The US DoD remains committed to safeguarding sensitive national security information by protecting the defense industrial base (DIB) from increasingly frequent and complex cyberattacks. The agency has recently released the CMMC 2.0 framework, based on 850+ public comments received in response to the interim DFARS rule. The new framework simplifies the program and improves overall governance. While the framework has further reduced the number of controls required, it has not compromised its focus on “maturity”. In spirit, doing a few things well first is better than trying to do many things without assurance of quality across all of them.
The key differences and implications for contractors are summarized in the following table:
· The number of practices/controls required for certification has been reduced for many contractors that are exposed to controlled unclassified information (CUI). This should result in an overall reduction in cybersecurity and compliance cost.
· Contract awards are possible with a Plan of Action and Milestones (POA&M) and a commitment to achieve the milestones within an agreed-upon timeline, as opposed to needing certification in order to bid on a contract.
· Eliminating third-party assessments for Level 1 and for a subset of Level 2 certifications allows contractors that have the internal capability to perform assessments in compliance with the CMMC Assessment Guide to avoid the cost of an external audit. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The self-attestation essentially shifts the accountability, and the associated liability, to the contractor for ensuring that the assessment is performed to the CMMC standard and that the requirements are met. There is a difference between a CMMC assessment and a “Basic Assessment” as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements: the Basic Assessment yields a confidence level of “Low” compared with what is required under a CMMC assessment. Contractors wishing to pursue the self-assessment and self-attestation route should be mindful of these differences and the resulting liabilities.
· The new framework reduces unnecessary reliance on roles, entities and certifications such as RP, RPO, LPP, and LTP that were created by the CMMC-AB. The program will use CMMC-AB certified CMMC 3rd Party Assessment Organizations (C3PAO) and CMMC Assessors and Instructors Certification Organizations (CAICO), provided that the CMMC-AB is ISO/IEC 17011 compliant. Level 3 assessments will be government-led, and the government can potentially contract with a C3PAO or other entities. The DoD will govern, and likely approve, how and when a CMMC Assessor can engage with contractors.
· While CMMC 2.0 appears to have eliminated all maturity processes, the spirit of maturity is still intact within the assessment procedure. The assessment procedure involves evaluating the specifications, mechanisms, activities and individual(s) associated with each CMMC practice for the assets in scope. The assessment methods include examining documentation (which provides evidence of intent), interviewing staff (which evaluates the belief that the practice exists), and testing (which validates existence and effectiveness). Where an entity inherits a practice objective, the assessor will have to obtain adequate evidence of the effectiveness of the practice in that entity via testing. While a certified assessor is not required to use all objects and methods, s/he can use all of them to gain confidence that the CUI requirements have been satisfied. In other words, for CMMC Level 3 certification the assessor can assess for maturity processes up to Level 5 (i.e., having KPIs, noting improvements, and reporting mechanisms to senior executives for high-risk items). Assets include all things of value, such as people, processes, systems, organizations, etc., and they are considered in scope if they can process, store or transmit CUI, connect to CUI assets, or provide a security function.
· A subcontractor will be assigned the same CMMC level as the prime contractor if it handles the same type of FCI and CUI. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
In summary, CMMC 2.0 does not change the need for rigor in cybersecurity across the DIB. It reduces some practices, and hence the associated cost, and it offers some flexibility by allowing an organization to win a contract with a POA&M and to perform self-assessments where appropriate. There is no reason for companies to wait for an official rule before following the framework, at least up to Level 2 certification (Level 3 details are yet to be confirmed). We know that hackers have been targeting the aerospace and defense industries for years. Early adoption of the framework will ensure robust enterprise cybersecurity and put companies ahead of the game for DoD contracts. Overall, CMMC 2.0 remains focused on maturity, simplifies the program, streamlines governance, and potentially reduces the cost of compliance.
ResiliAnt offers an easy-to-use platform that organizations can use to ensure compliance with CMMC as well as NIST SP 800-171 DoD Assessment, and manage their cybersecurity related risks in a cost-effective manner. To attend our webinars or learn more about our platform, email us at info@ResiliAnt.co.