Last Updated: 6-DEC-2020 – 1:53 PM US Eastern
The Office of the Undersecretary of Defense for Acquisition and Sustainment (“OUSD(A&S)”) earlier today released guides for conducting Maturity Level 1 and Maturity Level 3 assessments. They also updated their FAQ to reflect recent changes. We will continue to update this post as our review of these documents proceeds.
CMMC Assessment Guide Level 1 Notes
Alignment with NIST SP 800-171A
The Assessment Guides provide much-needed clarity on how the assessments will be conducted. Leveraging the many years of experience that went into NIST SP 800-171A is a smart move on the part of DoD and the CMMC-AB. That means that the assessment requirements will be more familiar to contractors, especially those already creating or storing Controlled Unclassified Information (“CUI”). And for those contractors who are just starting to deal with the intricacies of the DoD’s cybersecurity requirements, such as contractors who are bidding on their first contracts, the ability to leverage the many consultants who are familiar with NIST SP 800-171 and SP 800-171A means the contractors will be able to start their compliance efforts more quickly and easily.
One of the burning questions that has been pending in CMMC is whether, and to what extent, contractors can inherit a service provider’s CMMC certification. Page 6 of Version 1.10 of the CMMC Assessment Guide Level 1 (the “Level 1 Guide”) states:
This should come as a relief to External Service Providers (“ESPs”), such as Managed IT Service Providers and cloud service providers, as well as to contractors. It allows an ESP to be certified once and to present its certification and evidence whenever a contractor client requests it, without going through the entire certification process for each client. It also allows contractors to continue to leverage cloud-based services. Contractors should carefully identify those ESPs whose services are likely to be in scope and discuss with them their certification plans, including certification timing, and the potential impact those plans will have on the contractor.
Missed Opportunity – No Clarity on Assessment Scope
As the DoD acknowledges on Page 2 of the Level 1 Guide:
After acknowledging that the assessment scope is an important precedent to any assessment, the DoD then says:
So, now contractors will know how to measure the maturity of their organization and systems, but not which systems will need to be measured, nor whether the contractor can rely on a service provider’s certification (i.e., whether that certification can be “inherited”) or whether the service provider might need to be assessed multiple times. For example, are cloud-based systems in scope for an assessment? If so, and if the cloud service provider’s systems have been certified, does the contractor still need certification? These are very relevant questions for many small businesses, especially those that are newer and dependent on cloud infrastructure for their operations.
On Page 2 of the Level 1 Guide, DoD also asserts that “The CMMC assessment methodology follows a data-centric security process…”. Our general recommendation is, therefore, to follow the data. If a system is used to create, process, or store Federal Contract Information (“FCI”) of any type (including Controlled Unclassified Information (“CUI”)), or to control access to systems that create, process, or store FCI, then that system should be assumed to be in scope for a Maturity Level 1 assessment. That does not mean that systems which neither handle FCI nor control those systems won’t also be in scope, but since contractors will need to start their analysis somewhere, they should start with the systems that create, process, or store FCI, and any systems that control those systems. This applies regardless of whether the system is on-premises or in the cloud, and regardless of whether the cloud system is providing infrastructure as a service (such as servers or systems stood up in Azure or AWS) or platform/software as a service (such as HR, accounting, or E-mail systems).
The same applies to a Maturity Level 3 assessment: follow the CUI. If a system is used to create, process, or store CUI, or if the system controls another system that is used to create, process, or store CUI, it should be treated as though it will be in scope for the Maturity Level 3 assessment.
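The “follow the data” rule above is easy to apply by hand for a handful of systems, but a contractor with a few dozen assets and several layers of access control (directory, identity provider, privileged-access vault) will want to compute it. The following Python helper is an added example written for this post; it is not from the assessment guides or from DoD. It assumes a constructed asset inventory in which each system records the data types it handles, where it is hosted, and which systems it controls access to. It generalizes the post’s rule by following control relationships transitively (a vault that controls the directory that controls the file server is pulled in too), and it deliberately never consults the hosting field, reflecting the point that on-premises versus cloud does not change the analysis.

```python
"""Data-centric CMMC scoping helper.

Added example, not code from the post or from DoD. Inventory format is an
assumption: each asset has a name, the set of data types it creates,
processes or stores ("FCI" and/or "CUI"), a hosting label, and the names
of systems whose access it controls.
"""
from collections import deque

# Constructed sample inventory; system names are illustrative only.
INVENTORY = [
    {"name": "erp-cloud",      "data": {"FCI"},        "hosting": "SaaS",    "controls": []},
    {"name": "engineering-fs", "data": {"CUI"},        "hosting": "on-prem", "controls": []},
    {"name": "email-saas",     "data": {"FCI", "CUI"}, "hosting": "SaaS",    "controls": []},
    {"name": "marketing-site", "data": set(),          "hosting": "SaaS",    "controls": []},
    {"name": "idp",            "data": set(),          "hosting": "SaaS",
     "controls": ["erp-cloud", "email-saas", "marketing-site"]},
    {"name": "ad-domain",      "data": set(),          "hosting": "on-prem",
     "controls": ["engineering-fs", "idp"]},
    {"name": "pam-vault",      "data": set(),          "hosting": "on-prem", "controls": ["ad-domain"]},
    {"name": "guest-wifi",     "data": set(),          "hosting": "on-prem", "controls": []},
]

# Data types that seed the scope at each maturity level.  CUI is a kind of
# FCI, so it seeds Level 1 as well as Level 3.
LEVEL_DATA = {1: {"FCI", "CUI"}, 3: {"CUI"}}


def scope_for_level(inventory, level):
    """Return the sorted names of systems presumed in scope for `level`.

    Seeds with every system handling the level's data types, then adds
    every system that controls access to an in-scope system, repeating
    until no new controllers are found (transitive closure).
    """
    data_types = LEVEL_DATA[level]
    by_name = {asset["name"]: asset for asset in inventory}

    # Build reverse edges: controlled system -> systems that control it.
    controllers = {name: [] for name in by_name}
    for asset in inventory:
        for target in asset["controls"]:
            if target not in by_name:
                raise ValueError(f"{asset['name']} controls unknown system {target!r}")
            controllers[target].append(asset["name"])

    in_scope = {asset["name"] for asset in inventory if asset["data"] & data_types}
    queue = deque(in_scope)
    while queue:
        current = queue.popleft()
        for controller in controllers[current]:
            if controller not in in_scope:
                in_scope.add(controller)
                queue.append(controller)
    return sorted(in_scope)


def scope_report(inventory):
    """Map each maturity level to its presumed in-scope systems."""
    return {level: scope_for_level(inventory, level) for level in sorted(LEVEL_DATA)}


if __name__ == "__main__":
    for level, systems in scope_report(INVENTORY).items():
        print(f"Level {level}: {', '.join(systems)}")
```

Running it on the sample inventory puts the identity provider, the directory and the privileged-access vault in scope at both levels even though none of them stores FCI or CUI, because each sits in the control chain above a system that does; the marketing site and guest Wi-Fi stay out, and the cloud-hosted ERP drops out at Level 3 because it holds FCI but not CUI. The result is a starting point for the scoping discussion with ESPs, not a substitute for the assessor’s scope determination.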
DoD has consistently asserted that CMMC-related costs would be allowable costs, meaning they can be charged directly to DoD as part of a contract. However, many contractors questioned whether the allowable costs would be limited to only those associated with the CMMC assessment itself or if other costs would also be allowable. The FAQs now state:
This should come as good news to contractors, as it suggests that a much wider range of costs will be permitted as allowable costs.
Respective roles of the CMMC-AB and the C3PAOs
The FAQ update includes changes to the role the CMMC-AB is expected to play in the ecosystem. It now states:
The CMMC Assessors and Instructors Certification Organization (“CAICO”) is an entirely new entity being introduced into the CMMC Ecosystem. The FAQ also changes the role C3PAOs will play in the CMMC Ecosystem, giving them more authority, and more responsibility, than they previously had. The FAQ now states:
While these changes bring the CMMC Ecosystem more closely into alignment with ISO’s accreditation structure, they represent a significant change to the CMMC-AB’s role in the ecosystem. Initially, DoD had expected the C3PAOs to provide the assessment-related services, with the CMMC-AB certifying the assessment results. Now it appears that the C3PAOs will be directly certifying the contractors.
Clarifying C3PAO Requirements
The DoD has also added some additional clarity as to what will be required of C3PAOs.
CMMC Assessors and Instructors Certification Organization
Similarly, the CMMC-AB had been responsible for managing the training of assessors and other individuals performing services as part of the CMMC Ecosystem. Now that function will be performed by the CMMC Assessors and Instructors Certification Organization. They state:
Timing and details of the creation of the CAICO are not provided.
CMMC Implementation Timeline Changes
Among other changes, the FAQ now reflects a slower roll-out of CMMC requirements in later years.
The DoD also appears to have pulled back from their previous projections on the number of contractors and contracts that will require Maturity Level 4 and Maturity Level 5 certifications, now stating “For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts”.
Characterization of the First 15 Contracts
Regarding the 15 contracts expected for FY2021, they state:
Prime and Subcontractor Flow-downs
They also clarified that not all subcontractors on a contract will need the same Maturity Level as the Prime. They state:
This confirms that, for example, a subcontractor who is only receiving FCI under a contract will only need Maturity Level 1 certification, even when the contract itself involves CUI.