate, and that cyber incidents be reported in a timely manner, if your contract(s) require self-attestation.

September 2021

DoD is still reviewing comments on the interim rule. The final DFARS CMMC rule and an update to the CMMC Model are expected in November/December 2021.

As we wait, remember that C3PAOs must be CMMC certified at the highest level at which they intend to perform assessments.
  • CMMC is the first time cybersecurity professionals are being required to document their processes and practices at a high level of detail. It has always been considered a best practice but never required.
  • The devil is in the details of the policy and processes: you need to say what you do, do what you say, and be able to prove it.
  • CMMC certification involves the entire company – assessors will interview all departments and all levels during the assessment. For example, Finance may be interviewed and asked how it knows it is budgeting enough for cybersecurity.
  • Complexity, not necessarily company size, will likely drive cost. A 20-person manufacturing company whose schematic CUI is accessed on the manufacturing floor by automated manufacturing devices, users, and other specialized systems will likely cost more to certify than a 250-person company whose core business is general consulting and which mainly produces, stores, and keeps CUI documentation in the cloud.
DTS RECOMMENDS: We recommend that the information management team and subject-matter experts (SMEs) conduct a full review of the objective evidence for each CMMC control before the assessment.
Ensure the cybersecurity team, whether internal or external, has the full support of senior leadership and their willingness to help implement the cultural changes needed for CMMC certification.

CMMC Certification & Training Updates

Although three C3PAOs are approved, meaning they have passed their DIBCAC assessment, they are not yet authorized to conduct certification assessments. The CMMC-AB still needs to check all administrative requirements of the C3PAOs, deliver the final program materials to DoD, and have them integrated into DoD’s eMASS system. eMASS is the system that will track certification assessments. After these steps are taken, the C3PAOs will be authorized to conduct assessments.
  • CMMC Certified Professional (CCP) training requirements have been defined. The CMMC-AB can now move forward with creating content for the Licensed Publishing Partners and Licensed Training Providers to train CCPs. Passing the CCP exam is the first step toward, and is required for, becoming a Certified Assessor.
  • The CCP beta test period will start around November 9, 2021, and the official exam is expected to be offered in February 2022.

The CMMC-AB has set up an Industry Advisory Council (IAC) to serve as a check-and-balance for the AB’s practices and costs.

  • There are 17 members on the inaugural council, including those representing SMBs.
  • There are also committees within the council, including a committee focused on SMBs.
  • Their goal is to provide meaningful feedback to the CMMC-AB and to represent the actual intent of the DIB.
Speaking of cost, we’ve found many people make assumptions about cost and whether something is too expensive before looking into it. We know “expensive” is relative to a person or business given many unique factors. Either way, we recommend that businesses take time to find out the costs to make a more informed decision before deciding it’s too expensive. Our 3-part sales process typically takes a total of 90 minutes.
  1. Initial Discussion
  2. Questionnaire & Scoping Review
  3. Remediation/Gap Analysis Proposal

May 2021

CMMC-AB is working toward ISO/IEC 17011:2017 accreditation

  • This standard specifies requirements for the competence, consistent operation and impartiality of accreditation bodies that assess and accredit conformity assessment bodies.
  • It looks like this will address the ethics questions of the past year and signals more transparency in the CMMC-AB ecosystem.
DTS RECOMMENDS: C3PAOs that pass the DIBCAC assessment will be “authorized” to conduct certification assessments. They will be “certified” once the CMMC-AB obtains ISO/IEC 17011 accreditation.

DCMA is assessing the initial round of C3PAOs against CMMC Maturity Level 3 (ML-3)

  • The criteria DCMA is using to certify C3PAOs are expected to be the same criteria C3PAOs will use when assessing Organizations Seeking Certification (OSCs).
DTS RECOMMENDS: These early rounds give a glimpse into CMMC assessments. Here’s what we have learned:
  • Your understanding of the requirements matters a great deal to DCMA during the assessment.
  • All documentation must be assessment-ready, not in draft. They thoroughly read the documentation!
  • Companies will need to complete a self-assessment using the CMMC Assessment Guide and document their findings.
  • No Plans of Action can be open.
  • Procedures must be repeatable and adequate to implement each practice, and each practice’s assessment objectives must be met.
  • If using cloud services, a Customer Responsibility Matrix is needed to outline which CMMC requirements the cloud provider meets on your behalf and which remain yours.
  • Problem areas: the CMMC process maturity items ending in .997, .998, and .999 (the per-domain plan, documented practices, and policy) all require documentation.

There is an opportunity to perform a “remediation assessment” if you don’t pass some controls

DTS RECOMMENDS: You’ll have just 90 days to remediate if a remediation assessment is granted. However, if the majority of controls for a level are not passed, a remediation assessment will likely not be granted.

Assessments will take a hybrid approach (roughly 90% virtual, 10% on site)

  • Some controls require a physical inspection.
  • DIBCAC performs a risk analysis before traveling and has noted that the risk has gone down significantly as PPE use, company policies, and vaccination rates have increased.
  • If a physical inspection cannot be done, DIBCAC will handle it on a case-by-case basis.
DTS RECOMMENDS: Don’t assume you won’t get an assessor who shows up on site. Be ready for virtual interaction but also for site visits.

February 2021

  • The final CMMC Rule will be coming out sometime between April and July 2021.
  • Certified Assessors will not be available until Summer/Fall 2021. The Licensed Training Providers were only recently approved and are ramping up their training programs. The first training programs are expected to be available in April 2021.
DTS RECOMMENDS: If you haven’t begun preparing for your CMMC assessment in earnest, you risk missing key deadlines for new contracts. Contractors needing a CMMC certification for a pilot program award in FY2021 will be eligible for an assessment from a Provisional Assessor, with proper documentation provided to the CMMC-AB.
  • DFARS 252.204-7019 and 252.204-7020 apply only to contractors required to implement NIST SP 800-171 under DFARS clause 252.204-7012.
DTS RECOMMENDS: Contractors should check the clauses in their contracts to see whether 252.204-7012 is included. 7019 and 7020 are not retroactive on current contracts but will apply on contract options and recompetes.
  • The CMMC Pilot Program (Year 1 CMMC contracts) will include contracts from the Army, Navy, Air Force, Missile Defense Agency, and Defense Logistics Agency.
  • The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is exploring opportunities to pursue CMMC pilots outside DoD, including GSA, DHS, and possibly the Department of the Interior.
DTS RECOMMENDS: CMMC is still a DoD program, but DoD is “welcoming participation” from other agencies. This news makes it even more imperative for contractors to have a long-term cybersecurity strategy in place – AND to forecast and budget for continuous upgrades and training to mature their practices. Until October 1, 2025, CMMC requirements will only be included in new acquisitions with the approval of OUSD(A&S)/OCISO(A&S).

A final tip…

When searching for Cyber Security Consultants and C3PAOs, ensure that you are selecting yours from the CMMC-AB Marketplace. There are many “poser” marketplaces out there, especially for C3PAOs, and contractor companies are not getting what they’re paying for.
