CMMC version 2

Intro

The Cybersecurity Maturity Model Certification (CMMC) is the latest iteration of initiatives created by the Department of Defense (DoD) to control the release and flow of controlled unclassified information (CUI) in non-federal systems. Put simply, the CMMC is a DoD regulation that specifies how federal contractors must handle sensitive information in their own systems. The CMMC is instantiated by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 and is intended to replace the patchwork of existing cybersecurity regulations, which have proven largely ineffective. The new regulation is expected to be implemented in all federal contracts as soon as the final rule is released, sometime in the next eight to twenty-three months. In its latest version, the CMMC is broken down into three distinct levels of increasing protection: level one declares the protections that must be put in place for federal contract information (FCI); level two mandates protections for CUI, and is the central focus of this article; and level three specifies cybersecurity protections for secret and top secret materials. The CMMC is purely focused on cybersecurity protection of this information and is not the only regulation relevant to federal contracting materials; those other regulations are outside the scope of this article.

FCI, CUI, and Secret

Before we move on to regulations, we have to clarify some definitions. FCI is the least sensitive of all classes of data included in the CMMC. FCI refers to the entirety of all federal contract information on any federal job. Some amount of FCI is distributed to potential vendors before a job even begins, so that contractors have the opportunity to decide whether they want to bid on the job. The bidding process involves multiple vendors and typically a good deal of back and forth between potential vendors and the federal government as both parties clarify the details of the contract; all of this information is considered FCI.


CUI is the next class of protected data. Defining CUI is a tricky subject, as it has a long and complicated history. Dating back to the 9-11 commission in 2002, CUI was identified as sensitive information that had not been and would not be made confidential, but that still posed a risk to national security; the commission found that the government had done a terrible job of protecting this data, and thus began the National Archives and Records Administration’s (NARA’s) journey to find and label CUI across all executive agencies. NARA completed this goal over the next six or seven years, which may sound like a long time but was actually a very quick turnaround considering the enormous volume of the government’s CUI at the time. Their methodology for labeling CUI began by labeling all controlled technical information (CTI) as CUI and moving on from there; this made sense because all CTI was already labeled. Ultimately, deciding what is or isn’t CUI is not an easy task, which is why labeling is mandated by NARA itself: all CUI that is distributed to the defense industrial base (DIB) has already been labeled, and all CUI that will be generated by external contractors is specified in the contract. So, while CUI can be very simply explained as documentation that has been labeled “CUI”, this definition is problematic: the government frequently mislabels non-sensitive documents as CUI and almost as frequently forgets to label certain things as CUI. While this system may not be perfect, it has actually helped quell the problem of CUI leakage.


Our last data type is secret data. This is very well labeled and mandates the highest level of protection in the CMMC. Secret information has the potential to create a large impact on national security, and in addition to the CMMC it has other relevant regulations to help protect it, which I will briefly expand upon. The first of these regulations is called facility secret clearance (FCL) and is managed by the Department of State (DoS); all companies that will handle secret information must receive FCL from DoS prior to viewing it. In order to receive FCL, contractors must be sponsored either by another contractor already holding FCL or by DoS; in both cases the contractor seeking certification must have a strong reason to be granted FCL. The DoS will review corporate structure, provide clearances to key management figures, and ensure there are no foreign interests; there are more nuances to the FCL, but these are the basics. The other critical piece of legislation is the NISPOM, the National Industrial Security Program Operating Manual, which lays out the expectations of DoS regarding how secret-cleared companies will handle their secret information. The NISPOM is an interesting document to mention in a discussion of the CMMC, because the NISPOM is a highly prescriptive mandate with clear expectations that has been polished and is actively in place at over ten thousand companies, while the CMMC is not.

DFARS

DFARS clauses are the government’s legalese included on all DoD contracts to specify how the contract will be executed by the vendor. A specific subtype of FAR clause, DFARS clauses are unique to the DIB; FAR clauses are federal acquisition regulations and are included on all federal contracts regardless of the department. Since the CMMC is unique to the DoD, it is implemented by a DFARS clause, specifically DFARS 252.204-7021, though it is not the first DFARS clause to mandate cybersecurity protections. The set of cybersecurity DFARS clauses is typically referred to as the 70 series, since they all end in 70xx.


The first attempt by the DoD to implement basic cybersecurity protections came in the form of a failure called DFARS 7012. This clause began with a set of sixty unique protections based on NIST SP 800-53; shortly after it was released, NIST published a new document specifically for protecting CUI in the DIB, NIST SP 800-171, along with an assessment methodology, NIST SP 800-171A, to verify that those protections were being implemented. We’ll cover the contents of those publications later, but for now what’s important to know is that from that point, all DIB contractors who touched CUI had to score perfectly on the 171A assessment. The 7012 clause was included in all DoD contracts until the next iteration in the 70 series.


DFARS 7019, 7020, and 7021 were all released together. 7019 and 7020 represent the interim CMMC rule, while 7021 implements the CMMC itself. 7019 and 7020 specify the three levels of assessment for the three different types of protected data; at the moment, they are what is included in federal contracts.

NIST

NIST special publications have played a growing role in the CMMC throughout its development, at first providing merely a basis and now forming the central requirements of the CMMC. The first publication used was SP 800-53, which specifies the requirements in place to protect CUI in federal systems. In addition to being the basis of the 7012 clause, SP 53 also contains all of the same protections as SP 171 and more. NIST SP 800-172 is the last important publication to note and is still under revision.


SP 171 specifies all of the expectations that the DoD has for the DIB in protecting CUI in nonfederal systems. All of its protections were taken directly from SP 53; the reasons certain provisions from SP 53 were not transferred directly to 171 include the following: the controls applied only to federal systems, the controls were too prescriptive to be reasonable, or the controls were so elementary or baseline that it simply seemed redundant to include them. This last group of controls is called Non-federal Organization (NFO) controls, and they did still make it into the CMMC; the nuance is that they must be implemented in order to pass, but they are not scored items. 171A is the assessment version of 171; it contains every protection mandated in 171 along with an associated score of between 1 and 5 points. The scoring system works as follows: every assessed organization begins with the maximum score of 110 points, and if a protection is found not to have been implemented yet, its associated point value is deducted from the organization’s total. An organization may score a minimum of -203, and organizations just getting started with their security programs can expect to score in the negative hundreds. In addition to providing their score as part of an assessment, organizations must be prepared to deliver both their system security plan (SSP) and their plans of action and milestones (POAMs) for any uncompleted items.
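The scoring and pass/fail rules described above, as an added worked example that is not part of the original article: a self-assessment ledger is tallied from the 110-point maximum, unscored NFO controls still gate a pass, and unimplemented items feed the POAM list. The requirement identifiers and point values in the sample ledger are constructed for illustration, not taken from SP 800-171A.

```python
"""Tally a NIST SP 800-171A style self-assessment from a control ledger."""
from dataclasses import dataclass

MAX_SCORE = 110   # every organization starts here
MIN_SCORE = -203  # floor reached only when every scored requirement is missing


@dataclass(frozen=True)
class Requirement:
    ident: str          # hypothetical identifier, e.g. "REQ-01"
    points: int         # 1..5 deducted if not implemented; 0 for NFO controls
    implemented: bool
    nfo: bool = False   # required to pass, but never scored


def validate(reqs):
    """Reject ledgers whose point values contradict the assessment rules."""
    for r in reqs:
        if r.nfo and r.points != 0:
            raise ValueError(f"{r.ident}: NFO controls carry no points")
        if not r.nfo and not 1 <= r.points <= 5:
            raise ValueError(f"{r.ident}: scored items are worth 1 to 5 points")


def score(reqs):
    """Deduct the point value of every unimplemented scored requirement."""
    validate(reqs)
    deducted = sum(r.points for r in reqs if not r.nfo and not r.implemented)
    return max(MAX_SCORE - deducted, MIN_SCORE)


def poam_items(reqs):
    """Every unimplemented item, scored or NFO, needs a POAM entry."""
    return [r.ident for r in reqs if not r.implemented]


def passes(reqs):
    """A perfect 110 is required, and NFO controls must be in place too."""
    nfo_ok = all(r.implemented for r in reqs if r.nfo)
    return score(reqs) == MAX_SCORE and nfo_ok


# Constructed sample ledger: three scored gaps (5 + 5 + 3 points) and one NFO control.
SAMPLE_LEDGER = [
    Requirement("REQ-01", 5, implemented=True),
    Requirement("REQ-02", 5, implemented=False),
    Requirement("REQ-03", 5, implemented=False),
    Requirement("REQ-04", 1, implemented=True),
    Requirement("REQ-05", 3, implemented=False),
    Requirement("NFO-01", 0, implemented=True, nfo=True),
]

if __name__ == "__main__":
    print(score(SAMPLE_LEDGER), passes(SAMPLE_LEDGER), poam_items(SAMPLE_LEDGER))
```

A ledger with every scored item implemented but an NFO control missing still scores 110 and still fails, which is the distinction the article draws.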


The last publication of note is 172. This document is still a draft, and it includes what are considered “enhanced” protections. A limited selection of these enhanced protections will be included for secret information under the CMMC. As of this writing, there are approximately sixty enhanced protections in 172, and none have been specifically chosen for the CMMC.

CMMC

The CMMC is the DoD’s plan to ensure the protection of CUI in the DIB. It is a three-layered model that has been scaled back from its previous version. In the earlier version, the CMMC included five layers along with additional practices and processes that were unique to the model. While the earlier version could possibly have led to better outcomes, it would have had a disastrous impact on the hundreds of thousands of small businesses that would have had to spend tens of thousands of dollars on new cybersecurity protections; many of the most costly protections came from the unique CMMC requirements. In addition to the added cost, there were also the useless levels 2 and 4, which would never have been implemented on a single contract. Another change from the previous version is the elimination of level one assessments, which were more trouble than the thousands of dollars in costs they would have incurred. The CMMC third-party assessment organizations (C3PAOs) have had their role greatly scaled back: only level two organizations that do not hold CUI relating to national security will need to be assessed by C3PAOs, and those assessments will only need to take place every three years. Level two organizations that do hold CUI relating to national security will be assessed by the DoD itself. Level three organizations will also be assessed by the DoD regularly. The final change to the CMMC is its timeline; rather than being rolled out gradually over the next four years or so, the CMMC will be pushed into every DoD contract beginning sometime in the next 8-23 months. There are more nuances to this timeline, such as potential incentives from the DoD for early implementation, but by and large, the financial relief of fewer protections is offset by the much quicker rollout.

IT-AAC and The GAO

The last twist in the tale of CMMC v2.0 is the reports from the Information Technology Acquisition Advisory Council (IT-AAC) and the Government Accountability Office (GAO). IT-AAC’s purpose is to advise the DoD on its use and acquisition of IT tools; it created the CMMC Center of Excellence (CMMC-COE), which serves as a vendor marketplace for C3PAOs, CMMC consultants, and organizations seeking compliance (OSCs). The IT-AAC recently published a report on its recommendations regarding the CMMC; this report was full of typos and errors and was otherwise shoddily crafted. The GAO also recently released a report to Congress on its recommendations regarding the CMMC; it contained some very simple suggestions that were already present in the process of creating the CMMC. These two reports, as well as the CMMC-COE, are notable because they provide insight into how the CMMC is being approached from within the government, as well as the wider reaction to it from the DIB. The two reports were simply poor work with little value to add to the CMMC, but they show exactly how the rulemaking process is being viewed by the GAO and by this NGO of former DoD leaders, the IT-AAC: they are not taking it seriously. In the CMMC-COE we can see many of the potential vendors offering assistance with CMMC compliance, and in this marketplace we can find a full eight C3PAOs who will be responsible for administering audits to the vast majority of the 300,000-company DIB. Neither the DIB nor the government itself is taking this process seriously, which leads to the only logical conclusion: the CMMC is far from finished, no matter what timeline the DoD has published.

Update August 2022: It's Still Coming

It's been a long time since this article got an update, and that's because nothing has really changed. I have included some clarifications below, but there have been no significant changes to the CMMC since I wrote this article. I would like to clarify what the CMMC actually mandates and what is old news.

A common complaint against the CMMC is that it is cost prohibitive: it will bar small and medium businesses from operating within the DIB, because the requirements are simply too difficult to comply with. This very common complaint has very little truth to it. While the assessments required by the CMMC are costly (and certainly will be when the rule starts being added to contracts) because of the shortage of assessors, the size of the DIB, and the length of the assessments, they are not big enough to topple a stable business and are no more cost prohibitive to small and medium businesses than they are to big, established businesses. The real "cost" of the CMMC that is typically being referred to is actually a requirement that has been around since 2016. This requirement is DFARS 7012, which points to NIST 171 and lays out the requirements for handling CUI. The expectation since its release has been that the DIB was complying with this requirement despite a lack of explicit enforcement. The costs associated with that clause are the real kicker for most businesses, but at this point are very unlikely to change much. So, the CMMC points to DFARS 7012, 7012 points to NIST 171, and they are all governed separately.

Disclaimer:

This information is meant to be a guide for future research and should not be construed as advice. It is also a point in time definition of relevant regulations as of August 2022; the CMMC and other DoD mandates are subject to ongoing revision.
