Last Updated: 6-DEC-2020 – 1:53 PM US Eastern

The Office of the Undersecretary of Defense for Acquisition and Sustainment (“OUSD(A&S)”) earlier today released guides for conducting Maturity Level 1 and Maturity Level 3 assessments. They also updated their FAQ to reflect recent changes. We will continue to update this post as our review of those documents proceeds.

CMMC Assessment Guide Level 1 Notes

Alignment with NIST SP 800-171A

The Assessment Guides provide much-needed clarity on how the assessments will be conducted. Leveraging the many years of experience that went into NIST SP 800-171A is a smart move on the part of DoD and the CMMC-AB. That means that the assessment requirements will be more familiar to contractors, especially those already creating or storing Controlled Unclassified Information (“CUI”). And for those contractors who are just starting to deal with the intricacies of the DoD’s cybersecurity requirements, such as contractors who are bidding on their first contracts, the ability to leverage the many consultants who are familiar with NIST SP 800-171 and SP 800-171A means the contractors will be able to start their compliance efforts more quickly and easily.

Inheritance

One of the burning questions that has been pending in CMMC is whether, and to what extent, contractors can inherit a service provider’s CMMC certification. Page 6 of Version 1.10 of the CMMC Assessment Guide Level 1 (the “Level 1 Guide”) states:

A contractor can inherit practice objectives. A practice objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice objective. Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met. For each practice objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited. If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a NOT MET for the practice.

CMMC Level 1 Guide, Page 6

This should come as a relief to External Service Providers, such as Managed IT Service Providers and cloud service providers, as well as contractors. It allows an ESP to be certified once and to present the certification and evidence any time a contractor client requests it, without going through the entire certification process for each client. It also allows contractors to continue to leverage cloud-based services. Contractors should carefully identify those ESPs whose services are likely to be in scope and discuss with the ESPs their certification plans, including certification timing, and the potential impact those plans will have on the contractor.

Missed Opportunity – No Clarity on Assessment Scope

As the DoD acknowledges on Page 2 of the Level 1 Guide:

“Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued.”

CMMC Level 1 Guide

After acknowledging that the assessment scope is an important precondition for any assessment, the DoD then says:

“Additional guidance on assessment scope will be available in the next version of this CMMC Assessment Guide – Level 1” [emphasis added].

CMMC Level 1 Guide

So, now contractors will know how to measure the maturity of their organization and systems, but not which systems will need to be measured, and whether the contractor can rely on a service provider’s certification (i.e., whether that certification can be “inherited”) or if the service provider might need to be assessed multiple times. For example, are cloud-based systems in scope for an assessment? If so, and if the cloud service provider’s systems have been certified, does the contractor still need certification? These are very relevant questions for many small businesses, especially those which are newer and dependent on cloud infrastructure for their operations.

Scoping Suggestion

On Page 2 of the Level 1 Guide, DoD also asserts that “The CMMC assessment methodology follows a data-centric security process…”. Our general recommendation is, therefore, to follow the data. If a system is used to create, process, or store Federal Contract Information (“FCI”) of any type (including Controlled Unclassified Information (“CUI”)), or to control access to systems that create, process, or store FCI, then that system should be assumed to be in scope for a Maturity Level 1 assessment. That does not mean that systems that do not create, process, or store FCI, or control those systems, won’t also be in scope, but since contractors will need to start their analysis somewhere, they should start with the systems that create, process, or store FCI, and any systems that control those systems. This is regardless of whether the system is on-premises or in the cloud, and regardless of whether the cloud system is providing infrastructure as a service (such as servers or systems stood up in Azure or AWS) or platform/software as a service (such as HR, accounting, or e-mail systems).

The same applies to a Maturity Level 3 assessment: follow the CUI. If a system is used to create, process, or store CUI, or if the system controls another system that is used to create, process, or store CUI, it should be treated as though it will be in scope for the Maturity Level 3 assessment.

