5 CMMC 2.0 Updates You Need to Know!
As you may have heard, the recent changes to the CMMC requirements have caused many DIB contractors to rethink their compliance implementation strategies. We wanted to take this opportunity to clarify some of the most common questions our own clients have been asking, and to share some critical, and not so obvious, insights to help steer your organization in the right direction during this provisional review period.
1. Your MSP/MSSP IT Provider Needs to Be NIST 800-171 & CMMC Compliant
One of the biggest takeaways from the latest town hall and the recently updated CMMC Assessors’ Guide is that any 3rd parties with access to CUI, or to infrastructure that houses CUI, will be required to adhere to the same CMMC compliance standards as your organization and will be in scope for assessments. This includes IT service providers to DIB contractors. What does this mean for your organization? In short, if your 3rd party IT services or IT support providers can’t meet the rigors of the NIST 800-171 or CMMC frameworks, you may be exposing your organization to non-compliance, which would ultimately force you to find an alternative or complementary IT provider that can meet those standards. For most organizations in this position, this would require a complete overhaul of all the hard work you’ve accomplished and of costly IT investments, unless your MSP/MSSP is able to pivot quickly in time for your official assessment. From our own experience having been assessed by a provisional C3PAO, and depending on your level of compliance today, the process of becoming compliant takes 6 months at the very minimum, with very little time left over to address any gaps. If your MSP/MSSP intends to become compliant, it’s of the utmost importance that they are CMMC certification ready in time for your own C3PAO, DIBCAC or DoD audit, to avoid the risk of failing your own assessment.
2. 3rd Party Assessments Aren’t Going Away
The assumption that the CMMC 2.0 requirements won’t require an independent 3rd party assessment is a bit misleading and should be clarified. Most DIBs will be required to achieve CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3), including those that will be required to reach Level 3. To attain a certification of compliance, there will be triennial C3PAO assessments for Level 2 DIBs and DoD assessments for Level 3 DIBs. Although the 3rd party assessment requirements have changed to a self-assessment model, there is no indication that independently conducted assessments will be going away; if anything, they will be conducted on a far more regimented and frequent basis to ensure your organization is meeting CMMC 2.0’s standards and requirements. To help clarify what may be required of your organization:
CMMC Level 1 (Foundational): Will require DIB to self-assess.
CMMC Level 2 (Advanced): May require third-party or self-assessments, depending on the type of information/CUI you possess. It may also:
- Require third-party assessments for prioritized acquisitions: Companies will be responsible for obtaining an assessment and certification prior to contract award.
- Require self-assessments for other non-prioritized acquisitions: Companies will complete and report a CMMC Level 2 self-assessment and submit senior official affirmations to SPRS.
CMMC Level 3 (Expert): Will be assessed by government officials.
3. Your Executive Team Is More Accountable than Ever to Your Assessment & Compliance Posture
Although the 3rd party assessment requirements from CMMC v.1 have since changed to a self-assessment model, the level of accountability placed on your organization’s leadership has increased exponentially. Moving forward, any degree of perceived false attestation of an organization’s compliance posture could fall under the False Claims Act and present a number of legal and contractual conflicts that could negatively impact your organization. The DoD and the Attorney General’s office have made it abundantly clear that ignorance of the NIST 800-171 or CMMC requirements, whether unintentional or intentional, as well as omission of details or misleading attestation of compliance, will be subject to prosecution. It is therefore of the utmost importance to ensure that your organization accurately represents the reality of its compliance posture to avoid legal and contractual issues. As part of CMMC 2.0, accountability will shift completely to DIB executive leadership, who will have to sign off attesting to their organization’s compliance with these requirements. If your organization is relying on an IT team that may not have the experience or breadth of knowledge to provide an undeniably clear picture of your compliance posture, it may be a good idea to work with a 3rd party CMMC RPO that is itself CMMC level compliant to assess your environment, rather than conduct an internal self-assessment.
