
The release of CMMC 2.0 from the Department of Defense last month brings many changes to the CMMC framework. There are some positives, some negatives (in my opinion), and strangely for a final document, still a lot of unknowns.
We’ve held off writing a post about 2.0 because additional documentation, such as new assessment guides and scoping documentation, was due to be released by the end of November. Since that has not materialized and will likely not before year end, it’s time to summarize what we learned at the release, what additional information has come out since the announcement, and what we still need to know.
The Known…ish. The model is still subject to final rulemaking, so even these pieces can change, but they seem solid.
Our take: Levels 2 and 4 were never destined for DoD contracts and were put in place to make the old jumps from 1->3->5 less daunting. But they served no meaningful purpose so eliminating them does simplify the model.
Our take: At first blush this seems less than ideal, especially since the 20 practices address some real shortcomings in NIST SP 800-171. In further discussions, it has been revealed that one reason for removing these practices and adhering strictly to NIST SP 800-171 is to make it easier for other government agencies to adopt the CMMC requirements. I’m sure there were some in the DIB who chafed at the cost of implementing more controls, so this placates them too. There have been suggestions that some of the 20 will come back, but only through revisions to NIST SP 800-171. NIST documents are constantly under revision, so this is likely.
Our take: This is a welcome change! The “all or nothing” approach of CMMC 1.0 did not leave much wiggle room for an assessor to work with an organization with minor deficiencies. This gives the organization time to fix a minor practice issue and still pass its assessment. There will be some practices that are a hard “go/no go” requirement and will not be “POAM-able,” but these have not been defined yet. We can assume these will be the higher-scoring deductions from the NIST SP 800-171 self-assessment scoring matrix.
Our take: This was by far the most concerning and controversial change to CMMC. Recognizing that self-attestations are problematic was the primary driver for the creation of the CMMC in the first place. Some organizations took the NIST SP 800-171 self-attestations seriously, and a few even got it right. But a large number of those who tried to take it seriously simply didn’t understand the requirements and had no incentive to get help. We also know that many organizations simply ignored the requirements until the prime contractors began forcing the issue. [We have experience with a number of companies that optimistically believed their SPRS score was 100+ only to realize they were actually in the low teens, if not negative.]
What we have learned since the announcement is that this is a way to slow down the assessment process to allow more CMMC Assessors to become available to conduct the assessments. Eventually, the number of exempted Level 2 assessments will drop off.
We have been told that waivers will be granted only in very specific cases and will be time-based. This makes sense, as the DoD could find itself in a crunch for a sole-sourced component and can’t have it held up for CMMC. They needed a way out in these specific circumstances.
There is also some discussion of making Level 1 assessments available on a voluntary basis. This is a smart move for organizations that recognize that cybersecurity is becoming a leading issue for suppliers and that an external assessment is a lot more valuable than a self-attestation. The same goes for any Level 2 organization.
Our take: We are neutral on these changes. On the one hand, it removes a very subjective part of the assessment process, where the assessor was supposed to figure out whether the organization had really “institutionalized” a practice or had simply installed something yesterday. On the other hand, policies and procedures are key components of a cybersecurity program. NIST SP 800-171 has a specific requirement for a System Security Plan, but what about policies and procedures? We are waiting for clarity on this, and perhaps we will have to wait for the CMMC 2.0 Assessment Guides.
How do we meet practices now? The new assessment guides are past due. If all they were doing was stripping away the 20 requirements, they would be done by now. So here’s hoping they did some additional work too. Perhaps the new assessment guides will require more from a Level 2 company than a Level 1 company for the Level 1 practices and provide clarity on policies and procedures.
When will we need to be compliant? Even CMMC 2.0 is tentative until the final rulemaking takes place. The DoD is drawing up the policy now; it will then enter a mandatory 60-day public comment period and will then have to be approved. At best, this will take 9 months, and at worst 2 years. Best estimates are somewhere in the middle.
Will there be any assessments done before final rulemaking? The DoD is working on an incentive program to persuade interested organizations to assess and certify before the final rule takes effect. What those incentives will be is anyone’s guess, but they are hoping to avoid a flood of assessment requests once the rulemaking is final.
Who will need Level 2 assessments and who will self-attest? That’s a real sticking point right now, and we simply don’t know how they’ll draw the line. What is low-risk CUI? Why is it called CUI at all if it’s not as critical? It’s really a poor distinction, since most companies have a hard time identifying what CUI they have in the first place. The DoD has admitted there is opportunity for improvement in its CUI labeling practices.
Should we just wait? No. If you are thinking about CMMC, you are almost certainly already subject to a DFARS or FAR clause that is already in place. In other words, the name is changing, but you are already supposed to be doing it!
Why else? The False Claims Act, or the whistleblower law, has repeatedly come up during the discussions of CMMC 2.0. It gives an employee a financial incentive to sue you on behalf of the government if you are defrauding the government. For example, if you knowingly report an incorrect NIST SP 800-171 score in SPRS, or self-attest compliance with CMMC when you are not in fact compliant, the employee can sue, is protected from retaliation, and gets the money.
By the way, the bad guys also aren’t waiting another 9-24 months. Hackers, organized crime, and our enemies abroad are working very hard right now to gain access to your systems.
All Content © 2023 Monarch ISC