Proposed Rule: Cybersecurity Maturity Model Certification, Version 2.1
By Thomas J. DeMayo, Partner and Nick DeLena, Partner
On December 26, 2023, the Department of Defense released a proposed rule which, if adopted, will officially introduce the Cybersecurity Maturity Model Certification (CMMC) version 2.1 into defense contracts. The CMMC program represents a major evolution for the industry with significant repercussions for all companies and vendors across the defense industrial base.
What is CMMC?
The Cybersecurity Maturity Model Certification initiative introduces third-party certification to cybersecurity requirements that have been mandatory for defense contractors since December 31, 2017. These requirements are encapsulated in the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. This contractual requirement is inserted in all prime contracts in the defense sector and is required to be flowed down to subcontractors whenever Controlled Unclassified Information (CUI) is also flowed down.
The DFARS 252.204-7012 clause, titled Safeguarding Covered Defense Information and Cyber Incident Reporting, requires the implementation of 110 requirements and 320 assessment objectives within NIST Special Publication 800-171. To date, companies self-assess and since November 2020, upload a self-assessment score in the Department of Defense’s Supplier Performance Risk System. Companies are required to attest to the accuracy of the self-assessment under the False Claims Act.
After a series of reviews, the Department of Defense found contractors largely had not implemented the requirements and many were misreporting their state of compliance, leading to the introduction of CMMC and third-party assessments.
CMMC introduces new entities to the compliance ecosystem:
- CMMC 3rd Party Assessment Organizations (C3PAOs) are independent third parties authorized to perform CMMC certification assessments.
- Registered Provider Organizations (RPOs) are organizations dedicated to helping companies implement and prepare for third-party certification.
- The Cyber AB is a non-profit organization authorized by the Department of Defense to accredit C3PAOs and RPOs.
- Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is a division of the Defense Contract Management Agency. While not technically created as a result of CMMC, it is authorized to perform assessments of defense contractors to ensure contractual compliance.
New Information in CMMC 2.1
The release of the CMMC 2.1 rule and accompanying documentation contains a significant amount of new guidance for defense contractors. Below is a summary of the essential details:
- The CMMC program remains tiered. CMMC Level 1 will apply to contracts that do not contain CUI but contain only Federal Contract Information (FCI). Contractors can self-assess and attest annually. One hundred percent implementation of CMMC Level 1 is required. CMMC Level 2 will be applicable to specific contracts involving CUI. A small percentage of CMMC Level 2 contracts will only require self-assessment; however, the majority will require certification by a C3PAO. Certification will be valid for three years. CMMC Level 3 will pertain to a very small percentage of defense contractors working on high priority and high sensitivity programs. CMMC Level 3 assessments can only be performed by DCMA DIBCAC.
- The CMMC rollout will be phased. There is a four-phase implementation plan of the program requirements in solicitations and contracts.
- Phase 1 – begins on the effective date of the CMMC final rule, expected later this year or early 2025, and will require the DoD to include CMMC Level 1 self-assessments and CMMC Level 2 self-assessments for all applicable DoD solicitations and contracts as a condition of contract award.
- Phase 2 – begins six months following the start of Phase 1 and, in addition to Phase 1 requirements, the DoD intends to include CMMC Level 2 certification assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award. Additionally, the DoD may, at its discretion, delay the inclusion of CMMC Level 2 certification assessments to an option period instead of as a condition of contract award.
- Phase 3 – begins one calendar year following the start of Phase 2. In addition to Phase 1 and 2 requirements, the DoD intends to make Level 2 certification a condition to exercise option periods and introduces CMMC Level 3 certification requirements for applicable solicitations and contracts.
- Phase 4 – begins one calendar year following the start of Phase 3 and represents full implementation of CMMC program requirements. At this phase, the DoD will include all requirements in applicable solicitations and contracts including option periods on contracts awarded prior to Phase 4.
- Annual affirmations required. A new requirement under CMMC 2.1 is for the organization seeking assessment to name an affirming official and submit an affirmation statement, attesting the contractor has implemented and will maintain implementation of all applicable CMMC security requirements for all information systems within the relevant assessment scope at the applicable CMMC level. This affirmation is required annually and will be submitted via SPRS.
