CMMC was put on hold until recently, but it is now rolling forward again at high speed. DoD held a CMMC Day Conference in May 2022 and stated its goal of submitting a proposed rule in July 2022 (no proposed rule has been published to date) and issuing two interim final rules by March 2023. If DoD is able to stay on track (which does not appear to be the case) and issue the final interim rule by March 2023, contractors could start seeing CMMC requirements in solicitations soon after.
What’s the difference between the basic assessment under NIST and the self-assessment under CMMC 2.0?
While the CMMC self-assessment is similar to the basic assessment performed using the criteria in NIST SP 800-171, the biggest difference rolling out with CMMC 2.0 is that a company or university executive will certify the accuracy of the CMMC scores uploaded into SPRS and will be held accountable for the validity of the score. DoD is planning to establish a minimum SPRS score and a time frame for implementing the security controls listed in the plan of action. It is likely that DCAA auditors will see a nexus and get involved. The planned changes are discussed below.
What are the types of assessments/certifications?
If you recall, CMMC 2.0 reduced the number of CMMC maturity levels from 5 to 3. The CMMC 2.0 realignment has brought the Level 1 and Level 2 requirements into alignment with the NIST SP 800-171 security controls. DoD is still working on the specific security controls required for Level 3, which go above and beyond the NIST SP 800-171 requirements. Each CMMC 2.0 level requires an assessment, including a certification, as follows:
- Level 1 – Self-assessment (Federal Contract Information (FCI))
- Level 2 – Self-assessment or third-party assessment (depending on the level of CUI data)
- Level 3 – Third-party assessment (defense contractors and university researchers that work with CUI on DoD’s highest priority programs)
FCI is information that is not intended for public release and is not critical to national security but still requires protection (e.g., data provided by or generated for the government under a contract to develop or deliver a product or service to the government).
CUI is controlled unclassified information that is of high priority for DoD and requires safeguarding and dissemination controls pursuant to and consistent with federal law, regulations, and government policies.
The US Department of Education is ramping up enforcement of NIST SP 800-171 for universities where researchers are working with CUI on DoD prime contracts or subcontracts. This is difficult for universities because the requirement may apply only to a small department or a single division within the university. Compliance with CMMC will be required if there is funding on DoD contracts that involve CUI.
How is the final rule going to roll out?
Once the final rule is issued, the plan is to roll it out in two phases. Under Phase 1, if a solicitation contains the CMMC requirement (e.g., FCI data is required in the performance of the contract), all contractors and universities will need to conduct a Level 1 self-assessment and provide a positive affirmation or certification of compliance. If a prime contractor flows the clause down to a subcontractor and there is FCI, the subcontractor will also be required to prepare the Level 1 self-assessment. Once the self-assessment is performed, contractors and subcontractors will be required to upload the score into SPRS. Contractors and universities that are not registered in SPRS will need to create an account in order to upload the assessment.
The timing of Phase 2 has not been determined, but in Phase 2 solicitations will include a requirement for a self-assessment or a third-party assessment. Third-party assessments are performed for either Level 2 or Level 3, depending on the type of CUI data. DoD is looking at assigning different weights to the NIST SP 800-171 security controls that have to be met for a CMMC Level 2 assessment, but this will be addressed in the interim rule. Detailed results of the CMMC assessment will not be public.
Remember that, regardless of the CMMC 2.0 roll-out, DFARS 252.204-7012 already requires contractors to implement the NIST SP 800-171 security requirements on covered contractor information systems that contain covered defense information and to upload the score into the SPRS system.
We already performed our basic assessment under NIST SP 800-171, so we are good to go.
So, you say you are good to go. For now you most likely are, but remember the following. Your Information Technology (IT) department has implemented the NIST SP 800-171 security requirements on covered contractor information systems as required under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, by preparing the basic assessment, and has a plan of action and milestones. First, the basic assessment prepared using the NIST SP 800-171 criteria under DFARS 252.204-7012 is an internal self-assessment that can be signed by an employee at any level, perhaps an IT supervisor or manager. The score is required to be uploaded into the SPRS system, which is required before the government can issue a contract. Although there was no minimum score required, the government could assess a contractor’s cybersecurity risk as high and require the contractor to demonstrate that it was implementing its plan of action and meeting milestones to close gaps against the criteria.
Information solutions such as Microsoft 365 Commercial with SharePoint, or Gmail, do not comply with the CMMC Level 2 requirements, which we believe will be the common standard for most contractors. Contractors will need to adopt new platforms to achieve CMMC Level 2 and be awarded most government contracts, which may be a costly investment in both time and money.
We have plenty of time to go back and review our prior assessment for accuracy.
Even though the CMMC rule is not finalized, beware: big brothers (i.e., DoD, DCAA, DCMA, and even DOJ) are watching you as it relates to cybersecurity. First:
- Defense Pricing and Contracting issued a memorandum alerting Contracting Officers that contractors who do not comply with the DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requirements may be in “material” breach of contract terms, with remedies including withholding progress payments, foregoing options, and/or terminating contracts. This is addressed in Redstone’s blog dated August 11, 2022.
- The Department of Justice (DOJ) has launched the Civil Cyber-Fraud Initiative and is encouraging whistleblowers (yes, contractor employees) to come forward under the False Claims Act as a way of holding contractors accountable for misrepresenting cybersecurity practices or failing to report cybersecurity incidents. This is addressed in Redstone’s blog dated July 15, 2022.
Contractors should start the process sooner rather than later
We recommend that contractors and universities, led by the executives who will have to certify, take cybersecurity seriously and start taking action now, since implementation of CMMC 2.0 is right around the corner. Executives may think the IT staff has this under control, but the basic assessment performed under the NIST requirements was not certified as to the accuracy of its responses. IT may have scored full compliance for a security control that was still in process and had not been completed and validated as working, or may have taken a favorable position and added points before a milestone was actually reached. The executive should ensure there is a System Security Plan (SSP) in place or create one as soon as possible. The highest score on a NIST SP 800-171 basic assessment is 110. If your company does not have a score of 110, ensure that you have a plan of action and milestones with realistic dates and that you are moving forward with implementation, so that Contracting Officers do not consider your inaction a material breach of contract terms. The executive should review and ensure the accuracy of the information in the SSP, plan of action, and milestones, as they will be certifying the scores from the assessment uploaded into SPRS, possibly as early as May 2023.
Companies should consider updating their current score in SPRS if it is not accurate. Some companies may not have an Information Technology staff and may need to hire an outside consultant to assist in identifying the gaps in their security system. The amount of time needed to implement the requirements under CMMC will vary based on:
- the security maturity level at your company
- the resources available to perform the assessment
- the creation and implementation of the plan, and
- management buy-in to support the importance of the requirement
Contractor and university executives need to take cybersecurity compliance seriously, especially since DOJ is encouraging whistleblowers (contractor employees) to come forward.
Be Proactive and Send Comments When the Proposed and Interim Rules Are Issued
While the interim rule is scheduled to be issued in March 2023, there will be a comment period of 30 to 60 days. One of the proposed changes is to put a time frame on fixing any security gaps. Be on the lookout for the interim rule and take the opportunity to provide comments and request reasonable changes or clarifications before the rule becomes final.
Redstone GCI can provide our clients with more information and guidance in working with established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and POA&M work centered on the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution for ensuring that cybersecurity policy and flow-down requirements are accomplished across all aspects of the business, including but not limited to purchasing policy requirements.