Supply Chain Defense
Pivoting on Compliance Efforts Under CMMC 2.0
By Amy Williams, PhD, CISSP, CMMC-PI, CMMC-RP – Senior Director of Proactive Services
The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to be addressed, and attempts to speculate on what might happen in the near future.
Structural Differences Between the Models
The most obvious change from reviewing the model above is that Levels 2 and 4 were eliminated in CMMC 2.0. This is no surprise as these two levels were always presented as a path to another level, and only levels 1, 3 and 5 were ever expected to be specified as a requirement in DoD contracts.
CMMC Levels 3 and 5 from CMMC 1.x are now Levels 2 and 3, respectively, in CMMC 2.0.
Any company with Controlled Unclassified Information (CUI) must comply at Level 2 of CMMC 2.0, but there will be changes to how compliance is achieved, and exactly what this looks like is yet to be determined.
Key Differences at Each of the New Levels
CMMC 2.0 Level 1:
Level 1 of CMMC 2.0 still includes 17 controls and is based on the FAR 52.204-21 requirements. Under CMMC 2.0, L1 companies can now self-assess, but they are required to register their scores in SPRS and are subject to the False Claims Act. (More about the possible impact of the False Claims Act in the final section).
CMMC 2.0 Level 2:
Level 2 in CMMC 2.0 essentially reverts compliance for companies holding CUI back to NIST 800-171, eliminating the additional 20 controls that were required under L3 CMMC 1.x.
All of CMMC 1.x’s maturity requirements (.997, .998 and .999) have also been eliminated in CMMC 2.0.
One of the biggest surprises is that companies at Level 2 will be bifurcated by the criticality of the CUI these companies hold. However, we still don’t have any guidance on what is considered critical CUI and, no pun intended, the definition of critical CUI is critical to helping many companies understand whether they will need to prepare for an assessment or whether they can bypass that expense and self-report their scores in SPRS.
Another major surprise is that POAMs and even waivers may be acceptable. This part of the announcement was quickly followed with generalizations stating that there will be guidelines and limits, but those details have not yet been clarified.
While we know that evidence requirements have been reduced, there are still no details yet on what will suffice as evidence for the 110 out of 130 controls that still remain.
For example, none of this week’s announcements address questions our clients have around topics such as FIPS requirements for encryption, or what level of MFA is sufficient (does Windows Hello suffice?), or what do you do if your critical cloud services that manage CUI are not FedRAMP – make them provide equivalency assurances or pivot your processes? The devil is still in the details.
CMMC 2.0 Level 3:
Level 3 in CMMC 2.0 is aligned with the requirements of NIST 800-172.
The biggest news around CMMC 2.0’s Level 3 is that these assessments will now be performed by the DIBCAC rather than by certified CMMC assessors. As has always been the case, we still have the least amount of clarity around how companies at this level should prepare.
Crystal Ball Gazing
Now for the fun part: speculating on what happens next.
On the supply side, the bifurcation of Level 2 companies will help alleviate the expected bottleneck resulting from the current shortage of assessors and C3PAOs. On the demand side, this strategy aligns with EO 14028 and the goal of reducing the attack surface on our most sensitive data around defense-related products and services by prioritizing the most sensitive data. Defining critical CUI needs to take place ASAP to help companies already preparing for assessment. Perhaps one of the most effective steps that the DoD could take immediately is to issue more effective guidance/training on CUI with clear definitions of what is critical.
It would also be helpful if the DoD made CMMC-AB style online training available to every company that needs to self-report, free of charge. There is already a tome that includes definitions and there is also some dry training that reinforces the definitions, but a lot of companies could benefit from examples to illustrate how CUI can originate in a contract, how it flows down, and through whom, effective examples of how to implement specific protections, etc.
Another really helpful step would be for the DoD to stop sending CUI when they don’t need to, and to more consistently and effectively labeling it when they do.
On a related note, the CMMC-AB members are already hinting in forums and on social media that companies will be allowed (or even encouraged) to proactively seek certification if they sit in an area where CUI criticality is less certain. There have been further hints that the bifurcation is temporary to ensure forward movement sooner rather than later. Effective, in-depth training for those who self-report would be a great foundation for transitioning companies from self-report to fully assessed.
One element of CMMC that has received little attention in the media is the pressure on prime contractors to understand and manage risk throughout their supply chains. We suspect that the move to self-reporting and the threat of an increase in lawsuits under the False Claims Act will increase pressure on primes to really understand the security posture of their subcontractors. Accordingly, perhaps some coalition of primes should work together to fund and develop adequate, unified training for meeting levels 1 and 2 of CMMC 2.0.
Another topic that deserves some crystal ball gazing is how CMMC 2.0 will impact compliance timelines. It is possible that CMMC 2.0 will accelerate the timeline by which companies will need to comply. CMMC 1.x specified that the requirements would be rolled out over a five-year period. CMMC 2.0 states that as soon as rule-making has been completed, which could take place within nine months, the rules will go into effect. Accordingly, companies that were thinking they had until 2024-2026 to comply may be looking at a requirement to comply by mid 2023.
Finally, there has been much discussion about CMMC being closely watched by other agencies as a model to emulate. The simplification of the rules increases the likelihood that more of the federal attack surface can be protected sooner than later. If making CMMC a simpler, more solid foundation also makes it implementable by more companies, that alone would be reason enough to make these changes.
Amy Williams is a BlueVoyant Senior Director of Proactive Services. For more information, please contact a CMMC expert at [email protected].