By now, we all know the Department of Defense (DoD) and the CMMC Accreditation Body (CMMC AB) have had a course correction…and many consider it a near about-face. At the beginning of November, the DoD announced a 2.0 version of CMMC, which removed levels 2 and 4 from CMMC 1.0/1.2 as well as its maturity requirements. The DoD also noted that not all companies will be required to complete a third-party assessment. Those are significant changes. We covered many of the additional changes to the standard in our previous blog post, so be sure to check those out as well.
As time progresses, we are getting more information about CMMC 2.0 and what it means for the Defense Industrial Base (DIB). Below are some items we have learned since the initial announcement.
With the announcement that POAMs will be permitted in CMMC 2.0, there was a collective sigh of relief from many within the DIB. While a POAM may provide more time and flexibility in your strategy, it is not a blank check. I had a conversation with a company recently that wants to shift several security-related items to a POAM in order to avoid some investment. If you are considering this approach as well, it could be a dangerous strategy. While the DoD is still finalizing the criteria for POAMs, the guidance we are currently hearing is that POAMs will not be available as a blanket option. The thinking is that while POAMs will be made available for specific exceptions, they will not be accepted carte blanche, and they will also carry both time and scope limits.
Who are the lucky ones that will require a third-party assessment? The honest answer is… the DoD is not yet sure. The removal of the universal third-party assessment was reportedly made to address CMMC ecosystem scalability and sustainment. The guidance today is that the scope of third-party assessments will vary. At the outset, prioritized acquisitions (which have not yet been defined) will require a third-party assessment. Further, as the number of certified third-party assessment organizations (C3PAOs) increases, so too will the scope of contracts requiring triennial third-party assessments. There is a two-fold benefit to this change: now that the (new) Level 2 requirement is more closely aligned to NIST 800-171, C3PAOs will have greater familiarity with the standard, and they will also have an easier time being accredited under CMMC. CMMC 1.0 created a logjam of C3PAOs that sought certification but could not get through the audit themselves. With a lower threshold, more C3PAOs should make it through CMMC certification, and the ecosystem should therefore grow at a faster rate. A larger ecosystem may also translate into more cost-effective certification efforts.
What will this mean for the defense contractors themselves? We’ve seen several reports that the number of companies that will eventually require a third-party assessment is still around 40,000. The guess is – and this is just a guess – that if your business is directly involved in anything related to warfighting capability (e.g., manufacturing), you will eventually need an assessment.
CMMC is Popular (at least with the Feds)
Those are three words I did not anticipate combining…yet here we are. CMMC is indeed popular within the federal government; at its recent town hall, the CMMC AB hinted that CMMC may even be adopted by other U.S. government agencies. Additionally, other allied countries, including France, have inquired about the model and how they might adopt it as well. We shall see where that goes.
CMMC: A Volunteer Program That Isn’t (Completely) Voluntary
Yes, that’s right. At this point in time, CMMC 2.0 is still technically a voluntary program. The DoD has outlined an interim period of voluntary compliance which may last anywhere between nine and 24 months. It is certainly not lost on anyone that nine to 24 months is a very wide stretch of time: for many organizations it is the difference between making huge changes yesterday and taking a more methodical approach. We believe this “volunteer” period should be taken with a grain of salt for a few reasons. First, given that we have already seen significant modifications to CMMC, this time frame could change. In addition, most organizations that store or process CUI are still contractually required to be compliant with NIST 800-171 (via DFARS 7012); there’s nothing voluntary about that. While the details of CMMC will continue to change, the core of the standard remains the same. NIST 800-171 has always been the foundation of CMMC for an organization that stores or processes CUI.
If your company currently stores or processes CUI and you are not yet compliant with NIST 800-171, now is a good time to start. If you are just entering the DIB, or perhaps changing your engagement and will soon store or process CUI, you will be required to achieve CMMC certification. Regardless of when the voluntary period ends, now is a good time to start.
While this voluntary program may not seem so voluntary, the DoD is attempting to sweeten the deal. According to the CMMC AB, the DoD is adding incentives for organizations that gain certification during the initial voluntary period. While the incentives are not yet known, it’s interesting to see the DoD exploring this route. We believe the DoD is thinking about its supply chain and wants to ensure that there are plenty of accredited suppliers available once the CMMC rule is finalized and becomes compulsory. Hopefully more information on any incentives will be available soon, as they could be a valuable tipping point into compliance for some organizations.
Whether you are trying to meet your current obligation (i.e. DFARS 7012) or preparing for CMMC 2.0, the NIST 800-171 standard is the target you should pursue. Meeting this objective is not an overnight event. It takes time to define your data, build a strategy and deploy the proper technologies. If you are starting from effectively zero, you should plan for at least six months before you approach a compliant environment. This means you can’t afford to wait any longer.
At C3 we have a history of helping organizations with their technology needs in support of NIST 800-171 and CMMC. We have a unique vision of technology that is geared towards your compliance needs while also bolstering your security. To learn more about CMMC 2.0 and how we can help you achieve compliance, please contact us at firstname.lastname@example.org.
Scott Whitehouse is a Senior Systems Consultant at C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Scott is part of C3’s Projects Team and focuses on Microsoft Office 365 Engineering, including Intune, EM+S, and Compliance.