
January 2020 was a very important month for DOD’s Cybersecurity Maturity Model Certification (CMMC) initiative.  Last week, on January 31, 2020, DOD issued CMMC “Version 1.0” to the public.  The Version 1 release includes three documents:  a “Briefing”; the CMMC Version 1; and Appendices A through F.  Also on January 31, DOD officials held a news conference discussing aspects of the CMMC initiative that are not discussed in Version 1.0.  Earlier in January 2020, the CMMC initiative took another significant step with the formation of an “Accreditation Body” that will enter into a memorandum with DOD to oversee CMMC audits of contractors.  Unfortunately, as discussed below, these events have still not addressed many fundamental questions associated with the CMMC initiative.

Background

As explained in a prior blog, DOD has relied on contractor self-attestation of compliance with the cybersecurity clause at DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”  However, DOD has concluded that steps taken to date are not enough and that the level of contractor compliance is unsatisfactory.  As such, DOD launched the CMMC initiative last year, which includes the goal of using CMMC third-party assessment organizations (C3PAOs) to audit the entire DOD supply chain based on five maturity levels ranging from basic to advanced cyber hygiene.  The level required for each procurement will (at some point) be specified in RFIs and RFPs.  Unless a higher level is specified, all contractors must meet CMMC Level 1.  DOD also took steps last year to help establish the Accreditation Body as a nonprofit organization that will grant accreditations to the C3PAOs.

CMMC Version 1.0

CMMC Version 1.0 follows Draft CMMC Version 0.7 issued in December 2019.  As with Version 0.6 (issued in November 2019), Version 0.7 used a CMMC Model framework that categorized cybersecurity best practices within “Domains,” which were segmented by a set of “Capabilities,” which in turn were further broken down into “Processes” and “Practices.”  Processes measure the maturity of a company’s processes, while Practices measure the technical activities required to achieve compliance with a given capability requirement.

Version 1.0 retains this framework and, like Version 0.7, includes 17 Domains and 43 Capabilities.  Version 1.0 also includes 5 Processes (4 fewer than Version 0.7) and 171 Practices (2 fewer than Version 0.7).  Version 1.0 summarizes the levels as follows:

  • Level 1:  Basic safeguarding of Federal Contract Information (FCI), which is information provided by or generated for the Government under contract not intended for public release.
  • Level 2:  Transition step to protect Controlled Unclassified Information (CUI), which is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies.
  • Level 3:  Protecting CUI.
  • Levels 4-5:  Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs), defined in part as threats from adversaries that possess sophisticated levels of expertise that allow them to create opportunities to achieve objectives by using multiple attack vectors.

The three documents issued as part of Version 1.0 are:  (1) a 15-page “Briefing” document; (2) a 27-page “Main” document; and (3) Appendices A through F, covering 336 pages.  By comparison, Version 0.7 consisted of 190 pages, and Version 0.6 consisted of 90 pages.  Much of the increased length of the Version 1.0 documents is attributable to Appendix B, which contains 256 pages providing detailed descriptions of Processes and Practices, while providing additional information such as clarifying examples.  Appendix A provides the Model in tabular form with all Practices organized by Domain, Capability, and Level, and also includes maturity level Processes.  Appendix C is a glossary.  Appendix D provides abbreviations and acronyms.  Appendix E summarizes the sources for the Processes and Practices.  And Appendix F provides supporting references.

The CMMC levels and associated Process and Practices are cumulative – in order to achieve a specific level, a contractor must demonstrate achievement of the preceding lower levels.  Version 1.0 explains that, when implementing CMMC, a contractor can achieve a specific level for its entire network, or for particular segment(s), depending on where the information to be protected is handled and stored.

Although Version 1.0 provides a significant amount of information concerning the various elements of the CMMC Model, it does not discuss critical but related information, including the C3PAO auditors and the Accreditation Body that will grant accreditations to the C3PAOs.  Nor does Version 1.0 discuss DOD’s timeline for implementing Version 1.0.  For some reason, DOD has “siloed” Version 1.0 to keep it separate from these related aspects of the CMMC initiative.

DOD’s January 31, 2020 News Conference

DOD provided certain information about these other aspects of the initiative at a news conference held on January 31, 2020 (information about this conference can be found in a DOD article here and in a transcript of the conference here).  During that conference, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) indicated that DOD is drafting a memorandum between DOD and the Accreditation Body to outline its roles, responsibilities, and rules.  She also indicated that the Accreditation Body will oversee the training, quality, and administration of the C3PAOs.  C3PAOs will not be paid by DOD, and instead will enter into private transactions with the Accreditation Body.  Ms. Lord said that while multiple companies are interested, DOD has not yet designated any entity as qualified.  Katie Arrington (DOD’s Chief Information Security Officer for Acquisition) noted that companies will be able to schedule CMMC assessments for specific levels through a CMMC marketplace portal.  She further noted that a company’s certification will be good for three years.

