The release of CMMC 2.0 from the Department of Defense last month brings many changes to the CMMC framework. There are some positives, some negatives (in my opinion), and, strangely for a final document, still a lot of unknowns.
We’ve held off writing a post about 2.0 because additional documentation, such as new assessment guides and scoping documentation, was due to be released by the end of November. Since that has not materialized and will likely not before year end, it’s time to summarize what we learned at the release, what additional information has come out since the announcement, and what we still need to know.
The Known…ish. The model is still subject to final rulemaking, so even these pieces can change, but they seem solid.
Our take: Levels 2 and 4 were never destined for DoD contracts and were put in place to make the old jumps from Level 1 to 3 to 5 less daunting. But they served no meaningful purpose, so eliminating them does simplify the model.
Our take: At first blush this seems less than ideal, especially since the 20 practices (the CMMC 1.0 Level 3 practices that went beyond the 110 requirements of NIST SP 800-171) address some real shortcomings in NIST SP 800-171. In further discussions, it has been revealed that one reason for removing these practices and adhering strictly to NIST SP 800-171 is to make it easier for other government agencies to adopt the CMMC requirements. I’m sure there were some in the DIB who chafed against the cost of implementing more controls, so this placates them too. There have been suggestions that some of the 20 will come back, but only through revisions to NIST SP 800-171. NIST documents are constantly under revision, so this is likely.
Our take: This is a welcome change! The “all or nothing” approach of CMMC 1.0 did not leave much wiggle room for an assessor to work with an organization that had minor deficiencies. This gives the organization time to fix a minor practice issue and still pass its assessment. There will be some practices which will be a hard “go/no go” requirement and will not be “POAM-able,” but these have not been defined yet. We can assume these will be the practices carrying the higher point deductions in the NIST SP 800-171 DoD Assessment Methodology self-assessment scoring matrix (the 5-point items rather than the 1-point items).
Our take: This was by far the most concerning and controversial change to CMMC. Recognizing that self-attestations are problematic was the primary driver for the creation of the CMMC in the first place. Some organizations took the NIST SP 800-171 self-attestations seriously, and a few even got it right. But a large number of those who tried to take it seriously simply didn’t understand the requirements and had no incentive to get help. We also know that many organizations simply ignored the requirements until the prime contractors began forcing the issue. [We have experience with a number of companies that optimistically believed their SPRS score was 100 or better (out of a maximum of 110), only to realize they were actually in the low teens, if not negative.]
What we have learned since the announcement is that this is a way to slow down the assessment process to allow for more CMMC Assessors to become available to conduct the assessments. Eventually, the number of Level 2 organizations exempted from third-party assessment will drop off.
We have been told that waivers will be granted only in very specific cases and will be time-limited. This makes sense, as the DoD could find itself in a crunch for a sole-sourced component and can’t have it held up for CMMC. They needed a way out in these specific circumstances.
There is also some discussion of making Level 1 assessments available on a voluntary basis. This is a smart move for organizations that recognize that cybersecurity is becoming a leading issue for suppliers and that an external assessment is a lot more valuable than a self-attestation. The same goes for any Level 2 organization that is allowed to self-attest.
Our take: We are neutral on these changes. On the one hand, it removes a very subjective part of the assessment process, where the assessor was supposed to figure out whether the organization had really “institutionalized” a practice or had simply installed something yesterday. But having policies and procedures is a key component of a cybersecurity program. NIST SP 800-171 has a specific requirement for a System Security Plan, but what about policies and procedures? We are waiting for clarity on this, and perhaps we will have to wait for the CMMC 2.0 Assessment Guides.
How do we meet practices now? The new assessment guides are past due. If all they were doing was stripping away the 20 requirements, they would be done by now. So here’s hoping they did some additional work too. Perhaps the new assessment guides will require more from a Level 2 company than a Level 1 company for the Level 1 practices and provide clarity on policies and procedures.
When will we need to be compliant? Even CMMC 2.0 is tentative until the final rulemaking takes place. The DoD is drawing up the policy now; it will enter a mandatory 60-day public comment period and then will have to be approved. At best, this will take 9 months, and at worst 2 years. Best estimates are somewhere in the middle.
Will there be any assessments done before final rulemaking? The DoD is working on an incentive program to persuade interested organizations to assess and certify before the final rule takes effect. What those incentives will be is anyone’s guess, but the DoD is hoping to avoid a flood of assessment requests once the rulemaking is final.
Who will need Level 2 assessments and who will self-attest? That’s a real sticking point right now, and we simply don’t know how they’ll draw the line. What is “low risk” CUI? Why is it called CUI at all if it’s not as critical? It’s really a poor distinction, since most companies have a hard time identifying what CUI they have in the first place. The DoD has admitted there is opportunity for improvement in its CUI labelling practices.
Should we just wait? No. If you are thinking about CMMC, you are almost certainly already subject to a DFARS or FAR clause that is already in place (typically DFARS 252.204-7012 for CUI, or FAR 52.204-21 for basic safeguarding of Federal Contract Information). In other words, the name is changing, but you are already supposed to be doing it!
Why else? The False Claims Act, through its whistleblower (qui tam) provisions, has repeatedly come up during the discussions of CMMC 2.0. It gives an employee a financial incentive to sue you on behalf of the government if you are defrauding the government. For example, if you knowingly report an incorrect NIST SP 800-171 score in SPRS, or self-attest compliance with CMMC when you are not in fact compliant, the employee can sue, is protected from retaliation, and receives a share of any recovery.
By the way, the bad guys also aren’t waiting another 9 to 24 months. Hackers, organized crime, and our adversaries abroad are working very hard right now to gain access to your systems.