CMMC 2.0 in 2022

Words From the Author

Despite my many years working across the various disciplines under cybersecurity compliance, my imposter syndrome senses always start to tingle when the conversation turns toward federal government regulations. This compliance niche gets more complex and convoluted with each passing year. While there is very good information out there if you know where to look, it is still difficult to get the entire picture. That is why I set out to write this blog series which I hope can serve as a starting place for organizations who might be hearing CMMC, FAR, DFARS, or NIST 800-171 for the first time.

– Update October 14th, 2022 - Check out our new CMMC Assessment Template found here.

TLDR

As one of my esteemed colleagues pointed out, the information in this post is great, but extremely long and dense. For those of you who are busy, here are the highlights.

  • The Cybersecurity Maturity Model Certification (CMMC) is a new program currently under development which will give the Department of Defense a mechanism to evaluate the capabilities of contractors within the Defense Industrial Base (DIB) to protect Controlled Unclassified Information (CUI).
  • CMMC is a tiered model with increasingly advanced control sets and assessments based on the type of data a contractor is using to support a government contract:
    Level Data Type Control Framework Assessment Type
    1 Federal Contract Information (FCI) FAR 52.201-21 (17 Controls) Self-Assessment
    2 CUI Data NIST SP 800-171 (110 Controls) C3APO
    3 CUI Data from Critical Programs NIST SP 800-171 + NIST SP 800-172 (110+ controls) DoD Assessment (DIBCAC)
  • CMMC will not go into effect until the government completes the rule making process. This is estimated to be within 9-24 months from November 2021. DFARS 7012 and the interim rule are still the law of the land and NIST SP 800-171 assessments are currently required for DoD contracts.

Download our Free Assessment Workbook

What is CMMC?

We are going to start with CMMC despite the fact that it is actually the final piece of the puzzle. The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third-party assessment program used to evaluate the information security management controls and processes of contractors within the Defense Industrial Base (DIB). At the end of the day, the program will give the Department of Defense a mechanism to evaluate contractors’ capabilities to protect Controlled Unclassified Information (CUI). The CMMC program was originally announced in 2019 and grew out of issues with adherence to DFARS (Defense Federal Acquisition Requirement Supplement, more on this later) contract clauses.

Only a few sentences in and we are already at a point where it is important to understand other key components of federal contract laws in order to understand CMMC. We will get back to CMMC but who doesn’t love a good origin story?

Understanding FAR

I want to start off by saying that the information contained below only scratches the surface of the long and complex history of federal contract laws which resulted in where we are with CMMC in 2022. I would highly recommend checking out “The Fascinating History of CMMC as Told by Jacob Horne”. Jacob does an AMAZING job of tracing back the history of CMMC going all the way to the 9/11 Commission Report which preempted the presidential memorandums that would coin the term “CUI”, and set all of this fun stuff in motion.

In my experience, the FAR isn’t specifically addressed very often, but it is an important part of the picture. The FAR is the principal set of rules regarding Government procurement in the United States, and is codified at Chapter 1 of Title 48 of the Code of Federal Regulations, 48 CFR 1. It covers a majority of the contracts issued by the US military and NASA, as well as US civilian federal agencies. The largest single part of the FAR is Part 52, which contains standard solicitation provisions and contract clauses. Solicitation provisions are certification requirements, notices, and instructions directed at firms that might be interested in competing for a specific federal contract.

The section of FAR we are most concerned with is FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”, which is the contract clause covering “the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information”. FAR 52.204-21 consists of fifteen (15) basic requirements and procedures for protecting Federal Contract Information (FCI). This brings us to a new term which is worth understanding.

Federal Contract Information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

I found this nice graphic on the CUI Program Blog published by the National Archives which outlines the relationship between FCI and CUI which will be helpful as we get further into the CMMC world.

CUI/FCI Diagram

FCI/CUI Relationship from the CUI Program Blog

Finally, it’s important to note that this applies to all federal contracts unless explicitly excluded.

So now that we have a foundation to understanding FAR, what parts we are most concerned with, and what it applies to, how does FAR fit into the larger picture? Well, the fifteen controls outlined in FAR 52.201-21 also happen to make up CMMC level 1 (With some slight modification we will cover later). Additionally, those fifteen controls are also included within NIST 800-171.

