![\"\"](\"https:\/\/tsisupport.com\/tsistaging\/wp-content\/uploads\/2022\/01\/table-security.jpg\")
<\/p>\nAs you may have heard, the recent changes to the CMMC requirements have caused many DIB contractors to rethink their compliance implementation strategies so we wanted to take this opportunity to help clarify some of the most common questions our own clients have been asking as well as share some critical- and not so obvious- insights to help steer your organization in the right direction during this provisional review period.<\/p>\n
One of the biggest takeaways from the latest town hall and the recently updated CMMC Assessors\u2019 Guide, is that any 3rd parties with access to CUI or infrastructure that houses CUI, which would include IT service providers to DIB contractors, will be required to adhere to the same CMMC compliance standards as your organization and will be under scope for assessments. What does this mean to your organization? In short, if your 3rd party IT services or IT support providers can\u2019t meet the rigors of the NIST 800-171 or CMMC frameworks, you may be exposing your organization to non-compliance which would ultimatley force you to find an alternative or complimentary IT provider that can meet those standards. For most organizations in this position, this would require a complete overhaul of all the hard work you\u2019ve accomplished and costly IT investments unless your MSP\/MSSP would be able to quickly pivot in time for your official assessment. From our own experience having been assessed by a provisional C3PAO and based on your level of compliance today, the process to become compliant takes any where from 6 months at the very minimum to do so, with very little time to address any gaps. If your MSP\/MSSP intends on becoming compliant, it\u2019s of the utmost importance that they\u2019re able to be CMMC certification ready in time of your own C3PAO, DIBCAC or DoD audit to avoid the risk of failing your own assessment.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/tsisupport.com\/tsistaging\/wp-content\/uploads\/2022\/01\/security-protection.jpg\")
<\/p>\n
The assumption that the CMMC 2.0 requirements won\u2019t require an independent 3rd party assessment is a bit misleading and should be clarified.\u00a0 As most DIBs will be required to accomplish CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3), including those that will be Level 3 required,\u00a0 there will be triennial CMMC C3PAO required assessments for Level 2 and DoD assessments for Level 3 DIBs, to attain a certification of compliance. Although the 3rd party assessment requirements have changed to a self assessment model, there is no indication that independently conducted assessments will be going away and if anything, they will be conducted in a far more regimented and frequent basis to ensure your organization is meeting the CMMC 2.0\u2019s standards and requirements.\u00a0 To help clarify what may be required of your organization;<\/p>\n
CMMC Level 1 (Foundational):<\/b> Will require DIB to self-assess.<\/p>\n
CMMC Level 2 (Advanced):<\/b> May require third-party or self-assessments, depending on the type of information\/CUI you possess. It may also:<\/p>\n CMMC Level 3 (Expert):<\/b> Will be assessed by government official<\/p>\n Although the 3rd party assessment requirements from CMMC v.1 have since changed to a self assessment model, the level of accountability to your organization\u2019s leadership have increased exponentially. Moving forward, any degree of perceived false attestations of an organization\u2019s compliance posture could be susceptible to the False Claims Act and present a number of legal and contractual conflicts that could negatively impact your organization. The DoD and Attorney General\u2019s office has made it abundtly clear that ignorance- whether unknowingly or intentional-\u00a0 to the NIST 800-171 or CMMC\u00a0 requirements, omission of details or misleading attestation of compliance will be susceptible to prosecution, so it\u2019s of utmost importance to ensure that your organization accurately represent the reality of your compliance posture to avoid legal and contractual issues.\u00a0 As part of the CMMC 2.0, accountability will shift completely to DIB executive leadership who will have to sign off attesting to their organization\u2019s compliance to these requirements. If your organization is relying on your IT team that may not have the experience or breadth of knowledge to provide an undeniably clear picture of your compliance posture, it may be a good idea to work with a 3rd party CMMC RPO that is also CMMC level compliant to assess your environment rather than conduct an internal self assessment.