CMMC – the New Protocol Droid for DoD Compliance

Written by Doug Barbin, Cybersecurity Practice Leader at Schellman & Company. Read the entire article below, or on the Cloud Security Alliance website.

The information presented here has been superseded by CMMC 2.0, which you can read about here.

A long time ago in a galaxy exactly like ours…There was 800-171.

For some time, the US Department of Defense has been working to revise its procurement regulations, the Defense Federal Acquisition Regulation Supplement, or DFARS. Most important among all the details are the requirements included in the regulations (under clause 252.204-7012), which mandate that defense contractors meet the NIST Special Publication (SP) 800-171 standard governing Controlled [but] Unclassified Information (CUI).


Episode I – The Mandated Requirement

NIST 800-171, unlike its broader cousin NIST 800-53, was written for non-government entities such as government contractors and service providers. Note that while NIST 800-171 is required for contractors, the DFARS regulation also requires the more comprehensive FedRAMP authorization for cloud service providers.


Episode II – The Rise of CMMC

The means to communicate NIST 800-171 compliance has always been inconsistent, with many service providers performing self-attestation, but earlier this year, the DoD made a presentation on a new model based on new revisions to the requirement. This new model includes a “certification” framework, and contractors and vendors who were once able to self-attest will now need third-party validation in 2020.

This proposed framework is called the Cybersecurity Maturity Model Certification, or CMMC.

The model, now on version 0.7, was most recently updated on December 6, 2019 and is available for review.

In terms of requirements, v0.7 now includes additional descriptions of CMMC levels, practices, and processes. Practices measure technical activities, while processes measure process maturity. Both practices and processes are cumulative across levels.



CMMC Level                                                                  New (Additional)          Total (Cumulative)
                                                                            Practices  Processes*     Practices  Processes*
Level 1 – Basic Cyber Hygiene with Performed Processes                          17          0             17          0
Level 2 – Intermediate Cyber Hygiene with Documented Processes                  55         51             72         51
Level 3 – Good Cyber Hygiene with Managed Processes                             59         34            131         85
Level 4 – Proactive Cybersecurity Program with Reviewed Processes               26         34            157        119
Level 5 – Advanced / Progressive Cybersecurity Program with Optimized Processes 16         34            173        153

* Up to 9 unique processes are required, depending on the CMMC level. The processes required at a given level are repeated across all 17 domains (which is why the process counts are multiples of 17).


Episode III – Oversight Awakens

Lastly, on October 3rd DoD issued an RFI to solicit accreditation bodies for CMMC. Note that this is not for audit firms like Schellman, but for an accreditation body that will oversee and audit the auditors. Within the request for information, the DoD disclosed that the auditors will now be referred to as CMMC 3rd Party Assessment Organizations (C3PAOs). Yes, you heard that correctly, though there’s been no word on Artoo Detoo.


Episode IV – A New Requisite

To summarize, here is what we know, based on the above data points:

  • Per the CMMC home page – “The CMMC level of certification required for each procurement will be specified in the RFI and RFP upon release. Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.”
  • The CMMC website also stated “Phase 1 of CMMC only applies to the contractor's networks and does not apply to their products.”
  • Version 0.7 actually decreased the number of required practices for each level from previous versions.
  • Future versions will provide tailored maturity processes based on domain. Currently, between zero and nine processes are required, depending on the CMMC level, and each process is required for all 17 domains.
  • The Undersecretary of Defense is expected to create an accreditation body to authorize C3PAOs. It would not be surprising should it come together similarly to FedRAMP, which requires 3PAOs to be accredited by A2LA.
  • To date, there still has been no guidance released on the content or format of CMMC or C3PAO deliverables—everyone remains in a holding pattern there.
  • CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020.

Given everything that’s already been disclosed, we believe CMMC will soon become a contracting requirement. In fact, the odds of it NOT achieving that status by the end of 2020 are…


About the Author

Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the firm's strong foundation in IT audit and assurance to make Schellman a market-leading, diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.
