CMMC Model v2.0 has been Released

 
 

DoD Announces CMMC 2.0: “Ok, ok… we’ll only audit some of you.”

 
 

Published:
Nov. 5th, 2021

On November 5th, 2021, the Department of Defense released its plans to modify the CMMC program. The changes, which many view as a win for DIB small businesses, has been branded CMMC 2.0.

 
 

Changes to the Model

One of the first notable changes is a reduction in levels.

CMMC originally contained 5 levels.
Version 2.0 reduces the total to 3 levels.
Level 1 remains unchanged as “basic cyber-hygiene”. Level 2 is now the complete requirement-set of NIST 800-171 (replacing the original CMMC Level 3). And Level 3 now represents some amalgamation of the former Levels 4 and 5.

It’s likely most contractors that handle CUI/CDI will now be aiming for Level 2.

CMMC 2 Levels
 
 

Level 1        CMMC 2.0 Level 1

Level 3        CMMC 2.0 Level 2

Level 5        CMMC 2.0 Level 3

 
 

Changes to the Requirements

Under the new model, the additional 20 ( “delta” ) practices that did not exist in NIST 800-171 have been removed.
This should slightly reduce the dollars and hours it takes to achieve compliance with CMMC level 2.

DoD has also stated it plans to remove the processes side of CMMC altogether (cue angelic singing).
CMMC v1.0’s processes were essentially a list of must-have policies and procedures. This doesn’t necessarily mean CMMC 2.0 will not require documented policies of some sort, but more focus will be placed on implementation of the practices.

Lastly, POAMs are back.
That’s right, you can now get by with deficiencies, provided you have documented, detailed plans to correct those deficiencies. There’s mention of a list of requirements that POA&Ms won’t be accepted for as well as a time limit, but the specifics have not been provided.

 
 

Changes to Certification Award

 
 
CMMC Version 2

Levels 1 and 2 of the new model will no longer require every contractor to undergo a 3rd party audit.

This is arguably the biggest change in CMMC 2.0.

 
 

This means that many DIB companies need only self-attest that they’ve effectively implemented CMMC requirements, similar to the current DFARS 800-171 clause. Those self-attesting will still need a System Security Plan, Plan of Action and Milestones and an up-to-date SPRS score. CMMC 2.0 will require contractors to formally self-attest annually, though we’re unsure what exactly that process will look like.

It’s worth noting that some Level 2 contractors will still need to undergo an audit, specifically if their contract exposes them to critical national security information. All level 3 contractors will need to undergo an assessment led by the government itself.

 
 

What We Don’t Know

 
 

Timeline

CMMC 2.0 won’t be a contractual requirement until the Department progresses through the rulemaking process and codifies CMMC 2.0 in DFARS. This process can take 9-24 months.

Some sort of incentive program is being constructed to encourage organizations to start early, but no details are provided at this time.

 
 

CMMC AB’s Role

Under CMMC 1.0, the CMMC Accreditation Body was tasked with overseeing CMMC audits and auditor training. Last week, the government indicated it was renegotiating its contract with the AB. If the AB remains involved in CMMC, we expect their role to be reduced as the government becomes more involved in the execution and operation of the program.



“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy said in a release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

 

CMMC Update: April 2

 
 

CMMC Update: April 2

 

Published:
Apr. 2nd, 2020

 

CMMC timeline and Covid-19

While the COVID-19 pandemic has most of us working from home and pushing deadlines back, the OUSD and CMMC AB assure us that they are still, very much, pushing forward.

“We’re doing our absolute best to stay on track because even though we are in horrible times, we have to have continuity of care, the mission is important,” Arrington said of keeping on track.

She went on to say “From where I sit right now, it’s important that we save lives first and foremost. Bottom line is you can replace anything but a human life, but understand that our adversaries, at the same time, will take advantage…so we need to be as aggressive as possible.

No Stopping Anytime Sign
 
 

CMMC Accreditation Body signs MOU with DoD

And the proof is in the pudding. The CMMC Accreditation Body signed an MOU (memorandum of understanding) with DoD in late March. This means that DoD officially recognized the non-profit organization as the CMMC Accreditation Body. The CMMC AB stated that they could start training auditors as early as May as they move forward.

Their newsletter comments that they have “created committees and established initial functional and conceptual baselines for defining and implementing an adaptable and scalable ecosystem that supports the CMMC standard.  This ecosystem is currently projected to begin issuing DoD-recognized CMMC certifications no later than Q4 2020.

CMMC V1.02 has been Released

When asked in an interview on govmatters.tv if the standards will evolve over time, Katie Arrington responded:
“The standard should evolve. We’re in the process of a DFARS rule change on the CMMC.”
She later said:
“As the threats evolve, as the way the adversary comes at us changes, as technology evolves, we will modify how that [standard] works.”

We have already seen proof of this statement with the release of CMMC v1.02. The changes from v1.0 consist of mostly grammatical revisions. The release of a minor revision this soon after v1.0 indicates we’ll likely continue to see updates to the standard in the weeks and months ahead.

What to do Now

While the DoD has made it clear recently that there are currently no Third-Party Organizations that can grant a CMMC certification, it is still important to prepare for an audit. You can do this by working toward compliance with NIST 800-171. These controls will get you in good shape for CMMC Level 3. From there, you can begin to identify any gaps you might have and work towards mitigating them. It’s true that no company can certify you at any level of CMMC right now, however, there are plenty of companies that are capable of preparing you for certification. It’s critical to find a service provider with experience in NIST 800-171 assessments to prepare for the upcoming CMMC audits.

For more news and updates on CMMC, keep an eye on our blog.

 

CMMC Model v1.0 has been Released

 
 

CMMC Model v1.0 has been Released

 

Published:
Feb. 4th, 2020

 

The wait is over. CMMC v1.0 is now available. Contractors can finally look at the first version of the model and begin assessing their systems against its requirements.
A lot has remained the same from Draft V0.7 but there are a few highlights we’d like to discuss as well as touch on some basics of the standard.

