On November 4, 2021 the United States Department of Defense released a preview of Version 2.0 of the Cybersecurity Maturity Model Certification (“CMMC”) program.  The announced changes in CMMC 2.0 include the removal of:

  1. the “delta 20” controls that DoD had added to CMMC 1.x which went above and beyond those described in NIST Special Publication 800-171 (“800-171”) and
  2. the process requirements defined in CMMC 1.x. 

Most experts would agree that well-constructed, and properly governed, processes are critical to a strong cybersecurity program that can respond to, and recover from, a cybersecurity incident.  DoD’s removal of the processes from the assessment criteria is, therefore, surprising to many experts.

Some in the CMMC community are arguing that explicitly including the process requirements is not necessary because they are inherent in 800-171 and the accompanying assessment guide published by NIST (“800-171A”).  They cite the number of times words like “policy” appear in the document, and some of the more sophisticated commenters point to the “NFO” controls referenced in Appendix E.  In this article, we demonstrate why those arguments are, by and large, incorrect.  We therefore strongly suggest that DoD examine this in more detail before finalizing CMMC 2.0.

One quick note: The exception that proves this rule is the requirement for a system security plan; this is explicitly required in 800-171 and 800-171A, and we will not spend more time on the topic here.

About 800-171A

NIST published 800-171A to provide “…federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations[1]”.  As noted in 800-171A, “The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments.” [2]

The 800-171A Assessment Process

The 800-171A assessment process is designed to be conducted in a variety of contexts, including self-assessments.  As NIST notes: “Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes.” [3]

“Organizations have the flexibility to specialize the assessment procedures by selecting the specific assessment methods and the set of assessment objects to achieve the assessment objectives.  There is no expectation that all assessment methods and all objects will be used for every assessment.”[4]  “The assessment process is an information-gathering and evidence-producing activity to determine the effectiveness of the safeguards intended to meet the set of security requirements specified in NIST Special Publication 800-171.”[5]  “The assessment procedures in this publication offer the flexibility to customize assessments based on organizational policies and requirements, known threat and vulnerability information, system and platform dependencies, operational considerations, and tolerance for risk.”[6] It is clear that NIST’s intent was to create a flexible framework for conducting an assessment, one which allows the assessment to meet the needs of those conducting the assessment and the nature of the organization being assessed.  The organization being assessed must “simply” demonstrate that their programs “meet the set of security requirements specified in NIST Special Publication 800-171” [7].  800-171A gives the organization being assessed the flexibility to determine how this is done.

Assessment Objectives and Artifacts

To conduct an assessment under 800-171A, NIST states that “[a]n assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment.”[8]  “Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.”[9]  It is important to note that the list of artifacts includes not only policies, procedures, and plans, but also specifications, architectural designs, and security requirements.  In so stating, NIST is clearly signaling that documentation other than policies, procedures, and plans is acceptable under 800-171A, and that the organization being assessed has the responsibility to collect artifacts that demonstrate, objectively, that the organization meets the objectives defined for each control in the framework.

Examining the Artifacts

NIST continues by stating “The assessment methods define the nature and the extent of the assessor’s actions. The methods include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.”[10]  Note here that, when discussing the objects to be reviewed, NIST’s exemplary list includes specifications, mechanisms, and activities; policies, procedures, and plans are not even mentioned.

What Artifacts Qualify?

As NIST digs deeper into the assessment approach, it states:

“Organizations are not expected to employ all assessment methods and objects contained within the assessment procedures identified in this publication.  Rather, organizations have the flexibility to determine the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and assessment objects are deemed to be the most useful in obtaining the desired results). This determination is made based on how the organization can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.”[11] (underlined emphasis added)

“Assessors can build on previously developed materials that started with the specification of the organization’s information security needs and is further developed during the design, development, and implementation of the system and system components.  These materials, developed while implementing security throughout the life cycle of the system, provide the initial evidence for an assurance case.”[12]

“Moreover, the entire list of potential assessment objects should not be viewed as required artifacts needed to determine compliance to the requirements.  Organizations have the flexibility to determine the specific methods and objects sufficient to obtain the needed evidence to support claims of compliance.”[13]

Analysis

In 800-171A, NIST is clearly giving organizations conducting assessments the flexibility to meet the objectives using any evidence they choose, provided the evidence is sufficient to meet the objective.  Again, this is true for both self-assessments and assessments conducted by third parties or the government.  And that evidence is not limited to any specific type of document or artifact, and certainly not to policies, procedures, or plans such as those that would be created under an NFO control of 800-171 Appendix E.   

