Ben Franklin once quipped, “When you are finished changing, you are finished.”

Nothing could ring more true in cybersecurity. Frameworks need to live and breathe to respond to evolving threats.

On November 4, 2021, the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework to streamline compliance, increase flexibility, and lower cost for manufacturers and IT providers.


  • Reduce number of levels from Five to Three
  • Return to NIST as maintainer of all documents
  • Allow level one self-assessments
  • Self-assessments require senior level affirmation
  • Level Two is the old Level Three and the NIST SP 800-171 baseline for Controlled Unclassified Information
  • Level Two is bifurcated into prioritized and non-prioritized contracts
  • Prioritized contracts require third party assessments.
  • Return of limited time bound POAMS
  • Return of limited approved waivers

Reduced Levels

CMMC 1.0 had five levels. Level One aligned to seventeen controls from NIST SP 800-171 to meet the fifteen safeguards required by FAR 52.204-21 for Federal Contract Information. Level Three, required for CUI, aligned to 110 controls from NIST SP 800-171 and 20 additional controls. Level Five would align to practices selected from NIST SP 800-172.

This model did not work for maturity given the different baselines required for sensitive data. One would not seek a level two certification. In fact, DoD said no bids would even ask for a level two. We also had no classes or assessments for level two or four.

Yet CMMC 1.0 had cumulative levels, meaning you had to meet all of level one and two to meet level three. This pushed some CUI requirements down to level two, which made no sense given level three served as the NIST SP 800-171 baseline.

CMMC 2.0 removes the ill-fitted maturity requirements.

Return of National Institute of Standards and Technology

CMMC 1.0 tried to address some of the shortcomings of NIST SP 800-171. In fact, early on the AB, rumor has it, tried to remove requirements until NARA/ISOO reminded them that the CUI program exists in law and NIST SP 800-171 provides the baseline. They could only add and not remove.

CMMC 1.0 added twenty additional practices, often referred to as the Delta 20s, and made the assumed controls of NIST SP 800-171 around policy and procedures (an assumption of practices Non Federal Organizations (NFO) just do... they don’t) explicit in the process maturity measures.

CMMC 2.0 removes anything unique to CMMC and returns us to just NIST SP 800-171. Moving forward, only NIST will change the requirements. We will see many of the Delta 20s making a return, and while policies and procedures do not get explicitly assessed, you cannot pass an assessment without policies and procedures.

Timeline and Rulemaking

In order to allow for third-party assessments under the Defense Federal Acquisition Regulation Supplement (DFARS), the Department of Defense (more likely their lawyers) decided we need to codify this in federal law.

This requires a “harmonization” of rulemaking. First, 32 CFR, which governs the CUI program, needs revision. Then 48 CFR, which enables DFARS, will get revised.

Federal rulemaking takes a long time, and the DoD estimates suggest 9-24 months. Before contractors breathe a sigh of relief, they should realize that a 24-month timeframe speeds up the original intent of the five-year pilot program.

Once the rulemaking process is complete, no pilot program will be rolled out, because compliance with 171 has been required since 2017. The rule change just empowers third-party assessments under the DFARS clauses.

More Flexibility

CMMC 1.0 did not allow for any open assessment objectives. You had to meet all 305 to get a level three certification.

CMMC 2.0 allows for a set of limited and timebound POAMs.

Before you jump for joy and think you can couch really expensive stuff as a never-ending POAM with never-reached milestones, you should understand the caveats.

First, you need a minimum SPRS score, whether you self-assess or have a third party assess you against the 171a methodology. A cut score still exists. They have lowered the threshold. How far? We do not know, but it won’t be low.

You also cannot POAM all the requirements and objectives. 171a breaks scores down into 5, 3, or 1. While official guidance did not get released, officials have hinted no five pointers in the POAM. The most expensive stuff gets five points.

You also get 180 days to rectify the POAM. This flexibility saves you nothing. In fact trying to address a five point control in three months may cost you a ton more than good planning.

What Does It Mean?

For organizations seeking certification, little. Keep growing the SSP and shrinking the POAM. We always had 171 as a baseline and that did not change. The Interim DFARS clauses 7019 and 7020 did not go away. DFARS clause 7012 did not go away. If you have CUI or FCI on your systems the people, processes, and technology within scope still fall in scope.

For the CEO or CIO of an organization seeking certification, the affirmation requirements increase your personal liability under the False Claims Act. In fact, both the DoJ and the DoD have highlighted an increased focus on the whistleblower elements of the False Claims Act. You may find your lawyers, or more likely your Prime’s lawyers, demanding a third-party assessment even if you do not hold CUI on a prioritized contract.

Nobody knows what prioritized contracts mean. You cannot plan on what level of level two you will fall under. Plan your self-assessment as if a third-party assessor will come in and verify your results.

If you wanted to join the ecosystem as a Certified CMMC Professional (CCP) or a CMMC Certified Assessor (CCA), you may find the market grew, rather than contracted as one might logically conclude from the move to self-assessments.

It makes sense for the DoD to press pause on third party assessments. They have no idea how big the DIB is but they knew the majority would fail a level one, forget a level three assessment. Why make companies pay for a test you know they will fail?

Yet the market for CCPs and CCAs may have grown. While the DoD may not require a third-party assessor, you can bet many a Prime contractor will if you want to remain in their supply chain. Further, the number of companies who need to self-assess will require more support.

The number of companies needing a third-party assessor remains high. The DoD has pinned this number at 30,000-40,000 and the CMMC-AB places it higher. Further, current thinking, likely to change, has any level three company who wants an assessment by the Government against the upcoming tailored controls from 172 first needing a level two assessment from a C3PAO against 171.

In the end, the baseline of NIST SP 800-171 did not change. Use the next nine to 24 months to grow the SSP and shrink the POAM.

Change flickr photo by Matt Henry photos shared under a Creative Commons (BY) license