The Official Model v1.0 is available here.

 
 

The Model v1.0 Overview, Framework and Levels

Overview

The v1.0 document includes:

 The CMMC Model and Summary
 Appendix A: CMMC Model v1.0
 Appendix B: Process and Practice Descriptions
 Appendix C: Glossary
 Appendix D: Abbreviations and Acronyms
 Appendix E: Source Mapping
 Appendix F: References


The final revision is comprised of 17 Domains, 43 capabilities, 171 practices to measure technical capabilities as well as 5 processes across the 5 levels (Levels 2 – 5) to measure process maturity.

Framework

CMMC combines processes and practices into a set of domains that map across 5 levels. These domains contain processes and Capabilities and those Capabilities contain Practices.

CMMC Framework Model

Levels

Level 1  Level 1 is for basic safeguarding of FCI (Federal Contract Information). It is comprised of 17 practices and has no processes in place. Level 1 only addresses practices from the FAR Clause 52.204-21.

Level 2  Level 2 is meant to be a transitional step form safeguarding FCI to protecting CUI. Level 2 contains 72 practices and 2 processes.

Level 3  Level 3 is for protecting CUI. It contains 130 practices including all 110 controls found in NIST 800-171 Rev.1. All contractors that handle CUI will be required to certify at a CMMC Level 3. This level also contains 1 process.

Levels 4 & 5  Levels 4 and 5 are aimed at protecting CUI and reducing risk of APTs. These levels contain an additional 41 practices (26 in L4 and 15 in L5). These practices are sourced mostly from NIST 800-171 Draft RevB.

CMMC Model v1.0: Number of Practices and Processes Introduced at each Level
CMMC Level Practices Processes
Level 1 17
Level 2 55 2
Level 3 58 1
Level 4 26 1
Level 5 15 1

 
 

Practices and Processes

Appendix A includes the CMMC model v1.0 in tabular form with all practices organized by Domain (DO), Capability, and Level (L)

Practices are numbered as DO.L.###, with a unique practice number (###)

For example: The first practice found in the standard is listed in domain Access Control, under capability C001 Establish System Access Requirements. Therefore, it is listed as AC.1.001.

 

Appendix A also includes maturity level processes
Processes are generalized but apply to all domains.

Processes are numbered as ML.L.99#

The “ML” stands for Process Maturity while the “L” represents the CMMC level of that process. The numbers after the “L” are in reference to the 5 processes (ranging from 995-999).

Example:
Maturity Level 2 (ML2)
ML.2.999
Establish a policy that includes (DOMAIN NAME)


 

Practices

The model consists of 171 practices that are mapped across the five levels of capabilities and domains. Most of these practices originate from the safeguarding requirements and security requirements found in FAR Clause 52.204-21 and DFARS Clause 252.204-7012.

Level 1 is equivalent to all of the safeguarding requirements from the FAR clause.

Level 3 includes all of the security requirements in NIST 800-171 plus other practices.

CMMC Practices Per Level

Similar to how discussions and clarifications were included for Levels 1, 2 and 3 in Draft V0.7, the newest iteration includes discussions and clarifications for Levels 4 and 5 as well. These can be found in appendix B.

This appendix includes references, discussions from the sources, clarifications and examples of practices found in each of the 5 levels.

References

Each practice includes a reference. The reference refers to which standard or framework the practice can be mapped back to. For example, AC.1.001 can be referenced to a vast number of frameworks:

 FAR Clause 52.204-21 b.1.i
 NIST SP 800-171 Rev 1 3.1.1
 CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
 NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
 CERT RMM v1.2 TM:SG4:SP1
 NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
 AU ACSC Essential Eight

Discussion from Source

The discussion sections found for each practice include the reasoning and breakdown of what is being required of your organization. Here’s an example of what that looks like for AC.1.001:

Access control policies (e.g., identity-or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged) are addressed in requirement 3.1.2.

CMMC Clarifications and Examples

CMMC Clarifications are provided to give guidance to how to apply the practice to your organization. The discussion is there to tell you what to do, while the clarification is there to tell you how to do it. The clarifications also include examples to give contractors a practical view of how to implement the practice. The examples are not meant for guidance but rather to help explain the practice. Here’s another example from AC.1.001 of what the CMMC clarification looks like:

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.

Example 1
You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.

Example 2
A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will top non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax/ device to connect to the network, then install it.

Processes

CMMC Draft v0.7 contained 9 processes, whereas, v1.0 contains only 5 processes found within Maturity Levels 2, 3, 4 and 5. The processes are in place to provide additional assurances that the practices associated with each level are implemented effectively. These processes apply to all domains:

CMMC Processes
Maturity Level Maturity Level Description Processes
ML 1 Performed There are no maturity processes asses at Maturity Level 1
An organization performs Level 1 practices but does not have process institutionalization requirements.
ML 2 Documented Establish a policy that includes (DOMAIN NAME).
Document the CMMC practices to implement the {DOMAIN NAME) policy.
ML 3 Managed Establish, maintain, and resource a plan that includes (DOMAIN NAME).
ML 4 Reviewed Review and measure (DOMAIN NAME) activities for effectiveness.
ML 5 Optimizing Standardize and optimize a documented approach for (DOMAIN NAME) across all applicable organizaion units.

Appendix B includes references, source discussions and CMMC clarifications for all 5 processes. They do not include examples.

References

All 5 of the processes reference CERT RMM V1.2.
In example here are some references from ML.2.999:

– CERT RMM v1.2 GG2.GP2
– CERT RMM v1.2 GG2.GP3

Discussion from Source

Just like the discussions for practices, the discussion for processes also give insight into what exactly the process is expecting from you. Here’s an example from ML.2.999:

ML.2.999: Establish a policy that includes (DOMAIN NAME).
Discussion from Source: CERT RMM v1.2


Develop and publish organizational policy for the process.
Establish the organizational expectations for planning and performing the process, and communicate these expectations via poicy. THe policy should reflect higher level managers’ objectives for the process.

