RED ALERT: CMMC Begins December 16th
Category
CMMC, News
Risk Level
The long-awaited CMMC rule has finally been officially published and is accompanied by some beneficial changes from the original draft. We break them down for you so you and your organization can begin to prepare for the imminent enforcement.
If you read our Race to CMMC Compliance breakdown or watched our recent Hive Live episode CMMC 101, then you are already well-versed in the different levels and assessment requirements for the new Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC Final Rule was formally published to the federal register on October 15th making it law - and came with some surprising, but welcome, changes to the requirements. If you’re not already familiar with Department of Defense (DoD) acronyms, get ready for this Hive ACT post to be an acronym salad.
“What changed in the final draft?”
Let’s start with the simple changes since the last draft: timeline.
Now that the CMMC Program rule has been finalized, CMMC requirements will officially start appearing in contract solicitations on December 16, 2024.
Phase 1 will now last for one year, giving organizations seeking assessment (i.e., DoD contractors subject to DFARS 252.204-7012) an extra six months to comply with CMMC Level 2.
While there is a phased implementation plan for CMMC, the final rule notes that DoD Program Managers may include CMMC requirements at any point during the implementation plan at their discretion. If you know you’re going to need to meet a Level 2 or Level 3 requirement, it’s important to start getting your requirements in place now, rather than waiting until the start of those phases.
Companies will also be relieved to hear that there were two major changes made that directly influence how they may operate under CMMC:
If a Virtual Desktop Interface (VDI) is properly configured to prevent processing, storing, or transmitting Controlled Unclassified Information (CUI) (other than keyboard, mouse, or video input), then the endpoint is out of scope.
If you’re using a Cloud Service Provider (CSP) that does not process, store, or transmit CUI in performance of the contract, that CSP does not need to be Federal Risk and Authorization Management Program (FedRAMP) Moderate or equivalent.
Supplier Performance Risk System (SPRS)
No matter what level or type of assessment you have to comply with, a senior official at your organization needs to attest to your continued compliance with CMMC at least annually. The new rule has clarified that the start of that one-year countdown begins on the date you receive Conditional CMMC Status, rather than Final status. What does that mean? Let’s look at an example:
ExampleDefenseCompany LLC undergoes a Certified Third-Party Assessor Organization (C3PAO) assessment to achieve CMMC Level 2 Status. They received 3 Plan of Action and Milestones (POA&Ms), but scored >88 out of 110 points to achieve Conditional CMMC Level 2 Status on October 1, 2024. The company’s senior official affirms the results in SPRS. ExampleDefenseCompany LLC remediates all POA&Ms and undergoes a POA&M Closeout Assessment, validating all POA&Ms have been remediated, and achieved Final CMMC Level 2 Status on January 1, 2024. The senior official affirms the results, again, in SPRS. ExampleDefenseCompany LLC will not go through another C3PAO assessment until 2027, but every year the senior official will need to affirm in SPRS no later than October 1 to prevent a lapse in the CMMC status.
Note that failure to affirm your CMMC status annually results in an assessment lapse. You will now need a new assessment to get your CMMC Level 2 status back, and may be subject to standard contractual remedies including, but not limited to, withholding progress payments, foregoing contract options, or even terminating the contract.
Flow Down Requirements
The previous draft of the rule indicated that subcontractors receiving CUI would need to have the same CMMC level as the contract Prime. The update has reduced this requirement for Level 3, indicating that subcontractors to a CMMC Level 3 Prime will need, at a minimum, a CMMC Level 2 C3PAO assessment result. The final flow down requirements for subcontractors depends on what information flows down in the performance of a contract, and what level of assessment is required in the contract award for the Prime.
It is important to note that under CMMC, it is the prime’s responsibility to determine what requirements flow down to subcontractors and then to ensure that the subcontractors meet the applicable CMMC criteria. Primes will not have access to subcontractors’ scores in SPRS. DoD expects that primes will work directly with subcontractors to communicate requirements and obtain verification of compliance. Ultimately, this may just mean asking your subcontractors to provide a screenshot of their status from SPRS before flowing down any Federal Contract Information (FCI) or CUI.