Somehow, we have gotten this far without crossing NIST SP 800-171, which is probably the reason most of you are here. To jump right into those details, click here to see our NIST 800-171 article. Once again, it’s important to understand the drivers behind these various components, and if you are looking into NIST 800-171, you also want to understand DFARS.

Connect with an Expert

DFARS 7012 – Supplement to the FAR

Once again, I would point you to the video by Jacob Horne of Summit7 if you really want to understand the full picture and history of federal information security regulation, but in order to understand today’s topic, we can start in 2016.

Building off what we just covered on FAR, the purpose of the original FAR was to consolidate the numerous individual agency regulations under one comprehensive set of standards which would apply across the whole government. Supplemental regulations have subsequently been introduced, with one of the best-known examples being the Defense Federal Acquisition Regulation Supplement (DFARS), covering acquisition regulations for the Department of Defense.

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” was introduced in 2016 and amended in 2017. This provision required contractors to implement NIST Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” to safeguard covered defense information that is processed, stored, or transmitted on their internal information systems network.

I would recommend reading my full breakdown here (INSERT LINK TO DFARS 7012 ARTICLE), but at a high level 7012 states that:

  • All contractors must implement the NIST SP 800-171 control framework to protect any FCI/CUI related to execution and fulfillment of a DoD contract.
  • The DoD must mark or identify CUI provided to a contractor.
  • December 2017 deadline for implementation of NIST 800-171 controls.
  • Contractors are responsible for the NIST 800-171 implementation and no single prescribed method exists to implement.
  • Contractors must develop a System Security Plan (SSP) per NIST 800-171
  • Contractors must develop a plan of action and milestones (POAM) to address deficiencies per NIST 800-171.
  • Contractors must report all cybersecurity incidents related to the contract data to the DoD.
  • Prime contractors must include the DFARS 7012 clause in all sub contracts.

This all sounds great, right? Contractors will implement NIST 800-171, tell their subs to do the same and no more data will be lost. However, anyone familiar with infosec compliance can tell you, implementing something like NIST 800-171 is not a small task. Additionally, the clause lacked any teeth as this was all based on self-attestation. As a result, very few contractors actually implemented NIST 800-171 correctly, and the hacks continued over the next 3 years.

This brings us to mid 2019 when the National Defense Authorization Act of 2020 announces they are developing a new program to tackle the issues related to compliance with DFARS 7012 and the Cybersecurity Maturity Model Certification is born!

DFARS Case 2019-D014

In fall 2020 we get the DFARS 70s series expansion and the Interim Rule outlined in DFARS Case 2019-D014. This is a long document but the key takeaways are the newly required DFARS clauses and Interim Rule which went into effect November 30th 2020.

I am releasing detailed breakdowns of each clause (7019, 7020, 7021), but at a high level, here is a summary:

DFARS 7019 – Prior to contract reward, contractors must complete and submit a NIST SP 800-171 assessment for any system which stores, processes, transmits CUI data which would be leveraged to supply the services related to the contract. The outputs of this assessment are a System Security Plan (SSP), Plan of Action and Milestones (POAM), and summary level score which can be calculated using a DoD released methodology. The results of the assessment must be posted in the Supplier Performance Risk System (SPRS).

DFARS 7020 – Contractors are required to provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessments, as described in NIST SP 800-171 DoD Assessment Methodology, if necessary. Additionally, prime contractors are responsible for including the pertinent DFARS clauses in all sub contracts and assuring that applicable subs also have a score uploaded into SPRS.

DFARS 7021 – This clause lays the ground work for the new Cybersecurity Maturity Model Certification (CMMC), and subsequent subcontractor flow down of requirements based on the data they interact with.

At this point, DFARS 252.204-7012 is still the law of the land, however, these new clauses are now in play which is giving the DoD some new power and a vector for accountability. Additionally, CMMC is going to be rolled out over the next few years where it will eventually become the mechanism for the DoD (and likely eventually the entire government) to evaluate the protection of sensitive data by contractors.

