CMMC – the New Protocol Droid for DoD Compliance

Written by Doug Barbin, Cybersecurity Practice Leader at Schellman & Company. Read entire article below, or on the Cloud Security Alliance website.

[Note – A week after this article was originally published, version .6 was released. We are now up to .7 and the following incorporates those updates.]

A long time ago in a galaxy exactly like ours…There was 800-171.

For some time, the US Department of Defense has been working to revise its funding procurement procedures referred to as the Defense Acquisition Regulation Supplement, or DFARS. Most important among all the details are the included requirements in the regulations (under 252.204-7012), which mandate that defense contractors meet the NIST special publication (SP) 800-171 standard that deals with Controlled [but] Unclassified Information (CUI).

Episode I – The Mandated Requirement

NIST 800-171, unlike its broader cousin NIST 800-53, was written for non-government entries such as government contractors and service providers. With that being said, though NIST 800-171 is required for contractors, the DFARS regulation also necessitates the more comprehensive FedRAMP authorization for cloud service providers.

Episode II – The Rise of CMMC

The means to communicate NIST 800-171 compliance has always been inconsistent, with many service providers performing self-attestation, but earlier this year, the DoD made a presentation on a new model based on new revisions to the requirement. This new model includes a “certification” framework, and contractors and vendors who were once able to self-attest will now need third-party validation in 2020.

This proposed framework is called the Cybersecurity Maturity Model Certification, or CMMC.

The model, now on version 0.7, was most recently updated on December 6, 2019 and is available for review.

In terms of requirements, v0.7 now includes additional descriptions of CMMC levels, practices, and processes. Practices measure technical activities and processes measure the maturity of processes. Practices and processes are cumulative.

* There are up to 9 unique processes required depending on CMMC level. The required processes for the CMMC level are repeated for all 17 domains.

Episode III – Oversight Awakens

Lastly, on October 3rd DoD issued an RFI to solicit accreditation bodies for CMMC. Note that this is not for audit firms like Schellman, but for an accreditation body that will oversee and audit the auditors. Within the request for information, the DoD disclosed that the auditors will now be referred to as CMMC 3rd Party Assessment Organizations (C3PAOs). Yes, you heard that correctly, though there’s been no word on Artoo Detoo.

Episode IV – A New Requisite

To summarize, here is what we know, based on the above data points:

• Per the CMMC home page – “The CMMC level of certification required for each procurement will be specified in the RFI and RFP upon release. Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.”
• The CMMC website also stated “Phase 1 of CMMC only applies to the contractor's networks and does not apply to their products.”
• Version 0.7 actually decreased the number of required practices for each level from previous versions.
• Future versions will provide tailored maturity processes based on domain. Currently there is a range of zero to nine required processes based on the CMMC level. Each process is required for all 17 domains.
• The Undersecretary of Defense is expected to create an accreditation body to authorize C3PAOs. It would not be surprising should it come together similarly to FedRAMP, which requires 3PAOs to be accredited by A2LA.
• To date, there still has been no guidance released on the content or format of CMMC or C3PAO deliverables—everyone remains in a holding pattern there.
• CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020.

Given everything that’s already been disclosed, we believe CMMC will soon become a contracting requirement. In fact, the odds of it NOT achieving that status by the end of 2020 are…

[1] https://www.quotes.net/mquote/91388

About the Author

Doug Barbin is a principal (co-owner) and firm-wide cybersecurity and compliance services leader where he spends most of his time developing, launching, managing, and adapting Schellman's attestation, compliance, and certification offerings. As such, he is privileged to work with many of the world's leading cloud computing, federal, FinTech, healthcare, AI, and security provider clients. Doug has more than 24 years’ experience and maintains multiple CPA licenses, along with CISSP, CIPP, ISO 27001 Lead Auditor, and QSA certifications. He is very active in industry organizations and regularly speaks and teaches on cloud security, AI, FedRAMP, and other compliance frameworks.

More Content by Douglas Barbin