CMMC Clarification

This section will describe what specifically should be included in that policy, plan or procedure as well as what needs to be done to implement the process. Here’s another example from ML.2.999:

A policy is a high-level statement from an organization’s senior management that documents the requirements for a given activity. It is intended to establish organizational expectations for planning and performing the activity, and communicate those expectations to the organization. Senior management should sign policies to show its support of the activity.

At a minimum, the policy should:

– Clearly state the purpose of the policy
– Clearly define the scope of the policy: for example, enterprise-wide, department-wide, or information-system specific;
– Describe the roles and responsibilities of the activities covered by this policy: the responsibility, authority, and ownership fo (DOMAIN NAME) domain activities; and
– Establish or direct the establishment of procedures to carry out and meet the intent of the policy, include any regulatory guidelines this policy addresses.

The release of CMMC v1.0 marks a huge step in forward progress for CMMC. Along with this massive milestone an Accreditation Body has established itself with a Board of 17 Directors including chairman Ty Schieber. While no official MOU has been signed yet, it’s safe to say it: This is happening. Contractors can now start the CMMC process by undergoing assessments of the CMMC v1.0 and producing System Security Plans and Policies. ComplyUp can help.
 

Draft CMMC v0.7 Has Been Released

 
 

Draft CMMC v0.7 Has Been Released

 

Published:
Dec. 16th, 2019

 

Draft CMMC v0.7 is now available. Highlights: the addition of levels 4 and 5, discussions and clarification for level 2 and 3 practices and clarification on the CMMC Maturity Process.

The Official Draft is available here.

 
 

Levels 4 and 5 Have Been Added to the Draft


Not much has changed for the sections that were included in Draft v0.6. The Domains, Capabilities and Practices for Levels 1, 2 and 3 have remained the same. They have, however, included the practices for Levels 4 and 5 in v0.7.


The number of practices has decreased significantly from the practices included in Draft v0.4. v0.4 included a staggering 138 practices for levels 4 and 5. The new draft has slimmed that number down to. This was to be expected as we saw a similar downsize for levels 1, 2 and 3 from v.04 to v0.6.


There is no indication at this time that any of the versions will include discussions and clarifications for Levels 4 and 5, given the complex nature of the practices found in those levels.


 

Discussions and Clarification on Levels 2 and 3 are Now Included


Similar to how discussions and clarifications were included for Level 1 in Draft V0.6, the newest iteration includes discussions and clarifications for Levels 2 and 3 as well. These can be found in appendixes B, C and D of Draft CMMC v0.7.


These appendixes include references, discussions, clarifications and examples of practices found in each of the 3 levels.


References

Each practice includes a reference. The reference refers to which standard or framework the practice can be mapped back to. For example, P1213 can be referenced to 48 CFR 52.204-21 and NIST SP 800-171.

References

– 48 CFR 52.204-21 b.1.xv
– NIST SP 800-171 3.14.5


Draft v0.7 has excluded all practices that can map back to NIST 800-171 from the Level 3 discussions and clarifications.


Discussions

The discussion sections found for each practice include the reasoning and breakdown of what is being required of your organization. Here’s an example of what that looks like for P1213:


NIST 800-171R2 Discussion

Clarifications and Examples

Clarifications are provided to give guidance on how to apply the practice to your organization. The discussion is there to tell you what to do, while the clarification is there to tell you how to do it. The clarifications also include examples to give contractors a practical view of how to implement the practice. The examples are not meant for guidance but rather to help explain the practice. Here’s another example from P1213 of what the clarification looks like:

CMMC v0.7 Clarification

CMMC v0.7 Clarification Example
 

Clarification on the CMMC Maturity Process


The new draft also includes an appendix on clarification of what the CMMC Process Maturity looks like.


Process for CMMC Maturity Level

We can see that there are 9 processes found within Maturity Levels 2, 3, 4 and 5. Appendix E includes references, discussions and certifications for all 9 of those process. Examples are not included.


References

All 9 of the processes reference CERT RMM V1.2.
For example:
CERT RMM v1.2 GG3.GP2


Discussions

Just like the discussions for practices, the discussion for processes also give insight into what exactly the process is expecting from you. Here’s an example from MP001:


Discussion CERT RMM v1.2

Clarifications

This section will describe what specifically should be included in that policy, plan or procedure as well as what needs to be done to implement the process. Here’s another example from MP001:


MP001 Clarification

The clarification that Draft V0.7 gives for the processes included in the Process Maturity Levels appear to be quite valuable. CMMC can, in a way, be viewed as two types of requirements: Practices and Processes. While the previous iterations of the draft have provided clarity on what the practices look like, this version has brought that same clarity to the processes side of the CMMC.


CMMC Model Version 1.0 is still scheduled to be released in late January 2020.


 

Draft CMMC v0.6 Has Been Released

 
 

Draft CMMC v0.6 Has Been Released

 

Published:
Nov. 11th, 2019

 

Draft CMMC v0.6 is now available, and as expected there are several changes to the standard. OUSD released the draft on Friday, November 8th to give industry a better look at what it can expect when the final CMMC revision is published.

The Official Draft is available here.

 
 

Reduction, Modification and Clarification.


Based on the feedback received from Draft V0.4, this version significantly reduces the model size, modifies the practices and processes, and provides clarifications and examples for CMMC Level 1 (the examples and recommendations for implementing the practices found in Level 1 are collected in Appendix B).


The Model’s framework has not changed and is still comprised of Domains, Capabilities, and practices and processes. Capabilities are assigned a unique number now (C###), and practices are also designated with an identifier (P1###) as well.


