Here are our best guesses at the CMMC timeline today.
Very soon: CMMC Scoping Guide will be released by DoD. This should give definitive guidance on what systems need to be assessed, and which network security requirements apply to the systems.
Mid 2021: One contract authorized to require CMMC Level 3 (Space Force’s Broadband Global Area Network). This contract has not released the Request for Proposal yet. This will probably be the only contract released for CMMC in 2021.
Mid to Late 2021: The “DFARS Final Rule” for DFARS 252.204-7019, DFARS 252.204-7020, and DFARS 252.204-7021 is released. This will solidify CMMC certifications and NIST SP 800-171 Self Assessments as long-term requirements for bidding on DoD contracts.
Late 2021: 5-10 CMMC Third Party Assessor Organizations (C3PAOs) are expected to be approved to start performing CMMC Level 1-3 assessments.
Early 2022: Perhaps 10-30 CMMC assessments have been completed for defense contractors.
Early 2022: Other contracts (a handful) being considered for CMMC are scheduled for release in 2022.
Mid 2022: Perhaps up to 40 C3PAOs have been approved, performing up to 100 audits per month.
Mid 2023: Around 1,000 defense contractors have been assessed against CMMC (1% of total).
Mid 2024: Around 6,000 defense contractors have been assessed against CMMC (6% of total).
What CMMC Levels are available?
At this time, the de facto situation is that only CMMC Level 1 or CMMC Level 3 will be required for contracts. Full guidance for CMMC Level 4 and 5 has not been released yet by the DoD. If you think your contract might require CMMC Level 4 or 5, you should consider the requirements and make sure your systems can be upgraded, but there is no rush at all to implement. The best guess for when assessments at CMMC Level 4 or 5 will be available is late 2023.
What CMMC Level will be required for your contract?
The current language of the DFARS 252.204-7021 interim rule (the one that implements CMMC) breaks down the CMMC Level requirements slightly differently than most cyber security professionals describe them.
The prime contractor is required to have a CMMC Certificate of the level specified in the contract.
Flow down: Each contractor shall require their subcontractor(s) to have a CMMC certificate appropriate to the type of data flowing down to the subcontractor.
What does this mean to you?
If you are a prime contractor, you will be required to have the CMMC Level listed in the contract. It does not matter if your company will handle sensitive data. It is entirely based on what level is listed in the contract. Action: Ask your procurement officer for insight into what they are planning.
If you are a subcontractor, your required CMMC Level should be related to the data your information system handles. It should be based on whether you handle FCI, CUI, or neither. However, because the level requirement is up to your upstream contractor to decide, your experience may vary.
What is likely to go wrong for defense contractors?
Scoping unknowns for Federal Contract Information
There is still a big question about how to assess Federal Contract Information (FCI) when the target contract requires CMMC Level 3. Many organizations are focusing on cyber security for their Controlled Unclassified Information (CUI) and completely ignoring cyber security for the less sensitive FCI. The DoD could go several ways – here are the most likely:
1) The DoD could completely ignore FCI for the contracts that require CMMC Level 3 (this is illogical but could happen).
2) The DoD could require CMMC Level 1 protections for FCI related to CMMC Level 3 contracts.
3) The DoD could require CMMC Level 3 protections for FCI related to CMMC Level 3 contracts.
Appeals of CMMC assessments
The latest news is that quality reviews and appeals of decisions will be performed entirely within the C3PAO (the organization that assesses you). There will not be any way to escalate to the DoD or to the CMMC Accreditation Body for adverse certification results. This decision should be scary for both defense contractors and C3PAOs.
Knowing this, what should you do?
- Choose your C3PAO carefully. You can interview them and review their published materials to understand their stances on various topics. Make sure that your C3PAO is comfortable with the technology and solutions you have chosen to use. F1 has already established contacts with proposed C3PAO organizations and will have a list of organizations I respect for you to choose from.
- Get a “no consult” gap analysis from your chosen C3PAO early. This will give you information about what the C3PAO considers problems so that you can fix them. As long as your environment doesn’t change, there should be no surprises during the formal assessment later. You can also engage with an RPO that will not only perform a gap analysis against the controls, but also recommend remedial actions and serve as a consultative resource for you. Alternately, make sure that your Managed Services Provider has a very good understanding of CMMC and is in sync with C3PAO expectations. F1 Solutions is an RPO and can help you get ready for your third-party audit. We are making every effort to understand as much as we can how auditors will interpret controls and apply certification.
- Design your network to be well within requirements. Watch as other companies get assessed and take note of which solutions were considered acceptable.
What is likely to go right for defense contractors?
There are rumors that the DoD is considering allowing an assessment to pass even if a few requirements are NOT MET.
Significant delays (1-2 years) to the original CMMC roll-out timeline. Although delays are disappointing to cybersecurity professionals and the defense contractors who want to use CMMC as a competitive advantage, the delay is an overall win. A slower rollout gives companies more time to build the talent and processes needed to perform cybersecurity at the level expected by CMMC. This will reduce the risk to our supply chain based on companies failing their CMMC assessments.
Lessons learned from the first CMMC assessments
CMMC Third Party Assessor Organizations (C3PAOs) are starting to have their information systems assessed against CMMC Level 3 by the DoD. These assessments are the first time that “rubber meets the road” in terms of the CMMC. What have we learned so far?
- Documentation is more than 50% of the effort for a CMMC Level 3 assessment. The System Security Plan needs to be completed before the CMMC assessment can even be scheduled. The implementation of each CMMC technical practice is expected to be described in company documentation like policies and procedures.
- The DoD considers user computers and phones to be in-scope for CMMC requirements if they can access sensitive data (such as through email or OneDrive). One C3PAO used a solution where remote workers remoted into a secure work computer to access sensitive data. This was accepted by the DoD.
- If clouds are in-scope, the contractor needs to provide evidence that the cloud is performing each CMMC requirement that they are responsible for. For example, defense contractors need to prove that their cloud performs physical security for the data center. Because CMMC does not allow reciprocity for any other compliance framework yet, it is difficult for C3PAOs to prove that their cloud meets requirements. FedRAMP authorized cloud providers like Office 365 are expected to be granted reciprocity as a high priority.
- FIPS validated cryptography was accepted if the product was on the NIST FIPS 140-2 validated module list and the product was configured to use FIPS cryptography. Applying patches and system updates beyond the validated version did not cause the defense contractor to fail.
- The in-person assessment occurred in a single week (5 days). The C3PAO was expected to submit all their digital evidence (mostly documents) via secure file share a few weeks ahead.
- The question about whether Federal Contract Information needs to be assessed has not been answered.
Will CMMC be adopted across the Federal Government?
Biden’s Executive Order dated May 12 gave direction that agencies shall review “agency-specific cyber security requirements that currently exist as a matter of law, policy, or contract” and recommend a standard for use across the entire federal government. This choice of wording makes CMMC a key contender as a Federal-wide cyber security standard. The Executive Order states that this review and recommendation needs to be performed within 60 days, so we should have a better answer to this question by July-August 2021.