The new Cybersecurity Maturity Model Certification (CMMC) program has officially been announced. This will bring some significant changes or lack thereof, which will hopefully make the certification process much easier. This new iteration of the CMMC is known as CMMC 2.0 and seems to take some of the obstacles that small businesses face into consideration.
Click here to read the CMMC Model Overview
For small to mid-size businesses working towards CMMC compliance, we’d like to highlight some of the changes and what they might mean for your business.
New:
Plan of Action & Milestones (POA&Ms) will be allowed (with possible restrictions) for certification under certain, not-yet-defined circumstances. This is contrary to what CMMC 1.0 was initially trying to accomplish, which did not allow for POA&Ms at all for compliance.
What this means for you:
Organizations will have the ability to put a POA&M in place to address controls that they may not have implemented yet or have some weaknesses with. This will provide businesses with the time to address said controls while also being able to participate in DoD contracts. It is important to note that POA&Ms will be time-bound to hold organizations accountable in executing their action plans.
New:
CMMC 2.0 will have 3 levels instead of 5. CMMC 1.0 Levels 1 and 2 are now CMMC Level 1: Foundational. CMMC 1.0’s Level 3 is now Level 2 in CMMC 2.0: Advanced. Finally, the new Level 3 is the expert level (NIST SP800-172). Certain contractors under Level 2 still may need to have a C3PAO every 3 years depending on the information that is being handled.
Will third party Assessments and Certifications still be required?:
o CMMC 2.0’s Level 1 and a subset of Level 2 will be required to perform annual self-assessments but will be legally liable by recording their DIBCAC Scores within the DoD’s SPRS system annually.
o CMMC 2.0’s Level 2 will be required to undergo a third-party C3PAO Assessment and certification via the CMMC-AB. A portion of Level 2 contract programs will require triennial (Once every 3 years) third-party assessments.
o CMMC 2.0’s Level 3 will require triennial (Once every 3 years) DoD DIBCAC lead Assessments.
What this means for you:
This shows not much has changed since the original DFARS 252.204-7012 rule-making days. The requirement for DIB organizations handling CUI has always required NIST SP800-171, and now it includes a self-attestation with accountability and a 3rd party audit mechanism that is now based on the criticality of the CUI data being handled by the DIB organization. What the criticality determinations are is still not clearly understood yet. The DoD has always struggled to provide clear guidance on what is considered CUI for a contract program, adding a layer to that with regards to categorizing CUI based on its criticality may result in the same problem DIB organizations are experiencing with the lack of clear guidance from contract program managers and contracting officers.
New:
While the rules are being decided, the DoD is going to suspend the CMMC piloting efforts and DoD solicitation of contractors will not include CMMC requirements for participation.
What this means for you:
Organizations will not see CMMC compliance as a requirement for participation in DoD contracts until these rules are finalized. We, here at IntelliGRC, still recommend organizations do their best to meet the NIST 800-171 standards as all DIB organizations handling CUI data should have since 12/31/2017.
New:
The practices required for CMMC 2.0 Level 2 are aligned with the 110 security requirements defined in NIST (SP) 800-171 Rev.2.
What this means for you:
Organizations that are already complaint with NIST (SP) 800-171 Rev.2 should be prepared for assessment and pat themselves on the back for being ahead of most. Organizations can directly review NIST (SP) 800-171 Rev.2 for requirements of certification. It is also recommended to utilize the NIST SP800-171 assessment objectives and the mappings to NIST SP800-53 controls within the NIST SP800-171 publication while ensuring they also address the NIST SP800-53 NFO controls.
Yes, Policies and Procedures were always expected with NIST SP800-171. Many believed this was something new with CMMC because CMMC assessment guides and process maturity requirements identified documented policies and procedures as requirements to be assessed. Also, before with NIST SP800-171, it was not clearly spelled out to have written policies and procedures and there were no 3rd party assessment required to assess these requirements. However, those that are familiar with the DoD DIBCAC’s assessment of NIST SP800-171 know that DIBCAC auditors did require reviews of relevant policies and procedures for NIST SP800-171.
New:
CMMC 2.0 will have a provision for waivers of the contractual CMMC requirements which must be approved by DoD senior personnel and will only be granted under limited circumstances. These waivers apply to the entirety of the CMMC requirement, but they will expire after certain conditions are met. This is also not entirely new with DFARS 252.204-7012, and its invocation of NIST SP800-171 allowed waivers if It was approved by the DoD CIO. The process details of waivers under CMMC 2.0 is not clearly understood yet.
What this means for you:
Organizations will be able to request that CMMC requirements be temporarily waived and still participate in certain contracts. It is however anticipated that the approval of these waivers will be extremely limited and restrictive.
New:
The documentation requirements are slightly reduced to only those mentioned in NIST SP 800-171 Rev. 2 requirements rather than the 17 CMMC 1.0 Level 3 Domains.
What this means for you:
It is now only required to have the documented policies and procedures defined in the NIST SP. 800-171 Rev.2 which also references NIST (SP) 800-53 NFO tailored controls. Well-documented policies and procedures are still and will always be recommended as they are crucial functional documents for continuity of business.
Our team at IntelliGRC is always pleased to support our SMB DIB colleagues with this ever-changing cybersecurity landscape. If you have questions or would like more information about our assessment and consulting services, please contact us or email us at info@intelligrc.com.