- Plan of Action and Milestones (PoA&Ms) are allowed in certain circumstances. Gaps in compliance with CMMC, documented on a Plan of Action and Milestones (PoA&M) are permissible only for specific CMMC Level 2 and Level 3 security requirements and must be resolved within 180 days of the assessment. In order to be eligible to carry PoA&M items, a contractor must achieve a score of at least 88 as assessed by a C3PAO and requirements assessed as “not met” can only be single point items from the DoD Assessment Methodology listing. PoA&Ms are not allowed for CMMC Level 1 – full compliance must occur.
- External Service Providers. If the defense contractor utilizes an external service provider (ESP) like a managed service provider for outsourced IT, that ESP must obtain a final CMMC certification equal to or greater than the CMMC certification level the defense contractor is seeking. For example, if you are seeking a CMMC Level 2 certification, your outsourced IT provider must already be CMMC Level 2 certified before you may obtain your certification.
- Cloud Service Providers. If a defense contractor utilizes any cloud service providers to store, process or transmit CUI, or if a contractor uses a cloud service provider to provide security protection for any component in a CMMC scope, that contractor must ensure the product or service offering is either FedRAMP moderate (or better) authorized, or meets the security requirements equivalent to FedRAMP moderate. The CMMC rule defines FedRAMP equivalency as the defense contractor possessing the CSP’s System Security Plan aligned to the FedRAMP moderate baseline and a Customer Responsibility Matrix which defines how each control is met and which party is responsible for maintaining the control requirements which map to NIST Special Publication 800-171.
Shortly after the release of the CMMC 2.1 rule in the Federal Register, the Department of Defense released a memo further defining the requirements around FedRAMP equivalency and, in part, conflicting with the CMMC 2.1 rule.
The FedRAMP memorandum states “to be considered FedRAMP moderate equivalent, [Cloud Service Offerings] must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization.” The Cloud Service Provider must also provide a Body of Evidence (BoE) to the defense contractor which includes the following information:
- System Security Plan (SSP)
- Information Security Policies and Procedures (covering all control families)
- User Guide
- Digital Identity Worksheet
- Rules of Behavior
- Information System Contingency Plan (ISCP)
- Incident Response Plan (IRP)
- Configuration Management Plan (CMP)
- Control Implementation Summary (CIS) Workbook
- Federal Information Processing Standard (FIPS) 199
- Separation of Duties Matrix
- Applicable Laws, Regulations and Standards
- Integrated Inventory Workbook
- Security Assessment Plan (SAP)
- Security Test Case Procedures
- Penetration Testing Plan and Methodology conducted annually and validated by a FedRAMP-recognized Third Party Assessment Organization (3PAO)
- FedRAMP-recognized 3PAO Supplied Deliverables
- Security Assessment Report (SAR) performed by a FedRAMP-recognized 3PAO
- Risk Exposure Table
- Security Test Case Procedures
- Infrastructure Scan Results conducted monthly and validated annually by a 3PAO
- Database Scan Results conducted monthly and validated annually by a 3PAO
- Web Scan Results conducted monthly and validated annually by a 3PAO
- Auxiliary Documents (e.g., evidence artifacts)
- Penetration Test Reports
- Plan of Action and Milestones (POA&M)
- Continuous Monitoring Strategy
- Continuous Monitoring Monthly Executive Summary, validated annually by a 3PAO
Timeline for Rule Finalization and Program Implementation
The CMMC 2.1 rule is currently in a 60-day public comment period, which closes on February 26, 2024. It is not certain how long the public comment review period will be, but some estimates put the review period between 200 and 300 days, with a possible release of a final rule in late 2024 or early 2025, which would then trigger Phase 1 of the implementation timeline.
PKF O’Connor Davies Services for the Defense Industrial Base
PKF O’Connor Davies is a CMMC 3rd Party Assessment Organization and Registered Provider Organization for the CMMC program. We assist companies in assessing their implementations against the requirements in the framework and help in addressing gaps by developing System Security Plans, policies and procedures; assembling artifacts; and building certification-ready documentation sets. Our years of experience with these requirements allows us to address our clients’ strategic questions on overall investment in compliance and what constitutes cost-effective compliance strategies.
We welcome the opportunity to answer any questions you may have related to this topic or any other matters relative to cybersecurity and privacy. Please call or email any of the Cybersecurity and Privacy Advisory team members below:
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Cybersecurity and Privacy Advisory
firstname.lastname@example.org | 646.449.6353
Nick DeLena, CISSP, CISA, CRISC, CDPSE, CMMC-CCP
Cybersecurity and Privacy Advisory
email@example.com | 781.937.5191