DOD officials also discussed the CMMC timeline at the January 31 conference.  Previously, DOD had indicated that accreditations of C3PAOs would start in March 2020, that assessments by C3PAOs would start in June 2020, and that CMMC would be included in RFPs in the Fall of 2020.  To the extent those projections were meant to apply to the entire Defense Industrial Base – estimated at 300,000 organizations – it was difficult to see how DOD could meet those projections because DOD would not be able to complete assessments of all 300,000 organizations by the Fall of 2020.  DOD has now clarified the CMMC timeline by providing considerably more realistic projections, explaining that by FY 2026, all new DOD contracts will contain CMMC requirements.  Ms. Arrington indicated that DOD is working to identify candidate programs that will implement the CMMC requirements during FY 2021 through FY 2025 as part of a phased rollout.  She noted that DOD is engaging in a very deliberate and slow rollout process – DOD is targeting 10 RFIs for contracts that will include CMMC requirements starting in June, with corresponding RFPs by September or October 2020.  Ms. Arrington said that no existing DOD contracts will have CMMC requirements added to them.

Ms. Lord also indicated that DOD is looking at the late Spring/early Summer time frame to complete a new DFARS, but did not elaborate on that action. DOD has opened a DFARS Case, No. 2019-D041, entitled “Strategic Assessment and Certification Cybersecurity Requirements.”  The synopsis states:  “Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  Although this information does not specifically mention CMMC, DOD has indicated that CMMC will be addressed as part of the DFARS Case.

Formation of the Accreditation Body

Another significant CMMC event that occurred last month was the formation of the Accreditation Body (AB).  The AB is a 501(c)(3) Maryland nonprofit organization with a Board of Directors chaired by Ty Schieber from UVA’s Darden School.  In early October 2019, DOD issued an RFI seeking information related to the establishment of the AB, followed by an Industry Day in November 2019 that included discussion of requirements associated with forming the AB.  The AB has established a website, which provides important information about the AB while highlighting the fact that it is still very much a work in progress.  As just one example, under “FAQ,” the website notes that the AB is in its formative stages and does not yet have authority from DOD.

With respect to substantive information, the website notes that DOD has indicated it will provide initial training guidance to the AB in the first quarter of 2020, and that the AB will publish a list of “Assessors” after training is developed and Assessors are certified.  Assessors are persons who have successfully completed the background, training, and examination requirements outlined by the AB and to whom a License has been issued.  Assessors work for C3PAOs, and not for the AB.  Each C3PAO will need to be certified by the AB before deploying Assessors into the field.  The website further explains that the AB does not yet know the fees or details associated with the process, but that, as a nonprofit, the AB’s fees will reflect the costs of providing an independent, national organization with a leading-edge customer experience.

Open Questions

The foregoing developments leave open the following questions:

  • How will DOD determine specific Levels for each procurement?
  • How long will it take to become certified at each Level, and what will those processes entail?
  • Will CMMC apply to grants and cooperative agreements?
  • Will the costs of compliance be allowable costs?  DOD has provided conflicting statements on this important question.

An additional significant question is:  What rights will contractors have to disagree with/appeal from assessments by certifiers?  In fact, there are several dispute-related questions associated with the CMMC initiative, including what sort of disputes process will exist between the AB and C3PAOs, and between the AB and DOD.  The AB website includes a glossary that defines “Dispute” as “A formal process managed by the CMMC-AB through which an Assessor and an OSC [Organization Seeking Certification] can seek resolution of a disagreement over the Assessment results.”  The glossary also defines “Dispute Adjudicator” as “A CMMC-AB employee who is responsible for reviewing and resolving a Dispute.”  These are very short descriptions for such important issues.  Because all entities seeking to conduct business with DOD will have to attain the certification level specified for each procurement, being able to attain that specified level will be critical for contractors, which in turn ramps up the importance of any dispute resolution process involving certification levels.

Conclusion

It will be interesting to see how DOD and the AB attempt to address the many open questions associated with the CMMC initiative.  But, at least now, DOD has adopted a much more manageable schedule that will allow more time to grapple with these questions.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

Originally published at Miles & Stockbridge