FAQ Notes

Cost Allowability

DoD has consistently asserted that CMMC-related costs would be allowable costs, meaning they can be charged directly to DoD as part of a contract. However, many contractors questioned whether the allowable costs would be limited to only those associated with the CMMC assessment itself or if other costs would also be allowable. The FAQs now state:

The costs associated with implementing CMMC requirements, supporting the CMMC assessment, and contracting with the C3PAO will be considered an allowed cost. 

CMMC FAQ

This should come as good news to contractors, as it suggests that a much wider range of costs will be permitted as allowable costs.

Respective roles of the CMMC-AB and the C3PAOs

The FAQ update includes changes to the role the CMMC-AB is expected to play in the ecosystem. It now states:

“The CMMC-AB (https://www.cmmcab.org/) is an independent organization that will authorize and accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements.”

CMMC FAQ

The CAICO is an entirely new entity that is being introduced into the CMMC Ecosystem. The FAQ also changes the role C3PAOs will play in the CMMC Ecosystem, giving them more authority, and more responsibility, than they previously had. The FAQ now states:

Authorized and Accredited C3PAOs are responsible for conducting the CMMC assessments of DIB companies’ unclassified networks and then issuing appropriate CMMC certificates based on the results of the assessments.

After the completion of the CMMC assessment, the C3PAO will provide an assessment report and if there are no deficiencies, issue the appropriate CMMC certificate to the DIB company for the specified certification boundary. The C3PAO will also submit a copy of the assessment report and CMMC certificate to the DoD.

CMMC FAQ

While these changes bring the CMMC Ecosystem more closely into alignment with ISO’s accreditation structure, they represent a significant change to the CMMC-AB’s role in the ecosystem. Initially, DoD had expected the C3PAOs to provide the assessment-related services, with the CMMC-AB certifying the assessment results. Now it appears that the C3PAOs will be directly certifying the contractors.

Clarifying C3PAO Requirements

The DoD has also added some clarity as to what will be required of C3PAOs.

Authorized C3PAOs must meet DoD requirements and a subset of the ISO/IEC 17020, Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection requirements prior to being authorized to conduct CMMC assessments and issue certifications. The CMMC-AB can authorize C3PAOs to conduct CMMC assessments prior to the C3PAO achieving accreditation.

Accredited C3PAOs must meet all DoD requirements and achieve full compliance with ISO/IEC 17020. C3PAOs must be accredited by the CMMC-AB within 27 months of their registration.

CMMC FAQ

CMMC Assessors and Instructors Certification Organization

Similarly, the CMMC-AB had been responsible for managing the training of assessors and other individuals performing services as part of the CMMC Ecosystem. Now that function will be performed by the CMMC Assessors and Instructors Certification Organization. They state:

The Authorized and Accredited CAICO will be established to manage and oversee the training, testing, authorizing, and certifying of candidate assessors and instructors. The CAICO will be required to meet DoD requirements and achieve compliance with ISO/IEC 17024, Conformity Assessment – General Requirements for Bodies Operating Certification of Persons Conformity Assessment.

CMMC FAQ

Timing and details of the creation of the CAICO are not provided.

CMMC Implementation Timeline Changes

The FAQ changes include, among other things, a slower roll-out of CMMC requirements in later years.

Updated Projected Number of Contracts with CMMC Requirements

The DoD also appears to have pulled back from their previous projections on the number of contractors and contracts that will require Maturity Level 4 and Maturity Level 5 certifications, now stating “For subsequent fiscal years of the rollout, the Department intends to incorporate CMMC Levels 4 and 5 on a small number of contracts”.

Characterization of the First 15 Contracts

Regarding the 15 contracts expected for FY2021, they state:

“During the first year of the rollout, the Department will require no more than 15 new Prime acquisitions to meet CMMC requirements as part of a CMMC pilot program. These contracts will focus on mid-sized programs that require the contractor to process or store CUI (CMMC Level 3). Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.”

CMMC FAQ

Prime and Subcontractor Flow-downs

They also clarified that not all subcontractors on a contract will need the same Maturity Level as the Prime. They state:

If the DoD contract has a CMMC requirement and so long as your company does not solely produce COTS products, you will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

CMMC FAQ

This confirms that, for example, a subcontractor who is only receiving FCI under a contract will only need Maturity Level 1 certification, even when the contract itself involves CUI.