Adherence to CMMC processes and practices is cumulative. Once a practice is introduced in a level, it is a required practice for all levels above. For example, in order to achieve a Level 3 certification, contractors must implement all practices and processes found in Levels 1, 2 and 3. An organization that scores a Level 3 on practice implementation and a Level 2 on process institutionalization will be assigned a CMMC Level of 2. CMMC is still a go/no go decision. You have either implemented and demonstrated all the practices and processes found in a Level to achieve that certification or you will not receive that certification.


One specific practice in v0.6 introduces a bit of confusion. P1159 requires development and implementation of plans of actions (POA&Ms). This requirement doesn’t seem to fit with the Go/No go model.


The new draft includes 17 domains (one has been removed since Draft V0.4). The v0.6 domains contain 40 Capabilities: C001 – C044 (C006, C030, C033 and C038 are missing from the draft).


V0.6 also includes some clarification on what CMMC Process Maturity looks like. For example, a CMMC Level 3 organization must meet both the Level 3 defined practices, as well as the defined processes of Maturity Level (ML) 3. CMMC Version 1.0 will include tailored maturity processes for each domain. Additional assessment guidance and clarification will be provided in future iterations. Note that the nine processes are applied to each domain individually.


 

Processes for each CMMC Maturity Level (ML)


CMMC Maturity Level Processes

v0.6 Provides More Detailed Clarification on the Certification Levels.


Level 1 –

Level 1 is considered the foundation for the higher levels of the model. Every contractor and subcontractor will have to have a minimum of level 1 certification. At Level 1 and 2, organizations may be provided with FCI (Federal Contract Information). FCI is sensitive information that is not intended for public release. FCI is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

Level 1 is primarily comprised of access control and physical protection requirements. Level 1 does not include process maturity, so it is unnecessary for organizations to exhibit process institutionalization.

Level 2 –

At CMMC Level 2, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of their cybersecurity program. Levels 2 – 5 require organizations to produce and maintain a System Security Plan, similar to NIST 800-171.

Level 2 has more complicated practices and processes including employing FIPS-validated cryptography when used to protect the confidentiality of FCI. The process maturity dimension of the model is introduced at Level 2.

Level 3 –

Level 3 will include all 110 controls found in NIST 800-171 Rev1, and will require full implementation of those controls. This level will be required of ALL organizations that receive and/or generate any CUI (Controlled Unclassified Information).

Level 4 and 5 –

Levels 4 and 5 were not included in the draft v0.6 as they are still undergoing modification based on feedback that was received from draft V0.4. The updates to CMMC Levels 4 and 5 will be included in the next release.

CMMC Model Version 1.0, to be released in late January 2020, will be in document form with clarifications for Levels 1-2. CMMC Model Version 1.0 will also include a mapping to the key references that informed model development.

CMMC Accreditation Body RFI Update

 
 

CMMC Accreditation Body RFI Update: Questions and Answers

Published:
Oct. 19th, 2019

OUSD(A&S) has released answers to questions submitted in response to the CMMC Accreditation Body RFI.

 

Key Takeaways:


1 . A modification to the RFI now allows for-profit entities to respond. A single non-profit organization will still become the Accreditation Body, OUSD(A&S) is interested in understanding what relevant capabilities exist to support the operations of the Accreditation Body. The response due date remains the same (10/21).

2 . OUSD(A&S) is relying heavily on the Accreditation Body to set the standards, process and requirements for becoming certified, becoming an accredited C3PAO and managing most of the CMMC.

The Accreditation Body is going to be responsible for the following:


What the process is to become a certified C3PAO

The requirements for becoming a certified C3PAO

What the requirements will look like for C3PAO recertification

How long a contractor’s certification will last

Establishing requirements for Individual Assessors who are either employed by a certified C3PAO or work independently

Handle all contracts/agreements with C3PAOs

Deciding the proper use of an Assessment Tool

How many C3PAOs there will be (no limit is anticipated)

The model for how the system will work (processes and practices of becoming accredited and certifying contractors)

Ramping up its own ability and capacity to conduct training over time

Set requirements with respect to conflict of interest between the Accreditation Body, C3PAO organizations and organizations that perform remediation or “security as a service”.

Several questions were submitted regarding how and when the 300,000 contractors will become certified. OUSD(A&S) stated that there is no estimate for how many C3PAOs there will be to support getting this number certified and that the timeline depends upon the size and capacity of these organizations. They also anticipate that it will ramp up over time.

Subscribe to our CMMC mailing list to be notified of any updates that occur involving C3PAOs.

The Complete Q&A list follows:


Question 1: Is this a new requirement or contract renewal?

– Answer: This is not a contract renewal and the government anticipates that no contract will result from this RFI. The purpose of the RFI is to obtain information.

Question 2: If renewal, what is current contract number?

– Answer: Please refer to the answer associated with Question 1.

Question 3: When does the Government anticipate the RFP release?

– Answer: Please refer to the answer associated with Question 1.

Question 4: Will the RFP solicitation number be changed?

– Answer: Please refer to the answer associated with Question 1.

Question 5: When does the Government anticipate the award – FY19?

– Answer: Please refer to the answer associated with Question 1.

Question 6: Do you know what the process is to become a certified 3rd party to perform CMMC accreditations?

– Answer: That process has yet to be determined. It is anticipated that this process will be determined by the CMMC Accreditation Body.

Question 7: The RFI states that “The working estimate for the number of organizations requiring CMMC certifications is 300,000”. To support this large number of organizations requiring CMMC certifications, how many Third Party Assessment Organizations (C3PAOs) are estimated to be accredited by the CMMC Accreditation Body?

– Answer: There is no estimate at this time. The number of C3PAOs will depend upon the size and capacity of these organizations, and it is anticipated that it will ramp up over time.

Question 8: Once a C3PAO is accredited/certified at a specified level by the CMMC Accreditation Body, what is the re-assessment cycle (Continuous Monitoring) to keep the C3PAO at that CMMC at a specified level? This will help better understand the scope, size and workload of the CMMC Accreditation Body activities for re-assessments.

