On September 29, 2020, the Department of Defense (DoD) issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) on Cybersecurity Maturity Model Certification (CMMC) implementation, per DFARS 252.204-7012. The rule is designed to clear up confusion about the integration of the CMMC framework, which has been a topic of concern to many people and businesses that serve the Defense Industrial Base (DIB).
The interim rule will go into effect on November 30th, 2020 and is open for comments until that date for purposes of formulating a final rule. Those comments will be posted at http://www.regulations.gov.
With the ever-changing landscape surrounding CMMC and this new interim rule, let’s take a look at what exactly CMMC is, what has changed with the interim rule, what companies need to be aware of, and finally, what RegDOX has been doing to prepare for the implementation of CMMC.
WHAT IS THE CMMC?
The CMMC was part of an initiative created in 2018 to assure the DoD that nonfederal DIB supply chain contractors and subcontractors have implemented ‘proper’ cybersecurity measures (processes and practices) to protect information at a level proportionate to the risk of exposure of that data. The CMMC introduced five (5) security levels, with the controls and requirements on the handling and protection of information increasing at each level.
There are several reasons why this initiative was launched: the increased sophistication and number of attacks, publicized and well-known ‘incidents’, and internal auditing results. Nearly everyone agrees that our nation’s adversaries have become more aggressive and daring and that we were not adequately protecting Controlled Unclassified Information (CUI) and other sensitive or confidential information. The then-existing system can best be described as, “Do it yourself. Make sure you do it all and do it right, but it’s up to you.” As expected, this arrangement was haphazard and, unfortunately, not working at all for some.
The CMMC’s alternative approach was designed to have independent assessments of contractors’ IT systems, specifically their cybersecurity, conducted by certified, trained, third-party providers. Their independent status and certification approvals were intended to ensure that compliance standards were actually being met.
The specific controls that the CMMC planned to implement and verify through this independent auditing mechanism were taken directly from the National Institute of Standards and Technology (NIST) SP 800-171, “Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.”
Currently, anyone doing business with the DoD has to attest to being compliant with these controls, so the assumption was that, given this foundational adherence to NIST SP 800-171 together with the controls dictated by the presence of CUI, bringing a company to CMMC compliance would not be an excessive burden. Most companies need to be certified at Level 1; however, those handling CUI would need to achieve Level 3 at a minimum.
WHAT IS CHANGING UNDER THE INTERIM RULE?
The most significant change introduced by the September 29, 2020 Interim Rule is to extend the date for third-party CMMC audits and certifications. Instead of a 2020 compliance and audit deadline, companies must meet the CMMC cyber controls, audits, and certification requirements for the CMMC level applicable to them by December 1, 2025. Before any future DoD contract will be awarded, the company must submit a self-assessment to verify compliance in the cyber assessment capability module within the Supplier Performance Risk System (SPRS).
There is a specific scoring method to be followed for the assessment. A contractor that has fully implemented all 110 of the NIST SP 800-171 controls will have a score of “110.” Contractors must conduct a self-assessment of their compliance with the NIST requirements and submit that self-assessment to SPRS by October 30th, 2020. This will give the DoD at least 30 days to post the self-assessment scores to SPRS ahead of the November 30th, 2020 deadline. It’s important to note that an inaccurate report could subject a company to penalties under the False Claims Act.
The interim rule definitively states that contractors will need to be re-certified every three years, at the highest level of CMMC applicable to their contracts. It also states that the CMMC level identified for a specific contractor may differ from the level required of that contractor’s subcontractors.
Another significant change under the interim rule is that the use of a Plan of Action and Milestones (POA&M) will continue to be accepted. An organization may not be in compliance with a NIST SP 800-171 control, but if it has a POA&M that recognizes the deficiency for that control and documents a solution and a timeframe to remediate the issue, then compliance is considered to be achieved.
The last critical change is that the previously recommended Level 1 through 5 rankings have been replaced with the “Basic”, “Medium” and “High” level assessments used in the DoD Assessment Methodology.
WHAT IMPACT DOES THE INTERIM RULE HAVE FOR YOUR COMPANY?
The top five industries impacted by this interim rule are: Research and Development in the Physical, Engineering, and Life Sciences (except Biotechnology); Engineering Services; Commercial and Institutional Construction; Computer Related Services; and Facilities Support Services. While those are the main targets, any industry with a DoD contract will need to abide by CMMC in addition to any other contract requirements.
Contractors will still need to have a certified, external third-party assessor come in and conduct a formal review of their information systems and procedures for CMMC compliance before December 1, 2025. Without this certification, companies will be ineligible to participate in any DoD contract after that date. For now, each organization is required to self-assess according to the DoD Assessment Methodology and submit the results of the assessment, their ‘score’, to the Supplier Performance Risk System (SPRS). No minimum score that must be met or exceeded has been specified.
Contractors that have been managing their systems’ security and cybersecurity protocols internally need to be fully aware of, and understand, the changes and reach of the new interim rule. A copy of the September 29, 2020 Interim Rule is published at 85 Fed. Reg. 61,505.
Because of the new requirement to submit an assessment score using the DoD Assessment Methodology, companies intending to conduct the assessment internally need to be aware of what the methodology says and what it means. A review of the NIST SP 800-171 DoD Assessment Methodology is available in “Strategically Assessing Contractor Implementation of NIST SP 800-171.”
WHAT IS REGDOX DOING TO PREPARE FOR CMMC?
RegDOX has an established practice of assisting, and at times directing, companies in meeting the self-assessment requirements imposed by ITAR, DFARS, and now, on an interim basis, the CMMC. It will continue to offer this service.
Further, RegDOX has applied for training to become a Certified Third-Party Assessor (C3PA). And, depending on evolving requirements, RegDOX is also evaluating becoming a Certified 3rd Party Assessment Organization (C3PAO).
We will continue to participate in webinars, meetings (online and offline), phone calls, and networking events to keep up to date on any changes. By staying on top of current developments, RegDOX customers can be assured that our online compliance and collaboration solution and assessment services will continue to address and anticipate the current state of CMMC compliance.
About RegDOX Solutions Inc.
Operating since 2007, RegDOX is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® products and services include storage and data management.