Update: The CMMC-AB posted the recording from the February 23 Town Hall on March 2, 2021. You can view it at: CMMC Town Hall, February 2021 – Town Hall Videos (cmmcab.org)
Although yesterday’s CMMC-AB town hall was hosted by the CMMC-AB, representatives from the US Department of Defense did most of the talking. The session was excellent, and addressed many topics that are of interest to the contractor community. We provide our summary below, and will update this post with a link to the video once it is available from the CMMC-AB. The DoD representatives included Katie Arrington, Darren King, Lt. Col. Bryan Lamb, John Duncan, Dr. John Choi and Buddy Dees, and Diane Knight.
Karlton Johnson, Chairman of the CMMC-AB Board of Directors, introduced Katie Arrington, who made several important points:
- CMMC is part of a broader effort within DoD to improve their approach to acquisition. This is referred to as the “Adaptive Acquisition Framework,” or AAF, and DoD is actively working on training for Program Managers and Contracting Officers in the AAF. Foundational to the AAF is DoD Instruction 5000.90 entitled “CYBERSECURITY FOR ACQUISITION DECISION AUTHORITIES AND PROGRAM MANAGERS”. This instruction establishes policy, assigns responsibilities, and prescribes procedures for the management of cybersecurity risk by program decision authorities and program managers (PMs) in the DoD acquisition processes. It helps PMs and contracting officers understand how to craft RFPs going forward that properly assess and address their cyber risks.
- AAF is about driving a cultural change in DoD. The 2020 NDAA imposed CMMC requirements on DoD. As part of this, they did a self-assessment and saw a few key weaknesses on their end, including the fact that they were not marking information consistently or properly. The AAF, combined with Defense Acquisition University’s educational programs, are designed to change that going forward.
- AAF is not just focused on CUI. Over 60% of contractors will only ever need CMMC Maturity Level 1 [meaning they will never handle CUI].
Darren King, the Director for DoD’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) spoke about the DIBCAC’s upcoming assessment of prospective C3PAOs. Mr. King mentioned:
- 5 C3PAO assessments are currently on the schedule. The first is scheduled to begin on March 8, with the next on March 22. They are taking a phased approach to the C3PAO assessments so they have time to process and internalize any lessons learned before attempting to assess the broader pool of CMMC-AB approved C3PAOs.
- The C3PAOs can expect that all assessments will include a site visit.
Lt. Col. Bryan Lamb and John Duncan spoke about the process of submitting a NIST SP 800-171 self-assessment score (as required under the Interim DFARS rule published in September 2020 and using DoD’s scoring methodology) to DoD’s Supplier Performance Risk System (“SPRS”). [Our self-assessment scoring tool can help those who have yet to conduct a self-assessment]
Dr. John Choi and Buddy Dees gave an update on the development of the DoD EMASS tool. The EMASS tool will be used by C3PAOs to submit assessment results. The EMASS tool will generate the corresponding certificates and will be used by DoD for tracking OSC assessment-related information. One important note stressed by Dr. Choi is that sensitive information will stay in the contractors’ systems.
Diane Knight gave an update on the pathfinder and pilot programs. The pathfinder assessments, which were conducted on a non-attributional, nonpunitive basis, are finished. The pathfinder assessments included 2 Maturity Level 3 assessments and the assessment of a Maturity Level 1 subcontractor. Pilot programs are still being evaluated. The services are continuing to suggest programs that might fit, and the OUSD(A&S) is reviewing each to ensure they are good candidates at this early stage of the DoD crawl-walk-run CMMC roll-out.
The session then turned to questions and answers. Several important points were addressed including:
- Cost Allowability: Costs associated with attaining and obtaining certifications at or below Maturity Level 3 will be part of the OSC’s overhead and built into the G&A rates. Costs associated with obtaining Maturity Levels 4 and 5 will be directly billable to the government.
- Next Versions of the Model and Assessment Guides: The next versions of the assessment guides are coming out “hopefully” by mid-year and will include changes that result from the adjudication of the interim rule. The new assessment guides are expected to include scoping guidance. Ms. Arrington stressed that most of the changes will likely occur in Maturity Levels 4 and 5, and asserted that “Maturity Levels 1 through 3 are pretty solid”.
- Process Maturity: DoD does not yet have guidance for contractors regarding what constitutes a “mature” process. Guidance is being formulated, but the release date for that guidance is not available.
- CMMC and SCADA/OT technologies: We are going through “Phase 1” of CMMC. In Phase 1, DoD intentionally chose to exempt SCADA and other Operational Technologies from CMMC. Phase 2 will come later and CMMC will likely be extended to include SCADA and OT technologies at that time.
What other questions would you like to hear DoD or the CMMC-AB address? Head over to our Communities to weigh in!