– Answer: The CMMC Accreditation Body will establish the requirements for C3PAO recertification.

Question 9: The RFI states that “Each assessment will be conducted by a credentialed independent assessor working for an accredited C3PAO under the oversight of the CMMC Accreditation Body”. Is the intent of the Govt. to have the Accreditation Body accredit individuals as independent CMMC Assessors regardless of their employment status with an accredited C3PAO or not?
Once an individual is accredited as an independent assessor (by the CMMC Accreditation Body), will the individual be capable of conducting assessments for a different C3PAO if the employment situation changes?
Please clarify.

– Answer: The CMMC Accreditation Body will establish requirements for individual assessors who are either employed by a certified C3PAO or work independently.

Question 10: The RFI states that “The working estimate for the number of organizations requiring CMMC certifications is 300,000”. In the future, if organizations/companies (not within the 300,000 estimate) who need to achieve CMMC certification (due to non-DoD agency requirements or other private sector compliance needs), will the CMMC Accreditation Body be the only organization responsible for managing, operating and sustaining the CMMC program for such companies?

– Answer: See response to Question 13. The initial focus of CMMC is for the DIB sector that supports the DoD.

Question 11: Do you have an estimate of the number of companies that you expect will seek accreditation in 2020, the first year of CMMC implementation?

– Answer: Not at this time.

Question 12: When do you expect the accreditation process to begin (i.e., what is the timeframe to be “up and running”)?

– Answer: The goal is for the Accreditation Body to be established and prepared to certify candidate C3PAOs in Spring 2020.

Question 13: Are you anticipating more than one accrediting body? If so, do you expect the different organizations to have a specific regional or functional focus?

– Answer: It is anticipated at this time that there will be a single CMMC Accreditation Body that may be comprised of one or more organizations.

Question 14: Will there be any special government contracting requirements other than getting trained/licensed through the future accreditation agency?

– Answer: It is anticipated that C3PAOs will establish a contract / agreement with the Accreditation Body and not the Government.

Question 15: In the RFI there is a reference to, ‘Maintain the Reference Implementation Assessment Tool’, Could you provide some background? Can a proprietary platform/assessment tools could serve the needs of the CMMC Program?

– Answer: The CMMC Accreditation Body will decide the proper use of the assessment tool.

Question 16: What evaluation criteria and weighting factors will be used to select the Accreditation Body?

– Answer: It is anticipated that interested entities will form the Accreditation Body.

Question 17: If a company has specific technical capabilities that they believe will be of value to the Accreditation Body, including the industry community records management systems/databases identified in Section 4.0 of the RFI, should they respond to the RFI describing those capabilities, or should they approach the Accreditation Body directly once it is announced?

– Answer: Please submit a whitepaper in response to the RFI.

Question 18: The user of the term Cybersecurity suggests that privacy controls would be excluded from this pursuit. Does the government intend to address both security and privacy (either alone or in combination as individual certification circumstances dictate) as that is in their best interest?

– Answer: Please refer to the draft CMMC Model (v0.4) on the CMMC website https://www.acq.osd.mil/cmmc/index.html for details of the security requirements and/or practices and processes.

Question 19: Does the scope of this effort pertain solely to CUI? Not suggesting Classified information be included in this program, but there are many other types of data (e.g., FTI, PCI, PHI, PII) that federal entities may have occasion to receive, transmit, or maintain and it would be in the government’s best interest to implement a program that would allow organizations to customize their certifications according to the data they have all in one unified but flexible program.

– Answer: Please refer to the draft CMMC Model (v0.4) on the CMMC website https://www.acq.osd.mil/cmmc/index.html for details of what is included within the CMMC Model.

Question 20: The RFI provides a working estimate of 300,000 organizations in the scope of this effort. Could the CMMC Program Office provide a more granular distribution based on size of the organization? If possible it would be helpful if the distribution were not only based on the number of personnel per organization, but also the volume of data each must protect. Additionally, do they intend to have multiple assessments per organization? Such as contractor XYZ who has multiple contract vehicles and possible multiple networks/location? Would this contractor have to undergo multiple assessments?

– Answer: The DIB sector consists of a diverse set of contractors with respect to size, from small to large. The vast majority of the DIB sector consists of small businesses.

Question 21: Does the OUSD anticipate that the CMMC model will be based on or map to FIPS 199 Security Categorizations?

– Answer: The mapping between the CMMC Model and other standards and references will be included in Release version 1.0 in January 2020.

Question 22: Is there a limit to how many entities we can accredit?

– Answer: There is no limit to the number of entities who can receive accreditation. It is anticipated that the number will be driven by the marketplace and the ability of candidate C3PAOs to meet requirements set by the Accreditation Body.

Question 23: Are they modeling this accreditation system after anything else and if so what is that?

– Answer: We are not modeling the accreditation system after any other system. The Accreditation Body may choose to take advantage of lessons learned from other accreditation bodies while meeting requirements.

Question 24: In section one of the program description, it indicates a requirement to submit to the RFI the submitting body should be organized as a “non-profit organization”. Is this required to submit content to the RFI and ultimately to be considered as the facilitator or board accreditation body manager if the program is established?

– Answer: For-profit entities can respond to the RFI. Once organized, the Accreditation Body itself will determine its corporate status.

Question 25: Why are only non-profits requested to respond? It should be open to all for information input. It gives the appearance that if the government were to issue a RFP, a level of “pre-selection” is involved.

– Answer: Please see answer associated with Question 1 and Question 24.

Question 26: Preventing loss of Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB) is critical to maintaining national security is provided as background information in the RFI. If this is so critical, why wouldn’t the government provide seed funding, in the event that an RFP is issued, for an organization to work through issues for the first 2-3 years, since the CMMC program is expected to effect at least 300,000 companies or more?

– Answer: Please see answer associated with Question 1.

