
CMMC – the New Protocol Droid for DoD Compliance

Published 11/06/2019

By Doug Barbin - Cybersecurity Practice Leader at Schellman & Company, LLC

A long time ago in a galaxy exactly ours… there was 800-171.

For some time, the US Department of Defense has been working to revise its funding procurement procedures referred to as the Defense Acquisition Regulation Supplement, or DFARS. Most important among all the details are the included requirements in the regulations (under 252.204-7012), which mandate that defense contractors meet the NIST special publication (SP) 800-171 standard that deals with Controlled [but] Unclassified Information (CUI).

Episode I – The Mandated Requirement

NIST 800-171, unlike its broader cousin NIST 800-53, was written for non-government entities such as government contractors and service providers. With that being said, though NIST 800-171 is required for contractors, the DFARS regulation also necessitates the more comprehensive FedRAMP authorization for cloud service providers.

Episode II – The Rise of CMMC

The means to communicate NIST 800-171 compliance has always been inconsistent, with many service providers performing self-attestation, but earlier this year, the DoD made a presentation on a new model based on new revisions to the requirement. This new model includes a “certification” framework, and contractors and vendors who were once able to self-attest will now need third-party validation in 2020.

This proposed framework is called the Cybersecurity Maturity Model Certification, or CMMC.

The model, now on version 0.4, was most recently updated on August 30, 2019. For more details, see the August 30, 2019 briefing document, as well as the latest Criteria v 0.4 – August 30, 2019.

In terms of requirements, v0.4 now includes additional descriptions of levels and practices including:

  • 35 practices to achieve level 1 maturity or “Basic Cyber Hygiene”
  • 115 additional practices to achieve level 2 maturity or “Intermediate Cyber Hygiene”
  • 91 additional practices to achieve level 3 maturity or “Good Cyber Hygiene”
  • 95 additional practices to achieve level 4 maturity or “Proactive”
  • 34 additional practices to achieve level 5 maturity or “Advanced Progressive”

Episode III – Oversight Awakens

Lastly, on October 3rd the DoD issued an RFI to solicit accreditation bodies for CMMC. Note that this is not for audit firms like Schellman, but for an accreditation body that will oversee and audit the auditors. Within the request for information, the DoD disclosed that the auditors will now be referred to as CMMC 3rd Party Assessment Organizations (C3PAOs). Yes, you heard that correctly, though there’s been no word on Artoo Detoo.

Episode IV – A New Requisite

To summarize, here is what we know, based on the above data points:

  • Version 0.4 further increased the number of required practices for each level.
  • The Undersecretary of Defense is expected to create an accreditation body to authorize C3PAOs. It would not be surprising should it come together similarly to FedRAMP, which requires 3PAOs to be accredited by A2LA.
  • To date, there still has been no guidance released on the content or format of CMMC or C3PAO deliverables—everyone remains in a holding pattern there.
  • CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020.

Given everything that’s already been disclosed, we believe CMMC will soon become a contracting requirement. In fact, the odds of it NOT achieving that status by the end of 2020 are…


[1] https://www.quotes.net/mquote/91388
