CMMC – the New Protocol Droid for DoD Compliance
By Doug Barbin - Cybersecurity Practice Leader at Schellman & Company, LLC
A long time ago in a galaxy exactly ours… there was 800-171.
For some time, the US Department of Defense has been working to revise its funding procurement procedures referred to as the Defense Acquisition Regulation Supplement, or DFARS. Most important among all the details are the included requirements in the regulations (under 252.204-7012), which mandate that defense contractors meet the NIST special publication (SP) 800-171 standard that deals with Controlled [but] Unclassified Information (CUI).
Episode I – The Mandated Requirement
NIST 800-171, unlike its broader cousin NIST 800-53, was written for non-government entities such as government contractors and service providers. With that being said, though NIST 800-171 is required for contractors, the DFARS regulation also necessitates the more comprehensive FedRAMP authorization for cloud service providers.
Episode II – The Rise of CMMC
The means to communicate NIST 800-171 compliance has always been inconsistent, with many service providers performing self-attestation, but earlier this year, the DoD made a presentation on a new model based on new revisions to the requirement. This new model includes a “certification” framework, and contractors and vendors who were once able to self-attest will now need third-party validation in 2020.
This proposed framework is called the Cybersecurity Maturity Model Certification, or CMMC.
In terms of requirements, v0.4 now includes additional descriptions of levels and practices including:
- 35 practices to achieve level 1 maturity or “Basic Cyber Hygiene”
- 115 additional practices to achieve level 2 maturity or “Intermediate Cyber Hygiene”
- 91 additional practices to achieve level 3 maturity or “Good Cyber Hygiene”
- 95 additional practices to achieve level 4 maturity or “Proactive”
- 34 additional practices to achieve level 5 maturity or “Advanced Progressive”
Episode III – Oversight Awakens
Lastly, on October 3rd DoD issued an RFI to solicit accreditation bodies for CMMC. Note that this is not for audit firms like Schellman, but for an accreditation body that will oversee and audit the auditors. Within the request for information, the DoD disclosed that the auditors will now be referred to as CMMC 3rd Party Assessment Organizations (C3PAOs). Yes, you heard that correctly, though there’s been no word on Artoo Detoo.
Episode IV – A New Requisite
To summarize, here is what we know, based on the above data points:
- Version 0.4 further increased the number of required practices for each level.
- The Undersecretary of Defense is expected to create an accreditation body to authorize C3PAOs. It would not be surprising should it come together similarly to FedRAMP, which requires 3PAOs to be accredited by A2LA.
- To date, there still has been no guidance released on the content or format of CMMC or C3PAO deliverables—everyone remains in a holding pattern there.
- CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020.
Given everything that’s already been disclosed, we believe CMMC will soon become a contracting requirement. In fact, the odds of it NOT achieving that status by the end of 2020 are…