Question 27: If an RFP is issued and an Accreditation Body is awarded, an MOU may not be the proper mechanism to manage the government’s relationship with the Accreditation Body.
Has any thought been given to using an Other Transaction Agreement to be flexible to manage the relationship?

– Answer: Please see answer associated with Question 1.

Question 28: SBIR’s are important to DOD but are with very small companies, with very few employees. Has there been any thought to work with the SBIR program, to either pay for or guide the company to help with assessment or allow more costs to be added to a phase 1 participant to cover the assessment cost?

– Answer: Any such use of the SBIR program is yet to be determined. Please submit a whitepaper in response to the RFI.

Question 29: I did not see any prohibition for government organizations being accredited. Is this correct?

– Answer: It is anticipated that certified C3PAOs will be commercial, third-party organizations.

Question 30: Once a government contractor is granted a CMMC certification how long is that certification good for?

– Answer: It is anticipated that the Accreditation Body will set the requirements for recertification.

Question 31: Will instructors and/or assessors require clearances for top secret facilities?

– Answer: The certified C3PAOs will only assess non-federal unclassified networks. It is anticipated that the Accreditation Body and/or certified C3PAOs will work with DIB contractors with respect to access requirements for credentialed CMMC assessors.

Question 32: What framework will be used to base the CMMC against?

– Answer: The draft CMMC Model cites multiple references. Please refer to the draft CMMC Model (v0.4) on the CMMC website https://www.acq.osd.mil/cmmc/index.html for details of what is included within the CMMC Model.

Question 33: What are the specific definitions for “micro”, “small” and “mid-sized”?

– Answer: Please refer to the answer associated with Question 20.

Question 34: What is the specific definition for “large” customers?

– Answer: Please refer to the answer associated with Question 20.

Question 35: What are the cut-offs for cybersecurity maturity: low-end, high-end?

– Answer: The draft CMMC Model consists of QTY 5 levels. Please refer to the draft CMMC Model (v0.4) on the CMMC website https://www.acq.osd.mil/cmmc/index.html for details of what is included within the CMMC Model.

Question 36: What is the capacity requirement for training?

– Answer: It is anticipated that the Accreditation Body’s capacity to conduct training will ramp up over time.

Question 37: Will there be any Conflict of Interest restrictions between the Accreditation Body, the C3PAO organizations, and organizations that perform remediation or “security as a service” tasks for DIB vendors?

– Answer: The Accreditation Body will set requirements with respect to conflict of interest amongst these entities.

Question 38: If a company is involved as part of the accreditation body, would they be ineligible to become a C3PAO?

– Answer: Please see the answer associated with Question 37.

DoD Issues Accreditation Body RFI

 
 

DoD Issues Accreditation Body RFI

 

Published:
Oct. 7th, 2019

An RFI has been issued to gather information on establishing a non-profit to act as the Accreditation Body for the Cybersecurity Maturity Model Certification.

(And it’s cleared up some of the process for us)



The Office of the Undersecretary of Defense (Acquisition & Sustainment) (OUSD(A&S)) in the Department of Defense has issued an RFI (Request for Information), found here, to determine if a non-profit entity could successfully function as the Accreditation Body for CMMC. Some of the RFI key points follow:

• The Accreditation Body Will be a Non-Profit Organization.


The Government’s goal is for a non-profit organization to become the Accreditation Body that will handle a number of activities within CMMC and do so using revenue generated through dues, fees, partner relationships, conferences, etc. The Government will not be funding or providing resources to the Accreditation Body.

The figure depicts the program relationships
among the major components of the CMMC Program.

CMMC Organizational Relationships

• Auditors Now Have an Official Title: C3PAOs (CMMC Third Party Assessment Organizations).


Auditors that become accredited will be referred to as CMMC Third Party Assessment Organizations (C3PAOs). After accreditation they will conduct CMMC assessments and grant CMMC certifications to eligible contractors.

• Assessments for Certification Will be Conducted On-Site.


CMMC Assessments will be evidence-based, on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model. They will be conducted by C3PAOs. The estimated number of organizations requiring CMMC certifications is 300,000 with a high majority of those being micro-, small- and mid-sized. Each assessment will be conducted by a credentialed independent assessor working for an accredited C3PAO.

• The CMMC Accreditation Body Will be Responsible for Managing, Operating and Sustaining the CMMC program.


The CMMC Accreditation Body will conduct, but is not limited to, the following ongoing activities:

– Accredit C3PAOs

– Conduct CMMC Training for C3PAOs and Assessors

– Implement Individual Assessor and C3PAO Quality Control Programs

– Coordinate and report metrics with the CMMC PMO

– Maintain the Reference Implementation Assessment Tool

– Manage and maintain CMMC assessor training and associated assessment guidance

– Manage and maintain CMMC supporting systems and databases (records management, knowledge sharing and marketplace, artifact store)

– Manage the dispute resolution process to adjudicate C3PAO technical appeals and complaints.

The figure below is a notional functional decomposition that describes potential areas of work associated with the CMMC Accreditation Body Activities.

CMMC Accreditation Body Functional Decomposition

• OUSD (A&S) is Seeking Input from Industry on the Following:


• Approaches that meet the Government’s intent for the Accreditation Body.

• Potential CMMC Accreditation Body organizational structure.

• Potential CMMC Accreditation Body financial arrangements (i.e. business model).

• Extent of interest a non-profit has in performing one or more of the functions of the Accreditation Body.

• Areas where the CMMC Accreditation Body can leverage established organizations, standards, tools and automation opportunities.



Responses to this RFI are due by 10/21/19. To learn more about the CMMC, visit our CMMC page.

Draft CMMC v0.4 Has Been Released

 
 

Draft CMMC v0.4 Has Been Released

 

Published:
Sept. 6th, 2019

The Wait is Over.


The mid-point release of the CMMC standard is out in draft for a limited time.
We can finally see what the standard is shaping up to look like. The DoD has released the draft in an effort to gain industry feedback on the model. This is the first of three drafts that they plan to release. Draft CMMC v0.4 will be available until September 25, 2019 for feedback and review.