<\/p>\n In order to encourage DIBs to achieve CMMC compliance- as well as help minimize the impact of implementation costs-\u00a0 the CMMC 2.0 will provide POAMs and waivers to help. Similarly with NIST 800-171, the CMMC 2.0 will provide an opportunity for DIBs to create POAMs detailing the gaps with their compliance postures and on a limited basis, there may be DoD approved waivers exempting certain DIBs from accomplishing some of the CMMC 2.0\u2019s requirements. However, it\u2019s important to note that unlike NIST 800-171\u2019s POAMs, the CMMC 2.0\u2019s will be limited to 180 days at most and the waivers will only be provided to DIBs that are deemed critical to national security by a specific DoD official.\u00a0 Although the news of CMMC 2.0\u2019s POAMs and waivers are a welcome relief to many organizations, its of the utmost importance to understand that these are not meant to function as a justification to indefinitely postpone the implementation of the CMMC\u2019s requirements and will be only provided to a select few organizations where it\u2019s deemed necessary. At the end of the day, the degree of which the primes require your organization to be compliant will determine what needs to be accomplished and it’s important to note that moving forward, regardless of these provisions, the primes will be reviewing your SPRS score to determine the vendors they can ultimately work with. In short:<\/p>\n CMMC 2.0 will allow limited use of POA&Ms<\/b><\/p>\n Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk<\/b><\/p>\n This final point is arguably the most important. Of the 20 controls from CMMC v.1 Level 3 that were removed, the vast majority- if not all- will continue to be required but in a different iteration within CMMC 2.0. If you were in attendance to last month\u2019s CMMC Town Hall, John Elliot of the DIBCAC made it clear that these 20 controls will be added to subsequent versions of NIST 800-171 and that the security program document requirements will continue to be a primary focus for assessors for both NIST 800-171 and CMMC 2.0 assessments.\u00a0 DoD, DIBCAC and C3PAO assessors will continue to focus on the documentation requirements to ensure that all practices, procedures and processes are adequately detailed and that they accurately reflect an organization\u2019s compliance posture. Based on our own experience being assessed by a provisional C3PAO, the documentation was a primary area of focus for our assessor. In the event you\u2019re ever assessed and any documentation is either missing or not congruent with the reality of your compliance posture, you would have 180 days to remediate the issue. The obvious issue here is that if your contractual obligations require compliance within a tight timeframe, you will have to reschedule an assessment based on the assessors\u2019 schedule which could result in losing a contract opportunity. In a worst case scenario, if it\u2019s found that there was obvious misrepresentation of your compliance posture and\/or a breach resulting from a gap that was previously attested to as being addressed, you could be facing prosecution under the False Claims Act which presents a vast array of additional issues included bad press and\/or negative impact of an organization\u2019s reputation.<\/p>\n In the spirit of the proposed CMMC 2.0 revisions, its critically important to continue pursuing NIST 800-171 compliance in preparation to whatever changes that are ultimately codified. Regardless of what CMMC 2.0 revisions are approved, the NIST 800-171 framework is required from day one, so it\u2019s of the utmost important to address as many of the 110 requirements as possible so you\u2019re able to focus on any of the additional CMMC 2.0 controls that can take considerable time to implement. For DIBs that are currently working with MSP\/MSSP IT service providers, now is the time to have those hard conversations about their own plans to become NIST 800-171 and CMMC compliant so that all the hard work and investments you\u2019ve made to this point can bear fruit and position your organization for a successful auditing outcome. In brief, the CMMC and it\u2019s rigorous and extensive requirements aren\u2019t going away and now is the best time to strive toward NIST 800-171 compliance so that you\u2019re able to fulfill your existing contractual obligations as well as compete for those contracts that many of your competitors will likely fail to meet the requirements for.<\/p>\n For more information on how you can start preparing for NIST 800-171 compliance today or if you have any questions, please give us a call at 508-543-6979<\/a> or send us a message here to get started.<\/p>\n<\/div>\n\t<\/div>\n<\/div>\n\n
3. Your Executive Team Is More Accountable than Ever to Your Assessment & Compliance Posture
\n<\/b><\/h5>\n4. POAMs & Waivers Are Available- With a Catch!<\/b><\/h5>\n
\n
\n
5. Security Program Development & Management: CMMC 3 Is Still the Standard and Will be for CMMC 2.0
\n<\/b><\/h5>\nConcluding Thoughts<\/b><\/h4>\n
\n\t\n\t\t\t\t\t\t\t\t\n\t\t\n\n\t\t\t\n\t\n\t\n\t\t\n\t\tGet in Touch with TSI<\/span>\n\t<\/h3>\n\t<\/div>\n<\/div>\n
\n\t\n\t\t\n\t\n\t\n\t\t