4. POAMs & Waivers Are Available, With a Catch!
In order to encourage DIBs to achieve CMMC compliance, as well as to help minimize the impact of implementation costs, CMMC 2.0 will provide POAMs and waivers. As with NIST 800-171, CMMC 2.0 will give DIBs the opportunity to create POAMs detailing the gaps in their compliance posture, and on a limited basis there may be DoD-approved waivers exempting certain DIBs from some of CMMC 2.0’s requirements. However, it’s important to note that unlike NIST 800-171’s POAMs, CMMC 2.0’s will be limited to 180 days at most, and the waivers will only be granted to DIBs that are deemed critical to national security by a specific DoD official. Although the news of CMMC 2.0’s POAMs and waivers is a welcome relief to many organizations, it’s of the utmost importance to understand that these are not meant to serve as a justification to indefinitely postpone the implementation of the CMMC’s requirements, and they will only be granted to a select few organizations where it’s deemed necessary. At the end of the day, the degree to which the primes require your organization to be compliant will determine what needs to be accomplished, and it’s important to note that moving forward, regardless of these provisions, the primes will be reviewing your SPRS score to determine which vendors they can ultimately work with. In short:
CMMC 2.0 will allow limited use of POA&Ms
- Strictly time-bound: Potentially 180 days; Contracting Officers can use normal contractual remedies to address a DIB contractor’s failure to meet their cybersecurity requirements after the defined timeline.
- Limited use: Will not allow POA&Ms for the highest-weighted requirements; will establish a “minimum score” requirement to support certification with POA&Ms.
Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk
- Only allowed in select mission critical instances: Government program office will submit the waiver request package including justification and risk mitigation strategies.
- Strictly time-bound, with timing to be determined on a case-by-case basis; Contracting Officers can use normal contractual remedies to address a DIB contractor’s failure to meet their cybersecurity requirements after the defined timeline.
- Will require senior DoD approval to minimize potential misuse of the waiver process. The limited use of POA&Ms and waivers could allow the Department and DIB companies the flexibility to meet evolving threats and make risk-based decisions.
5. Security Program Development & Management: CMMC 3 Is Still the Standard and Will be for CMMC 2.0
This final point is arguably the most important. Of the 20 controls from CMMC v.1 Level 3 that were removed, the vast majority, if not all, will continue to be required, but in a different iteration within CMMC 2.0. If you were in attendance at last month’s CMMC Town Hall, John Elliot of the DIBCAC made it clear that these 20 controls will be added to subsequent versions of NIST 800-171, and that the security program documentation requirements will continue to be a primary focus for assessors in both NIST 800-171 and CMMC 2.0 assessments. DoD, DIBCAC and C3PAO assessors will continue to focus on the documentation requirements to ensure that all practices, procedures and processes are adequately detailed and that they accurately reflect an organization’s compliance posture. Based on our own experience being assessed by a provisional C3PAO, documentation was a primary area of focus for our assessor. If you are ever assessed and any documentation is either missing or not congruent with the reality of your compliance posture, you would have 180 days to remediate the issue. The obvious problem here is that if your contractual obligations require compliance within a tight timeframe, you will have to reschedule an assessment around the assessors’ schedule, which could result in losing a contract opportunity. In a worst case scenario, if it’s found that there was obvious misrepresentation of your compliance posture, and/or a breach resulting from a gap that was previously attested to as being addressed, you could be facing prosecution under the False Claims Act, which presents a vast array of additional issues, including bad press and negative impact on your organization’s reputation.
In the spirit of the proposed CMMC 2.0 revisions, it’s critically important to continue pursuing NIST 800-171 compliance in preparation for whatever changes are ultimately codified. Regardless of which CMMC 2.0 revisions are approved, the NIST 800-171 framework is required from day one, so it’s of the utmost importance to address as many of the 110 requirements as possible, so that you’re able to focus on any of the additional CMMC 2.0 controls that can take considerable time to implement. For DIBs that are currently working with MSP/MSSP IT service providers, now is the time to have those hard conversations about their own plans to become NIST 800-171 and CMMC compliant, so that all the hard work and investments you’ve made to this point can bear fruit and position your organization for a successful audit outcome. In brief, the CMMC and its rigorous and extensive requirements aren’t going away, and now is the best time to strive toward NIST 800-171 compliance so that you’re able to fulfill your existing contractual obligations as well as compete for those contracts whose requirements many of your competitors will likely fail to meet.