Another key clarification is that External Service Providers (ESPs) provide a service that meets requirements specified by the Organization Seeking Assessment (OSA); they are not considered subcontractors and are not subject to the flow down requirements.
External Service Providers
The draft rule left a lot of confusion around ESPs - what they were, when CMMC applied, and how much of it applied. The final rule clarified many of the points around what, exactly, an ESP is and how to meet CMMC requirements for ESPs.
First, let’s start with some CMMC definitions.
External Service Provider: external people, technology, or facilities that an organization uses to provision and manage IT and/or cybersecurity services on behalf of the organization. CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP. An ESP may use cloud service offerings to deliver services to a client without being a CSP.
Cloud Service Provider: an ESP that provides its own cloud services based on a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing that can be rapidly provisioned and released with minimal management effort or service provider interaction on the part of the OSA. An ESP that manages third-party cloud services on behalf of the OSA is not a CSP.
Managed Service Provider: an ESP that is not a CSP that provides tech support services to clients. It does not host its own cloud platform offering.
The ruling also notes that service providers who only need temporary access to perform services such as penetration testing, cyber incident response, or forensic analysis do not meet the definition of an ESP and do not process, store, or transmit CUI.
The requirements for an ESP are determined by whether or not it is a CSP, and what type of data it is processing, storing, or transmitting.
The initial draft ultimately said if you’re using a third party to perform a security function, then that third party needed a C3PAO assessment and needed to meet all 110 of the NIST 800-171 controls. Under the updated guidance, any ESP that performs a security function may obtain a C3PAO assessment if they choose, but it is no longer required. Instead, the services provided by the ESP will be assessed as part of the OSA’s self-assessment or C3PAO assessment. ESPs will be required to have a Customer Responsibility Matrix (CRM) available to OSAs, and OSAs must document the use of an ESP, its relationship to the OSA, and the services provided in the OSA’s SSP, the ESP’s service description, and the Customer Responsibility Matrix (CRM).
Although the new assessment rules for ESPs alleviate a significant burden on both OSAs and ESPs, it may still be beneficial for ESPs to pursue voluntary certification. Without it, any time a customer goes through an assessment, the ESP may be on the hook to support the assessment by providing evidence. If an ESP chooses to pursue certification, all they need is a Commercial and Government Entity (CAGE) code and a SPRS account - and the ability to implement and meet CMMC Level 2 requirements if processing, storing, or transmitting CUI or Security Protection Data.
Updates to Scoping
Security Protection Assets are assets that provide a security function or capability for the CMMC Assessment Scope. Previously, these assets needed to be assessed against all 110 NIST 800-171 controls. The final rule updated this requirement, and now Security Protection Assets only need to be assessed against security requirements that are relevant to the capabilities provided.
Contractor Risk Managed Assets are assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. The final rule changed how these assets will be assessed. Under CMMC Level 2, these assets must be sufficiently documented in the SSP along with details about how the risk from these assets is treated, but will not be assessed against all 110 NIST 800-171 controls. That being said, they’re still expected to implement those controls. The final rule clarified that these assets will be treated as CUI assets under CMMC Level 3 - meaning the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment (performed by the Defense Contract Management Agency) will check that these assets meet all CMMC Level 2 and Level 3 controls. Ultimately, in its current state you are better off treating these assets as CUI Assets since they have to have all 110 controls anyway, or to segment them so they can be considered an Out of Scope Asset if they don’t need to process, store, or transmit CUI.
The initial draft of the rule stated that any organization seeking a Level 3 assessment needed to have an identical Level 2 scope. This has been updated to note that the Level 3 assessment scope must be the same or a subset of the Level 2 assessment scope. This is a significant improvement and means you can have a Level 3 enclave within your Level 2 scope, rather than having to apply all 24 Level 3 controls across your entire Level 2 environment.
One final point that was clarified in regards to scope relates to common carriers. The final rule states that a common carrier’s information system is not in scope for the assessment as long as CUI is properly encrypted during transport. This significantly reduces scope, provided encryption is enforced appropriately.