CMMC 1.0

As of this writing, CMMC 2.0 has been released with significant changes from CMMC 1.0; therefore, I am not going to spend any time on control specifics. However, there are things which were established under 1.0 which are worth noting:

  • Unlike DFARS 7012, CMMC 1.0 would focus on assessment and certification before award of a contract, where DFARS relied on self-assessment and incident reporting.
  • The CMMC Accreditation Board was established in January 2020 and is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DoD contractor community, or other communities that may adopt the CMMC.
  • The CMMC-AB has since established certifications using a bifurcated model with Certified Third-Party Assessor Organizations (C3PAOs) and Certified CMMC Assessors/Professions (CCAs/CCPs) performing official assessment on behalf of the government and Registered Provider Organizations (RPOs) and Registered Practitioners (RPs) providing readiness and advisory to companies in the DIB prior to official assessments. Compliance Cloud is an RPO and I am an RP.
  • CMMC is a tiered model with progressively advanced levels (5 levels in CMMC 1.0), depending on the type and sensitivity of the information.
  • CMMC sets forward the process for information flow down to subcontractors.
  • CMMC is enforced through contracts and once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
  • The November 30th 2020, Interim rule established a 5-year rollout of the CMMC program.

The last item that is called out is one that I find is frequently overlooked. The CMMC program is in the process of being rolled out. I find ALL of the companies I speak with are extremely concerned with getting to a certain CMMC level, and have missed the fact that DFARS 7012, NIST 800-171 assessments and SPRS uploads are what currently matters. While I very much appreciate the CMMC enthusiasm, a NIST 800-171 assessment should be the concern if it has not yet been performed. During 2021, the DoD was performing pilot CMMC assessments (you would 100% know if your contract was involved), but all have been suspended at this point. I’ll discuss more on this below.

Well, if you have managed to stick with me this far, we have finally made it to CMMC in real time!

CMMC 2.0

At this point, we can move beyond the origin story and get some information straight from the Secretary of Defense website:

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

With the release of CMMC 2.0, there are major updates to the controls required, assessment processes, and a full overhaul of the CMMC maturity levels from 5 down to 3. I have prepared a separate post covering the details of the technical and process changes which can be seen here. For a quick overview, the graphic below gives a good picture.

CMMC level 1.0 to 2.0 mapping

CMMC 1.0 to 2.0 Mapping

What’s the most important thing to get from this graphic? Level 2 is mapped directly to the 110 controls of NIST 800-171, which happens to be the current requirement under the DFARS interim rule. One more gap to fill in, although not explicitly stated in the graphic above, I can tell you that the 17 level one controls are almost a perfect 1:1 mapping to the FAR 52.204-21 basic safeguarding requirements. One of the 15 basic controls from FAR was broken out into 3 separate controls which got us to 17 (I still haven’t been able to find a straight answer on why that is but it doesn’t matter in the large picture).

In addition to the technical updates, we received some additional information about the CMMC timeline.

The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.

I want to highlight this for a second time since it seems to be the largest misconception I encounter most frequently.

CMMC compliance is not currently required for any contracts. The pilot assessments have been suspended. DFARS 70 series and the interim rule are still the requirements which need to be addressed. This means that no matter what type of data you deal with, NIST 800-171 and an SPRS upload is what you need to be concerned with.

At the time of this writing, the DoD is still completing the rulemaking process in which the CMMC program will be codified under the 32 and 48 Code of Federal Regulations. It has been stated that this process could take 9-24 months from the initial release of CMMC 2.0 in November 2021. Additionally, Matthew Travis of the CMMC-AB stated earlier this month (February 2022) that the Pentagon wasn’t planning to fully implement the requirements across all contracts until fiscal year 2026.

Overall, this means that CMMC is still developing and likely will be subject to more changes for the foreseeable future, and for a final time, DFARS 7012 is still the law of the land and NIST 800-171 is going to be the path forward for DIB contractors.

Next Steps – Get your DFARS ducks in a row and get started with NIST 800-171

So where do you go from here? If I haven’t made it clear, a NIST 800-171 assessment is going to be the place everyone should start whether you are hoping to stay in good standing with your current contracts, or are looking to get ahead of the CMMC curve. Check out our additional information on how to conduct a NIST 800-171 assessment and the common mistakes (if you have never heard of NIST 800-171A you will want to read that post carefully), and how Compliance Cloud can help streamline the process.

Get Help with NIST 800-171