RGCI - One More Required Company Executive Certification Under CMMC 2.0

CMMC was put on hold until recently, but is rolling forward again at high speed. DoD held a CMMC Day Conference in May 2022 stating its goal of submitting a proposed rule in July 2022 (no proposed rule to date) and issuing two interim final rules by March 2023. If DoD is able to stay on track (which does not appear to be the case) and issue the interim final rule by March 2023, contractors could start seeing CMMC requirements in solicitations soon after.

What’s the difference between the basic assessment under NIST and the self-assessment under CMMC 2.0?

While the CMMC self-assessment is similar to the basic assessment performed using the criteria in NIST SP 800-171, the biggest difference rolling out with CMMC 2.0 is that a company or university executive will certify the accuracy of the CMMC scores uploaded into the Supplier Performance Risk System (SPRS) and will be held accountable for the validity of the score. DoD is planning to establish a minimum SPRS score and a time frame for implementing the security controls in the plan of action. It is likely that DCAA auditors will see a nexus and get involved. The planned changes are discussed below.

What are the types of assessments/certifications?

If you recall, CMMC 2.0 reduced the number of CMMC maturity levels from 5 to 3. The CMMC 2.0 realignment has brought the Level 1 and Level 2 requirements and the NIST SP 800-171 security controls into alignment. DoD is still working on the specific security controls required for Level 3, which are above and beyond the NIST SP 800-171 requirements. Each CMMC 2.0 level requires an assessment, including a certification, as follows:

  • Level 1 – Self-assessment (Federal Contract Information (FCI))
  • Level 2 – Self-assessment or third-party assessment (depending on the level of CUI data)
  • Level 3 – Third-party assessment (defense contractors and university researchers that work with CUI on DoD’s highest-priority programs)

FCI is information that is not intended for public release and requires protection, but is not critical to national security (e.g., data provided to or generated for the government under a contract to develop or deliver a product or service to the government).

CUI (controlled unclassified information) is information that is of high priority for DoD and requires safeguarding and dissemination controls pursuant to and consistent with federal law, regulations, and government policies.

The US Department of Education is ramping up enforcement of NIST SP 800-171 for universities where researchers are working with CUI on DoD prime contracts or subcontracts. This is difficult for universities because it may apply to only a small department or one division within the university. Compliance with CMMC will be required if there is funding on DoD contracts that involve CUI.

How is the final rule going to roll out?

Once the final rule is issued, the plan is to roll it out in two phases. Under Phase 1, if a solicitation contains the CMMC requirement (e.g., FCI data is required in the performance of the contract), all contractors and universities will need to conduct a Level 1 self-assessment and provide positive affirmation or certification of compliance. If a prime contractor flows the clause down to a subcontractor and there is FCI, the subcontractor will also be required to prepare the Level 1 self-assessment. Once the self-assessment is performed, contractors and subcontractors will be required to upload the score into SPRS. Contractors and universities that are not registered in SPRS will need to create an account to upload the assessment.

The timing of Phase 2 has not been determined, but in Phase 2 solicitations will include a requirement for a self-assessment or third-party assessment. Third-party assessments are performed for either Level 2 or Level 3, depending on the type of CUI data. DoD is looking at assigning different weights to the NIST SP 800-171 security controls that have to be met for a CMMC Level 2 assessment, but this will be addressed in the interim rule. Detailed results of the CMMC assessment will not be public.

Remember that, regardless of the CMMC 2.0 roll-out, DFARS 252.204-7012 already requires contractors to implement the NIST SP 800-171 security requirements on covered contractor information systems that contain covered defense information and to upload the score into SPRS.

We already performed our basic assessment under NIST SP 800-171, so we are good to go.

So you say you are good to go. For now, most likely you are, but remember the following. Your Information Technology (IT) department has implemented the NIST SP 800-171 security requirements on covered contractor information systems as required under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, by preparing the basic assessment, and has a plan of action and milestones. First, the basic assessment prepared using the NIST SP 800-171 criteria under DFARS 252.204-7012 is an internal self-assessment that can be signed by an employee at any level, perhaps an IT supervisor or manager. The score is required to be uploaded into SPRS before the government can issue a contract. Although no minimum score was required, the government could assess a contractor’s cybersecurity risk as high and require the contractor to demonstrate that it was implementing its plan of action and meeting milestones to close gaps against the criteria.

Information solutions such as Microsoft 365 Commercial and SharePoint service or Gmail do not comply with CMMC Level 2 requirements, which we believe will be the common standard for most contractors. Contractors will need to adopt new platforms to achieve CMMC Level 2 and be awarded most government contracts, which may be a costly investment in both time and money.

We have plenty of time to go back and review our prior assessment for accuracy.

Even though the CMMC rule is not finalized, beware: big brothers (i.e., DoD, DCAA, DCMA, and even DOJ) are watching you when it comes to cybersecurity. Consider the following:

  • Defense Pricing and Contracting issued a memorandum alerting Contracting Officers that contractors who don’t comply with the DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requirements may be in “material” breach of contract terms, with remedies including withholding progress payments, forgoing options, and/or terminating contracts. This is addressed in Redstone’s blog dated August 11, 2022.
  • The Department of Justice (DOJ) has launched the Civil Cyber-Fraud Initiative and is encouraging whistleblowers (yes, contractor employees) to come forward under the False Claims Act as a way of holding contractors accountable for misrepresenting cybersecurity practices or not reporting cybersecurity incidents. This is addressed in Redstone’s blog dated July 15, 2022.

Contractors should start the process sooner rather than later

We recommend that contractors and universities, under the leadership of the executives who will have to certify, take cybersecurity seriously and start taking action now, since implementation of CMMC 2.0 is right around the corner. The executives may think the IT staff has this under control, but the basic assessment performed under the NIST requirements was not certified as to the accuracy of the responses. Perhaps IT scored full compliance for a security step that was still in process and had not been completed and validated as working, or took a favorable position and added points before hitting a milestone. The executive should ensure there is a System Security Plan (SSP) in place or create one as soon as possible. The highest score on a NIST SP 800-171 basic assessment is 110. If your company does not have a score of 110, ensure that you have a plan of action and milestones with realistic dates and that you are moving forward with implementation, so Contracting Officers don’t consider your inaction to be a material breach of contract terms. The executive should review and ensure the accuracy of the information in the SSP, plan of action, and milestones, as they will be certifying the scores from the assessment uploaded into SPRS possibly as early as May 2023.

Companies should consider updating their current score in SPRS if it is not accurate. Some companies may not have an information technology staff and may need to hire an outside consultant to assist in determining the gaps in their security controls. The amount of time needed to implement the requirements under CMMC is going to vary based on:

  • the security maturity level at your company,
  • the resources available to perform the assessment,
  • the creation and implementation of the plan, and
  • management buy-in to support the importance of the requirement.

Contractor and university executives need to take cybersecurity compliance seriously, especially since DOJ is encouraging whistleblowers (contractor employees) to come forward.

Be Proactive and Send Comments When the Proposed and Interim Rules Are Issued

While the interim rule is scheduled to be issued in March 2023, there will be a comment period of 30-60 days. One of the proposed changes is to put a time frame on fixing any security gaps. Be on the lookout for the interim rule and take the opportunity to provide comments and request reasonable changes or clarifications before the rule becomes final.

Redstone GCI can provide our clients with more information and guidance, and works with established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and Plan of Action and Milestones (POA&M) development for the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution to ensure that cybersecurity policy and flow-down requirements are accomplished in all aspects, including but not limited to purchasing policy requirements.


Written by Lynne Nalley, CPA