The Official Draft is available here.

CMMC Model Framework

What does the Model Framework look like?


CMMC model framework consists of 18 domains, based on cybersecurity “best practices”. You could compare CMMC’s “domains” to the “families” of NIST 800-171. Inside these domains you’ll find capabilities which are comparable to the controls you would find in the NIST framework. Finally, capabilities are comprised of practices and processes, which are mapped to CMMC Levels 1 through Level 5.


To break that down, basically you have a group of 18 domains (families). Inside the domains are a number of capabilities (controls), and inside each capability are different practices and processes which are primarily activities required by level to achieve said capability.

  – Practices are activities performed at each level of the domain
  – Processess detail maturity of institutionalization for the practices

CMMC Model Level Descriptions


CMMC September Draft Levels

CMMC Model Rev 0.4 Levels by the Numbers


Domains Capabilities Total Practices per Domain Practices per Level
Level 1 Level 2 Level 3 Level 4 Level 5
Access Control 5 30 5 9 11 5 0
Assett Management 4 19 2 5 7 5 0
Audit and Accountability 8 27 2 9 7 7 2
Awareness and Training 4 16 0 4 5 7 0
Configuration Management 5 21 2 8 4 6 1
Cybersecurity Governance 4 21 2 6 4 9 0
Identity and Authorization 2 17 2 1 9 2 3
Incident Response 9 41 3 15 7 9 7
Maintenance 2 9 1 5 2 1 0
Media Protection 8 13 1 6 5 0 1
Personnel Security 2 5 2 2 0 1 0
Physical Protection 5 17 4 10 3 0 0
Recovery 2 8 0 3 3 2 0
Risk Management 7 36 0 9 6 15 6
Security Assessment 6 15 1 6 2 5 1
Situational Awareness 4 17 2 2 3 7 3
System and Comms Protection 3 45 2 10 13 12 8
Systems and Info Integrity 5 13 4 5 0 2 2
  Total Practices Per Level 35 115 91 95 34

The Difference Between Levels


Levels 1 and 2 are intended to provide basic cybersecurity standards that will include practices such as anti-virus, ad hoc incident response, awareness and training, risk management, and security continuity.

Level 3 will be required of any contractor who actually handles and stores CUI. It will include all NIST SP 800-171 Rev 1 requirements, an Information Security Continuity Plan and ensure you are able to communicate threat information to key stakeholders.

Levels 4 and 5 are targeted toward a small subset of the DIB (Defense Industrial Base) sector that supports DOD critical programs and technologies.

Timeline/Schedule


– Public comment of draft CMMC Rev 0.4 in September 2019

– Public comment of draft CMMC Rev 0.6 in November 2019

– CMMC Rev 1.0 will be released in January 2020

– CMMC will be included in RFIs starting in June 2020

– CMMC will be included in RFPs starting in Fall 2020

Important Notes to Remember


The model is still being refined and a reduction in size is anticipated. This means that they are still working out the kinks. Keep in mind the goal of CMMC is to be cost-effective and affordable for small business to implement the lower levels.

Detailed assessment guidance is still under development as well. They are planning on releasing a series of “Desk Books” to give concrete expectation for each CMMC level. These desk books will address both contractors and auditors.

Contractors can expect the desk books to spell out specifically what is required to obtain certification at a specific level, plus implementation examples where appropriate. On the auditor side, these books will clearly state what should be evaluated and how. This will ensure audit results are trustworthy regardless of the source.

CMMC Updates (08-21)

 
 

CMMC Updates (August 21st)

 

Published:
Aug. 22nd, 2019

Timeline Updates:


Jan 2020 – Accreditation Body selected and begins accepting auditor applications.
June 2020 – Auditors are assessing contractors en masse.
Oct/Nov 2020 – CMMC starts hitting RFPs.


Updates on CMMC Levels –


Level 1 will be equivalent to the type of security you should have on your home network.
Any organization that handles CUI will be a Level 3.
Multi-factor authentication will be a Level 2 requirement.
Only the most sensitive programs will require Level 4/5, for example Hypersonics.
Level 4/5 will be incredibly expensive.
As the model stands today, level 3 requirements will feel very similar to NIST SP 800-171 v1.


Updated CMMC Timeline

Accreditation Body –


The non-profit entity that will “certify the certifiers” is now being referred to as the Accreditation Body. In a departure from previous plans, the CMMC team is reviewing the legality and benefit of assigning this role to a commercial entity already established in the standards/compliance industry.

Auditor Certification –


An organization that seeks to become and auditor will be certified at the organizational level, not the individual/employee level. It is expected that organizations will have their own requirements for hiring auditor staff (e.g. CISA, CISSP, etc).

CMMC v0.4 Release –


Version 0.4 of the model is set to be released to the public in mid-September on the CMMC site. As is common with special publications and standards, public comment will be sought and incorporated into future revisions and CMMC updates. Version 1 is on schedule for release in January 2020.

Desk Books

Desk Books –


The CMMC team intends to develop a series of “Desk Books” to give concrete expectations for each CMMC Level. These desk books will come in two flavors: Contractors and Auditors.

For contractors, the desk books will spell out specifically what is required to obtain certification at a specific level, plus implementation examples where appropriate (e.g. multi-factor). These desk books are meant to provide contractors with “answers to the test” so there will be no surprises during an audit.

On the auditor side, these books will clearly state what should be evaluated and how. This will ensure audit results are trustworthy regardless of the source.

Self-Assessment –


The CMMC team encourages and expects contractors to use the Desk Books and self-assessment tools to prepare for an audit. Having self-assessment results prepared will save time and reduce the cost of an audit.

Funding –


The CMMC team is having conversations about creating/leveraging small-business assistance programs to aid small businesses. Currently, there is nothing concrete and no guarantees regarding assistance will be made. This assistance would be different than the “security is an allowable cost” changes discussed previously.

