The 60-day comment period begins for the new proposed CMMC rule published in the Federal Register.
The Department of Defense’s CMMC program office has broken its silence with the long-awaited publication of its new Proposed CMMC Rule in the Federal Register on December 26th.
Commenting Period for the New Proposed CMMC Rule
The CMMC comment period is open for 60 days. It started on December 26th, when the rules were first shared on the Federal Register, and it will end on February 26, 2024.
After this date, the Department of Defense (DoD) will review and consider all of the comments, which might take about a year to a year and a half. We expect the final rules to be ready by the end of 2024 or early in 2025.
Once CMMC becomes part of the DFARS rules, companies might need to obtain a CMMC certificate before they can win a contract. The new rule will be phased in over three years.
Want to share your thoughts on the CMMC rules? You can! It’s important to give your comments because the DoD has to read and think about what you say as this rule will impact your company. You can send your comments through the Federal eRulemaking Portal until February 26, 2024.
Understanding When CMMC Rules Do Not Apply to Your Business
It’s important for companies to know that not all of them will need to comply with the CMMC Levels 1, 2, or 3. In fact, your business might not be affected by this rule at all. This rule specifically applies to organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in their operations. If your company’s work involves storing, processing, or transmitting these types of information, then the CMMC requirements are relevant to you.
However, there are exceptions. If your business is primarily involved in selling Commercial Off-The-Shelf (COTS) products, you might not be subject to these regulations. Similarly, there might be cases where the agency you work with has decided not to include these CMMC requirements in your contract. It’s also important to note that during the initial phases of CMMC implementation, certain procurements may not require compliance with these rules, depending on the phase-in period. Additionally, the Department of Defense has the discretion to waive the application of CMMC requirements for specific procurements or classes of procurements, following their established policies and procedures.
For instance, a Department of Defense Service Acquisition Executive or a Component Acquisition Executive has the authority to decide not to include CMMC requirements in a solicitation or contract. This means that for some contracts, even if you process, store, or transmit FCI or CUI, the CMMC rules might not apply. Understanding these exceptions is critical for your business to determine whether the CMMC rules are applicable to your operations.
Updated Cost of the CMMC Program
If you’re a small business in the defense industry, understanding the Cybersecurity Maturity Model Certification (CMMC) levels and their associated costs is important. Let’s break it down in simple terms.
How many levels of CMMC are there?
CMMC has three levels, and it’s expected that most businesses will aim for Level 2. Think of Level 1 as the starting point – it’s the easiest and most cost-effective level to achieve. However, Level 2 is where most businesses should focus, as it’s more comprehensive in terms of cybersecurity requirements.
Why Focus on Level 2?
The government conducted an analysis, known as the Regulatory Flexibility Analysis, to estimate the costs for businesses and for the government itself. Initially, these costs were predicted to be lower, but recent updates have provided new figures. It’s important to remember that these costs cover only the assessment process and don’t include what you might spend to actually implement the required cybersecurity measures.
Estimated Costs for Level 2 Compliance
So, what can you expect to pay for Level 2 CMMC compliance? Here’s a breakdown:
Level 2 Self-Assessment (Every Three Years):
- Planning and Preparation: $14,426
- Conducting the Assessment: $15,542
- Reporting Results: $2,851
- Affirmations: $4,377 (spread over three years)
- Total Over 3 Years: $37,196
Level 2 Certification Assessment (Every Three Years):
- Planning and Preparation: $20,699
- Conducting the Assessment: $76,743
- Reporting Results: $2,851
- Affirmations: $4,377 (spread over three years)
- Total Over 3 Years: $104,670
What About Levels 1 and 3?
For completeness, here’s a quick look at the other levels:
- Level 1 (Annual): Total cost of about $5,977 per year.
- Level 3 (Every Three Years): Total cost of about $12,802 over three years.
Remember, these costs are estimates for a single assessment per system and vary based on the assessment’s frequency – annually for Level 1 and every three years for Levels 2 and 3.
For small businesses, especially those new to CMMC certification costs, focusing on the costs associated with Level 2 is a good starting point. Keep in mind that these figures are just for assessments and don’t include the additional costs of implementing the necessary cybersecurity measures. Being prepared financially for these assessments is a vital part of your business’s journey towards CMMC compliance.
Decoding CMMC Scoping
Scoping will be the most important aspect of the entire program when aiming for CMMC certification. A well-planned scope can shrink the assessment boundary and streamline the certification process, while a poorly defined one can lead to complications. It’s important to define your scope well before the actual assessment and audit begin.
What Does Scoping Involve at Different CMMC Levels?
- CMMC Level 1: At this level, the focus is on every part of your business that handles Federal Contract Information (FCI) – this is what’s in scope. Everything else is not included. During the assessment, these specific areas are evaluated against the CMMC’s security requirements.
- CMMC Level 2: This level goes beyond managing FCI; the main data type it covers is CUI. It includes everything from all assets to security mechanisms like firewalls and Active Directory. Corporate processes and services you outsource, such as cloud and IT services, are also part of the scope. However, operational technology or IoT items, like machines and manufacturing equipment, are not directly included in the assessment, but they must be documented in your security program. We’ll explore this in more detail later.
- CMMC Level 3: To reach Level 3, businesses must first perfectly meet Level 2 requirements. Level 3 expands the scope to include additional assets such as Operational Technology and IoT. Currently, it’s recommended for most organizations to concentrate on getting Level 2 scoping right first.
Effective scoping is about understanding which parts of your business will be examined during your assessment. It’s the foundation of your journey towards CMMC certification.
Intermediary Devices in CMMC and Operational Technology
When it comes to securing your business in compliance with the Cybersecurity Maturity Model Certification (CMMC), understanding how Operational Technology (OT) fits into the picture is key. OT and Internet of Things (IoT) devices are considered “Specialized Assets” in the CMMC framework. This means they are unique because they can process, store, or transmit Controlled Unclassified Information (CUI) but may not be fully securable using standard IT cybersecurity measures.
The Challenge with Securing OT and IoT
Securing these types of technology can be tricky. Many OT and IoT devices, especially older models, may not support the latest security measures. They might use unique communication protocols or lack traditional operating systems, making conventional cybersecurity methods ineffective. Recognizing this challenge, the Department of Defense allows the use of intermediary devices. These devices act as a bridge, connecting your IT network and OT, and provide necessary security functions.
CMMC Level 3 and Specialized Assets
In the CMMC framework, particularly at Level 3, all assets within the scope of an assessment, including OT and IoT, are evaluated against all CMMC security requirements. However, there’s an exception: if these assets are physically or logically isolated, they might not need to meet all requirements. For those that aren’t isolated, intermediary devices can be employed. These devices might be specially designed firewalls or other security tools that handle more than just typical network traffic. They can inspect various types of protocols and ensure that OT devices, which often have limited computing and networking resources, continue to operate smoothly without disruptions caused by security scans or similar security measures.
What are intermediary devices?
Understanding the role of intermediary devices is important when attempting to secure Operational Technology (OT). Intermediary devices serve as a bridge in the realm of cybersecurity. They are essentially the connectors between your IT network and your Operational Technology. These devices are not just about connectivity; they play a role in ensuring security. In the context of CMMC, they are even more significant for businesses aiming to comply with stringent cybersecurity standards.
Under CMMC, OT and IoT devices are categorized as “Specialized Assets.” These assets, while essential, often cannot be secured using traditional IT security measures due to their unique characteristics. This is where intermediary devices step in. They provide the necessary security functions to protect these assets, ensuring compliance with CMMC requirements.
The Functionality of Intermediary Devices
Intermediary devices go beyond the capabilities of standard network devices. They are often custom-designed to cater to specific needs. A common type of intermediary device is a specialized firewall. Unlike standard firewalls, these are tailored to monitor and secure traffic based on unique OT protocols, rather than just regular network traffic. Many OT systems have limited computing and networking resources, and traditional security activities like scanning can cause disruptions or even shut down operational technology. Intermediary devices handle security in a way that doesn’t interfere with the operation of these sensitive technologies.
CMMC Scoring Leveraged for Audit
Scoring is simple but can get complicated really fast. We put together a straightforward breakdown of how this is being proposed to work.
The CMMC Scoring Methodology is designed to evaluate how well an Organization Seeking Certification (OSC) has implemented specific security requirements based on NIST SP 800-171 Rev 2 and NIST SP 800-172. It aims to provide a clear measurement of an OSC’s cybersecurity practices, crediting partial implementation in only a few cases.
How Assessments Are Scored
During a CMMC assessment, each security requirement will fall into one of three categories:
- MET: This means all objectives for the security requirement are fulfilled with solid evidence.
- NOT MET: This is when one or more objectives are not satisfied.
- NOT APPLICABLE (N/A): This applies to security requirements that are irrelevant in the current context of the CMMC assessment.
Scoring based on CMMC Levels
- Level 1: All requirements must be fully implemented to be considered MET. There’s no partial credit or POA&M (Plan of Action & Milestones), and results are scored as entirely MET or NOT MET.
- Level 2: The maximum score equals the total number of security requirements. Points are deducted for each NOT MET requirement, with varying point values assigned to different requirements based on their impact on network security.
- Level 3: Unlike Level 2, all Level 3 security requirements are valued equally at one point each. The maximum score is reduced by one point for each NOT MET requirement.
Requirements, like multi-factor authentication, may receive adjusted scores based on their level of implementation or maturity. For example, partially effective implementations may result in fewer points deducted than completely unimplemented ones.
Challenge of FIPS-Validated Encryption
For small businesses working towards CMMC, understanding and implementing encryption standards can be a significant hurdle. Particularly, the requirement to employ FIPS-validated encryption poses unique challenges.
Encryption is often dependent on vendors, and there is a noticeable delay in getting technology validated by the Cryptographic Module Validation Program (CMVP) managed by NIST. Because validation takes the government time, demand for validated encryption technologies is high while the supply on the market is limited.
From a small business perspective, meeting the requirement for FIPS-validated encryption is arguably one of the most daunting tasks. The distinction between validated and certified cryptography is important to understand, and the market lacks enough FIPS-validated encryption solutions to choose from. This gap can place small businesses in a difficult position when trying to comply with CMMC standards.
However, there’s a silver lining. CMMC allows the inclusion of encryption of Controlled Unclassified Information (CUI) within the Plan of Action & Milestones (POA&M). This means that small businesses can develop a plan to gradually meet this requirement over time. While this doesn’t eliminate the challenge, it provides a pathway for small businesses to work towards compliance in a manageable way, even amidst the constraints of available encryption technology.
Plans of Actions and Milestones Changes
CMMC’s proposed rule finally acknowledges the role of Plans of Action and Milestones (POA&Ms) in risk management. However, it’s important for small businesses to understand that POA&Ms are not a blanket solution for all security requirements. The new rule permits POA&Ms only for specific requirements, emphasizing that they should not be used as a shortcut to compliance.
Key Aspects of POA&Ms in CMMC
- Time-Bound Nature: Each POA&M must be addressed within 180 days of the initial assessment.
- Role of C3PAO: Certified Third-Party Assessment Organizations (C3PAOs) play a role in validating that the actions outlined in a POA&M have been completed.
- Specific Allowances: Only some of the CMMC requirements are eligible for POA&Ms based on requirement value and scores against the requirement. Not all security requirements can be deferred to a POA&M and some must be fully met at the time of assessment.
- Scoring Considerations: For CMMC Level 2, a POA&M is permissible only if the assessment score is sufficiently high, and none of the high-value security requirements are included in the POA&M. For Level 3, the assessment score must also meet a specific threshold, and certain critical security requirements cannot be included in the POA&M.
- POA&M Closeout Assessment: This is an important step of the overall process. For Level 2, it can be performed by the OSC or a C3PAO, depending on the type of assessment. For Level 3, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) will perform the closeout assessment.
For small businesses, the use of POA&Ms in CMMC compliance is a balancing act. While they offer a pathway to address certain unmet requirements, reliance on them should be measured and within the outlined constraints. A basic POA&M template can be found on the NIST website or FedRAMP website.
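To make the scoring categories and the Level 2 POA&M conditions described above concrete, here is an added Python calculator; it is not code from the proposed rule or from Ignyte. The 1/3/5 requirement weights, the two partial-credit requirements and the 80 percent threshold are assumptions drawn from the DoD NIST SP 800-171 Assessment Methodology and my reading of the rule, and the sample findings are constructed.

```python
from dataclasses import dataclass
from enum import Enum

# NIST SP 800-171 Rev 2 has 110 requirements; per the post, the Level 2 maximum
# score equals the number of requirements.
NIST_171_REQUIREMENT_COUNT = 110

class Status(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "N/A"
    PARTIAL = "PARTIAL"  # reduced deduction; only valid for PARTIAL_CREDIT_IDS

# Assumed, following the DoD Assessment Methodology: only MFA and CUI encryption
# earn partial credit, deducting 3 points instead of their full 5.
PARTIAL_CREDIT_IDS = {"IA.L2-3.5.3", "SC.L2-3.13.11"}
PARTIAL_DEDUCTION = 3
# Assumed reading of the rule's Level 2 POA&M conditions (verify against the rule
# text): score at least 80% of maximum, and nothing worth more than one point on
# the POA&M except CUI encryption at its reduced 3-point deduction. The rule also
# names a few one-point requirements that can never be deferred; not modelled here.
POAM_MIN_RATIO = 0.8
POAM_HIGH_VALUE_EXCEPTION = "SC.L2-3.13.11"

@dataclass(frozen=True)
class Finding:
    rid: str       # CMMC practice identifier
    weight: int    # 1, 3 or 5 points (constructed values in the sample below)
    status: Status

def deduction(f: Finding) -> int:
    """Points lost for one finding; MET and N/A cost nothing."""
    if f.status in (Status.MET, Status.NA):
        return 0
    if f.status is Status.PARTIAL:
        if f.rid not in PARTIAL_CREDIT_IDS:
            raise ValueError(f"{f.rid} is not eligible for partial credit")
        return min(PARTIAL_DEDUCTION, f.weight)
    return f.weight

def score_level2(findings, total=NIST_171_REQUIREMENT_COUNT):
    """Level 2 score: maximum minus weighted deductions. Requirements absent from
    `findings` are taken as MET, so only the exceptions need to be listed."""
    return total - sum(deduction(f) for f in findings), total

def on_poam(f: Finding) -> bool:
    return f.status in (Status.NOT_MET, Status.PARTIAL)

def poam_eligible_level2(findings, total=NIST_171_REQUIREMENT_COUNT):
    """Return (eligible, reasons); an empty reasons list means a POA&M is allowed."""
    score, maximum = score_level2(findings, total)
    reasons = []
    if score / maximum < POAM_MIN_RATIO:
        reasons.append(f"score {score}/{maximum} is below {POAM_MIN_RATIO:.0%}")
    for f in findings:
        if on_poam(f) and f.weight > 1:
            if f.rid == POAM_HIGH_VALUE_EXCEPTION and f.status is Status.PARTIAL:
                continue  # the one high-value item the rule lets you defer
            reasons.append(f"{f.rid} ({f.weight} pts) may not be deferred to a POA&M")
    return not reasons, reasons

# Constructed sample findings (weights chosen for illustration, not taken from the rule).
SAMPLE_OK = [
    Finding("AC.L2-3.1.8", 1, Status.NOT_MET),    # unsuccessful logon attempts
    Finding("AU.L2-3.3.3", 1, Status.NOT_MET),    # review of logged events
    Finding("SC.L2-3.13.11", 5, Status.PARTIAL),  # encryption used, not FIPS-validated
]
SAMPLE_BLOCKED = SAMPLE_OK + [Finding("IA.L2-3.5.3", 5, Status.NOT_MET)]  # no MFA

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("blocked", SAMPLE_BLOCKED)):
        score, maximum = score_level2(sample)
        eligible, why = poam_eligible_level2(sample)
        print(f"{name}: score {score}/{maximum}, POA&M allowed={eligible}", why)
```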
FedRAMP Equivalency and CMMC
The proposed rule complicates the relationship between the Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC). While CMMC doesn’t fully or blindly accept FedRAMP certifications, there’s a notable intersection where these two compliance frameworks overlap.
The CMMC Program Management Office (PMO) acknowledges the challenges posed by FedRAMP’s requirement for government sponsorship, which can be a hurdle for many cloud service providers (CSPs).
To address this, the DoD is facilitating an alternative path known as the FedRAMP Equivalency Program. This program is particularly relevant for CSPs that handle systems hosting sensitive information like emails or HR data, potentially containing Controlled Unclassified Information (CUI).
Here’s what the FedRAMP Equivalency entails for CSPs:
- Achieving controls equivalent to the FedRAMP Moderate baseline standard.
- Producing a comprehensive “Body of Evidence (BOE)” to demonstrate compliance.
- Developing a detailed System Security Plan (SSP) and other necessary security documentation.
- Creating a Customer Responsibility Matrix (CRM) summarizing each NIST 800-53 control as per the FedRAMP Moderate Category.
- Establishing and maintaining policies, procedures, and other evidence that attest to compliance.
Interestingly, having a FedRAMP Approved Third-Party Assessment Organization (3PAO) prepare your BOE can significantly bolster its credibility. This step is for CSPs aiming for serious consideration in the CMMC landscape.
MSPs and IT Service Providers
The Department of Defense (DoD) recognizes the significant role played by Managed Service Providers (MSPs) and External Service Providers (ESPs) in supporting small businesses. MSPs, functioning as ESPs, are essential in managing IT and cybersecurity services for these businesses. Highlighting the importance of MSPs/ESPs, the DoD’s CMMC Proposed Rule specifically mentions incidents like the Kaseya and SolarWinds attacks. These incidents underline the risks associated with popular platforms used by MSPs for remote access to client environments.
Consequently, the CMMC mandates that ESPs, including platforms critical to MSP operations like Kaseya, must achieve a CMMC level equal to or greater than the certification level sought by the Organization Seeking Certification (OSC).
For example, if an OSC is aiming for a CMMC Level 2 Certification Assessment, their ESP must have at least a CMMC Level 2 or higher Certification Assessment. This requirement ensures that every link in the cybersecurity chain, including external partners, upholds the same rigorous standards.
The definition of an ESP within the CMMC Program is quite specific. It includes external individuals, technology, or facilities used for providing comprehensive IT and cybersecurity services. To qualify as an ESP, the entity must process, store, or transmit Controlled Unclassified Information (CUI) or Security Protection Data, such as log or configuration data, on their assets.
ESP Controlled Assets
An External Service Provider (ESP) asset refers to any resource or component that is part of the infrastructure, systems, or services provided by an ESP and is used in the delivery of their services to an organization. In the context of the CMMC proposed rule, this definition takes on a specific significance.
ESP assets can include a variety of elements such as:
- Technology Components: This includes servers, networking equipment, storage devices, and any other hardware used by the ESP to provide services.
- Software Systems: Any software tools, platforms, or applications used by the ESP in the provision of their services, such as remote monitoring and management systems, cybersecurity tools, or other specialized software.
- Facilities: Physical locations or data centers where the ESP’s technology infrastructure is located and from which services are delivered.
- Data: Any information processed, stored, or transmitted by the ESP on behalf of the organization, particularly relevant in cases where Controlled Unclassified Information (CUI) or other sensitive data is involved.
As we reach the conclusion of this long post on the proposed CMMC rule, it’s clear that this update marks a significant milestone in the cybersecurity landscape. The rule effectively encapsulates the myriad of topics the industry has been buzzing about over the past few years, including the formalization of CMMC Level 3 and the management approach to industrial equipment.
What stands out in this update is the sense of stability it brings. The move to CMMC 2.0 appears to be a long-term strategy, suggesting that we might not see a shift to a CMMC 3.0 version for quite some time. This consistency is vital for businesses planning their cybersecurity strategies and compliance efforts.
Interestingly, the Department of Defense (DoD) has redefined the Accreditation Body’s (AB) role, shifting its focus solely to working with Certified Third-Party Assessment Organizations (C3PAOs) and training. This change reflects a broader trend in government operations: a preference for familiar procedures over big revolutionary changes. In this setup, NIST continues to be the standard-bearer, the AB concentrates on C3PAOs and training, and the DoD holds the reins on rule-setting.
A notable deviation from the norm is the empowerment of C3PAOs to issue certifications. This move could be a game-changer in how certifications are managed and awarded, adding a new dynamic to the compliance process.
As always, your insights and opinions are invaluable. Feel free to share your thoughts and comments on these developments about the new proposed CMMC rule. Until next time, over and out.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.