Exceptions and Deficiencies
Another major change to the final rule was the allowance of enduring exceptions and temporary deficiencies.
Enduring Exception: a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. This is used to accommodate special circumstances such as specialized manufacturing equipment or a unique laboratory environment that may prevent the implementation of certain security requirements. Enduring exceptions must be documented in the system security plan.
Temporary Deficiency: a condition arising after implementation where remediation of discovered deficiencies is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action that identifies deficiency reviews, milestones, and shows progress towards implementation of corrections to reduce or eliminate identified vulnerabilities. Temporary deficiency may apply during initial implementation of a security requirement if, during rollout, specific issues with equipment are discovered that must be separately addressed (e.g., certain specific hardware or software unexpectedly needs to be changed for the requirement to be successfully applied). For example, if FIPS-validated cryptography was implemented, but subsequently a patch invalidated the FIPS validation of a particular cryptographic module, this could be considered a temporary deficiency.
Operational Plan of Action: a formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements, and documents how they will be mitigated, corrected, or eliminated. This is the appropriate mechanism to use when a third party, to include CSPs and ESPs, are no longer compliant with a CMMC requirement. An operational plan of action does not identify a timeline for remediation and is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days.
For assessment and scoring purposes, the following will be considered as meeting requirements:
Enduring Exceptions: if described in the System Security Plan (SSP) with associated mitigation measures.
Temporary Deficiencies: if properly documented in the operational plan of action.
By documenting these exceptions and deficiencies, organizations can demonstrate their efforts to mitigate and address security risks, and will not be penalized in the assessment and scoring process.
Assessments
In the previous draft, CMMC Level 2 self-assessments needed to be conducted every year. The final rule changed this requirement to align with the C3PAO assessment requirements, and now those self-assessments only need to be conducted every three years. That being said, affirmations still need to be entered into SPRS annually to validate ongoing compliance with the CMMC controls.
The final rule also clearly identified all 24 controls from NIST 800-172 that will be required for CMMC Level 3 and defined the parameters for each of those controls.
If any significant changes (i.e., changes that impact how a control is met) to your assessed environment occur during the three year period between assessments, you need to complete another assessment and update the affirmation.
Other noteworthy items
While the following may not necessarily be new in the final draft of the rule, they are still important details to be aware of when it comes to CMMC:
You can have as many different CMMC boundaries or assessment scopes as you deem necessary to perform services. Your Certificate of CMMC Status will be applied to the specific scope that was assessed. If you have multiple products or service offerings that are segregated and don’t want to bring them all under a single umbrella for CMMC, you don’t have to!
Any company that has completed a Joint Surveillance Voluntary Assessment (JSVA) prior to December 16, 2024 and obtained a score of 110 will have their results converted to a Certificate of CMMC Status at Level 2. The same applies to any DIBCAC High Assessments performed prior to December 16.
CMMC requirements apply to both domestic and foreign primes and subcontractors. If FCI or CUI will be processed, stored, or transmitted in performance of a DoD contract, CMMC applies.
You must have a documented System Security Plan to conduct a self-assessment or C3PAO assessment (and Hive Systems has free templates available on our website!). No SSP means no assessment, no SPRS score, and no contract eligibility.
“That’s a lot. What do I need to do before the end of the year?”
If you’re reading this, you’re likely here because you need help understanding what level you need to meet, determining your scope and asset types, or conducting a CMMC readiness assessment. Hive Systems is here to help! Our team has Certified CMMC Assessors and Certified CMMC Professionals who are well-versed in NIST 800-171 requirements, the CMMC assessment methodology, and various solutions to meet your unique CMMC needs.
And if you were nodding along because you’re all set and are worried about the rapidly growing line to get a CMMC assessment by a C3PAO, then contact us as Hive Systems is also in the process of becoming a C3PAO and will be ready to start conducting assessments in early 2025!
Reach out to us today to see how we can help you understand CMMC and ensure you’re in a position to meet DoD contract eligibility requirements.
Follow us - stay ahead.