POA&Ms –


Edit: While it has been made very clear that CMMC is a go/no-go decision, the latest draft (V0.6) includes a practice that requires plans of actions for any deficiencies. This is a bit confusing since a failed practice means you will not receive certification for that level. We’ll have to see how this develops in the final iteration of the standard.

Reciprocity –


The CMMC team is working closely with other standards/framework entities (e.g. FedRAMP) to determine what/if reciprocity would look like. These conversations will lead to a list of existing accreditations that satisfy specific CMMC levels.

CMMC Consortium –


A governing body/consortium will be established to guide CMMC into the future. Members will likely include ISACA, CMMI, and industry partners. Consortium members will be prohibited from functioning as auditors.

Certification Renewal –


Edit: Recertification will now be based on the level of certification an organization hopes to maintain. CMMC certification renewal is as follows:

Level 1 and Level 2
Recertification will be required every 3 years.

Level 3
Recertification will be required bi-annually.

Level 4 and Level 5
Recertification will be required annually.

Emerging Threats –


The CMMC team is still exploring options for rapidly modifying the model to adapt to emerging threats. Additionally, methods of distributing information on threats to certified contractors are being considered.

Subcontractor Flow Downs –


New positions such as Acquisition Security Analyst and Acquisition Intelligence Analyst will be created to better position Program Managers to evaluate the CUI requirements and appropriate contractor CMMC Levels for a contract. When a prime submits a proposal, it will be the responsibility of the prime (with acceptance of the contacting officer) to appropriately establish the CMMC Level to flow down to subcontractors. This will primarily be determined by whether the subcontractor requires access to the CUI held by the prime. Proposals will need to contain a list of subcontractors along with their certified CMMC Level, plus the CMMC Level the prime expects will be needed to perform the activities being delegated to the sub. There may be challenges initially as contracting officers and primes work through this process, and it is expected that a standard process for CMMC Level Flow Down will ultimately emerge.

DoD 5000 –


DoD 5000 is being rewritten so the acquisition force understands what CUI is and how to convey needs appropriately through RFPs.

CMMC beyond DoD –


The CMMC team expects/hopes that this model will eventually go government wide. Further, they would be very happy to see it adopted as an official ISO-9000 style standard.

Validating Certification –


At this time, the CMMC team expects validation of certification to be done by the Contracting Officer during proposal review. In practice, this may translate to CMMC Certification/Audit Deliverables/System Security Plan submission with a proposal. This process is not set in stone at this time. The government is still considering whether a “Clearing House” for contractor certification levels will be deployed. If deployed, this system may contain assessment results or evidence for each contractor. ComplyUp is being evaluated as a potential vendor for this system.

Validated Certification

Contractor/Auditor Adjudication –


The government will craft some sort of adjudication process where disagreements over audit results can be reviewed.

Public List of Auditors –


The CMMC team has not yet decided if it will centrally host a list of Auditors (similar to FedRAMP 3PAOs).

Conflict of Interest –


Large organizations with distinct divisions cannot perform audits of themselves. Organizations cannot function as both the technical consultant and auditor for a client.

CMMC Support on the Hill –


CMMC is perceived as a positive in Congress, and the program has been up-funded several times in its short existence. Support for CMMC is bi-partisan and unlikely to diminish regardless of the next election cycle.

As the year progresses, we’re on track to get more insight on the upcoming Cybersecurity Maturity Model Certification. Future CMMC updates will be covered here.

Clarification on CMMC and NIST 800-171

 
 

Clarification on CMMC and NIST 800-171

 

Published:
Aug. 2nd, 2019

There seems to be a good bit of confusion surrounding the upcoming Cybersecurity Maturity Model Certification (CMMC), particularly regarding what DoD contractors can expect from it and how it relates to the current NIST 800-171 requirements. Through talks with our customers and others in the industry, we’re learning that there’s a lot of misinformation out there. We have had direct conversations with Ms. Katie Arrington and her team, and we would like to clarify some things around the subject.

What exactly is CMMC? How does it relate to NIST 800-171?

CMMC is a new standard that will take the place of NIST 800-171. CMMC is not entirely derived from NIST 800-171; rather it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.

As it stands, thousands of small businesses that perform minor but crucial roles on contracts for the DoD are being asked to adhere to the same standard (NIST 800-171) that the big boys like Lockheed Martin and Northrop Grumman are going through. This puts a tremendous burden on the small and mid-size businesses due to the costs and efforts of implementing and maintaining the requirements in 800-171.

CMMC is a much more practical approach. If you are only selling nuts and bolts to a larger prime, there is no need for you to go through the effort of implementing all 110 requirements of NIST 800-171. You may only need to implement 63 of the new requirements to achieve a level 2 certification for CMMC, or even less to be level 1 certified.

Another key difference between the two standards is that while NIST 800-171 allows contractors to self-attest compliance, CMMC will require 3rd party certification. This means contracts requiring Level 1 certification will only be open to bidding by those businesses that have implemented the 17 Level 1 controls in CMMC and been audited.

In short, CMMC is not the same standard as NIST 800-171.

Do I still need to comply with NIST 800-171 with CMMC right around the corner?

Yes. NIST 800-171 is still in full effect under the DFARS clause 252.204-7012. Although CMMC is moving quickly, it will not be implemented overnight. It is still important that you produce documentation demonstrating compliance with 800-171.

The best way to get compliant with 800-171 while still preparing for CMMC is to assess your organization against the current 110 requirements of 800-171 and produce the required documentation (System Security Plan and Plan of Actions & Milestones). This will satisfy the current DFARS clause and give your organization clarification on where you stand in relation to the upcoming CMMC requirements.

To learn more about the CMMC process and how to get your organization ahead of the curve, get plugged in at complyup.com/cmmc or reach us at info@complyupstage.wpengine.com for more information.