This, then, creates a bit of a conundrum.  A contractor, as the organization being assessed during a self-assessment, can determine that their reliance on evidence such as system requirements and designs is sufficient to establish that they meet the 800-171 objectives.  At the same time, DoD’s DIBCAC team or a C3PAO’s assessment team, as the organization conducting an assessment, can theoretically determine that those same categories of documents, independent of their content, are not sufficient to demonstrate that the objectives are met and that other document types, such as policies and procedures, are instead required. 

As a result, contractors can invest tens of thousands of dollars in personnel and consultant time collecting artifacts that they correctly believe demonstrate their organization meets the 800-171A requirements, only to find out that the assessors are looking for something different.  Yes, the contractor can try to pivot and quickly create the necessary documents, but well-written policies and procedures that meet the 800-171 objectives, and especially those crafted to meet the NFO controls of Appendix E, are not written overnight.  In the time needed to craft the documents and bring an assessor back in to perform an assessment, the contractor will likely miss out on contracts. 

How will this conflict be resolved?  Most likely in one of two ways. 

The first, and our recommended approach, is for DoD to explicitly state which interpretation is correct within the standard, as was done in CMMC 1.x.  However, Deputy Assistant Secretary of Defense Salazar stated in the CMMC Town Hall on November 9, 2021 that it was DoD’s intent to adhere strictly to 800-171 and not issue DoD-specific deviations in CMMC 2.0, so such clarifications are unlikely to appear in CMMC 2.0. This is unfortunate, since 800-171 was clearly written with the intention of giving agencies precisely this kind of flexibility.

Given DoD’s reluctance to provide affirmative guidance, the unfortunate alternative is through costly and distracting litigation. If, and more likely when, that litigation occurs, the courts are going to look at the approach DoD took when implementing CMMC 2.0.  In 800-171A, NIST makes it clear that compliance can be demonstrated through a variety of evidence types.  By explicitly removing the “process” requirements from CMMC 2.0, DoD has signaled to the organizations being assessed that they can provide evidence other than policies, procedures, and plans to meet the 800-171 assessment objectives.  Thus, any attempts by DoD to subsequently require policies, procedures, or plans as part of an assessment will likely fail in court. But we won’t know for sure for many years as the parties battle it out.

Rather than helping secure our nation’s supply chain, CMMC 2.0 allows the status quo to continue.  Our nation, and our servicemembers, will be worse off for it, and DoD should reinstate the maturity requirements.
[1] NIST Special Publication 800-171A, Abstract (Page ii)

[2] Id.

[3] Id.

[4] NIST Special Publication 800-171A, Page iv, Cautionary Note

[5] NIST Special Publication 800-171A, Chapter One, Page 1, third full paragraph

[6] NIST Special Publication 800-171A, Chapter One, Page 2, first full paragraph

[7] NIST Special Publication 800-171A, Chapter One, Page 1, third full paragraph

[8] NIST Special Publication 800-171A, Chapter Two, Page 4, second full paragraph

[9] NIST Special Publication 800-171A, Chapter Two, Page 4, third full paragraph

[10] NIST Special Publication 800-171A, Chapter Two, Page 4, final paragraph

[11] NIST Special Publication 800-171A, Chapter Two, Page 5, second full paragraph

[12] NIST Special Publication 800-171A, Chapter Two, Page 6, third full paragraph

[13] NIST Special Publication 800-171A, Chapter Three, Page 8, Cautionary Note