The Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program is on the verge of significant transformation, and defense contractors must be well-prepared. While we eagerly await the finalization of the CMMC Proposed Rule, which the DoD published in the Federal Register on December 26, 2023, let's take a deep dive into some critical insights and guidance to help you stay ahead in this evolving landscape.
1. CMMC Cost Estimates
It's essential to recognize that the estimated costs for achieving CMMC compliance do not cover the expenses associated with adhering to FAR clause 52.204-21 or the implementation of NIST SP 800-171 requirements. These are pre-existing obligations separate from the CMMC framework. For a comprehensive understanding of your compliance costs, consider these factors in addition to the CMMC-related expenses.
2. Level 2 Security Controls and NIST SP 800-171 R2
CMMC Level 2 will necessitate compliance with 110 security controls and 320 assessment objectives, mirroring the requirements outlined in NIST Special Publication 800-171 Revision 2 (R2). This alignment underscores the importance of understanding and adhering to NIST 800-171 R2 for defense contractors who handle Controlled Unclassified Information (CUI). It's a foundational step to achieving CMMC Level 2 and maintaining eligibility in the defense supply chain.
3. C3PAOs - The New Norm
The CMMC Third Party Assessment Organizations (C3PAOs) are set to play a pivotal role in the assessment process. The proposed rule estimates that approximately 95% of organizations dealing with CUI will require C3PAO certification. While self-assessment will still be an option for a limited few, the majority will need to engage accredited assessors. This emphasizes the significance of choosing reliable C3PAOs for your assessments.
4. Plan of Action and Milestones (POA&M) - A Limited Lifeline
The proposed rule provides clarity on POA&Ms. While they will be permitted under specific circumstances, they won't be a universal safety net. Organizations pursuing CMMC certification need to understand that not all controls are eligible for POA&Ms. Moreover, the highest-weighted security controls, worth 3 and 5 points per the DoD's Assessment Methodology, won't be POAMable. All security gaps must be addressed within 180 days of the initial assessment.
5. Joint Surveillance Voluntary Assessments (JSVA) - A Direct Path to CMMC Level 2
A significant advantage highlighted in the proposed rule is the direct transferability of 110/110 JSVA results to CMMC Level 2 certification. However, this comes with a caveat - your JSVA must score perfectly, with no open POAMs. It's a testament to the importance of meticulous preparation and execution in the assessment process.
6. Encryption and FIPS Validated Cryptographic Modules
For defense contractors and Cloud Service Providers (CSPs) using encryption to protect CUI and support CMMC Level 2 certification, there's a clear requirement for FIPS-validated cryptographic modules. This certification ensures the security of encryption processes. Organizations should proactively request FIPS 140-2 certification from their CSPs to maintain compliance.
7. Email Systems and DFARS 252.204-7012 (c)-(g)
The proposed rule clarifies that common commercial email systems like Office 365 fall short of compliance with DFARS 252.204-7012 (c)-(g). These regulations pertain to cyber incident reporting. Organizations using CSPs for email services should seek attestation from their CSPs regarding compliance with these requirements.
8. CMMC Scoring Methodology
Partial scoring is applied for Multi-factor Authentication (MFA) and Federal Information Processing Standards (FIPS) validated encryption. For MFA (IA-L126.96.36.199), if it's implemented only for remote and privileged users, 3 points are deducted from the maximum score. If MFA is not implemented at all, 5 points are deducted.
Regarding FIPS-validated encryption (SC.L2-3.13.11), if encryption is employed but not FIPS-validated, a deduction of 3 points is made. If encryption is not used at all, 5 points are deducted from the maximum score. These scoring rules reflect the importance of both MFA and FIPS-validated encryption in protecting sensitive information.
9. Eternal Service Providers (ESPs)
When an Organization Seeking Accreditation (OSA) employs an External Service Provider (ESP) that is not a Cloud Service Provider (CSP), the ESP must have a CMMC Level 2 Final Certification Assessment. If the ESP is part of the OSA's internal operations, its security measures should be detailed in the OSA's System Security Plan (SSP). For entities targeting CMMC Level 3 Certification, any utilized ESP, excluding CSPs, must also hold a CMMC Level 3 Final Certification. Similarly, an internal ESP's security protocols must be included in the Organization's SSP. If a CSP is used, adherence to specific guidelines outlined in § 170.18(c)(5) is required, ensuring that any CUI or Security Protection Data is processed, stored, or transmitted on ESP assets.
The Final Rule is anticipated to be published in late 2024 or early 2025. As CMMC becomes part of the Defense Federal Acquisition Regulation Supplement (DFARS), contractors may need to secure certification before contract awards. CMMC will be phased in over a three-year period.
The CMMC Proposed Rule brings clarity and structure to the upcoming changes in CMMC compliance. Understanding these key insights is pivotal for defense contractors aiming to maintain their position in the defense supply chain. While the timeline for implementation extends over a few years, now is the time to proactively improve your cybersecurity posture and align with the upcoming CMMC requirements. Stay informed, stay prepared, and navigate the evolving landscape with confidence.
Looking to navigate the complexities of CMMC 2.0? Aspire Cyber is here to guide you through every step. With our team of Certified CMMC Assessors and our status as a C3PAO Candidate pending DIBCAC High Assessment, we're equipped to support your cybersecurity compliance journey. Contact us at Aspire Cyber for expertise you can trust.