A press briefing was provided the morning of January 31st 2020 by DoD officials and members of OUSD: Kevin Fahey (ASD(A)), Katie Arrington, and Ellen Lord (USD(A&S)). Later in the afternoon CMMC 1.0 was released with slides from the morning's presentation and a separate set of appendices. Below is the briefing.
Notable Statements from the Briefing
Katie Arrington stated that they plan on 10 RFIs and 10 RFPs with approx. 150 total subcontractors per contract this fall with CMMC requirements to start the CMMC roll out.
Ellen Lord - "600B or about 1% of GDP is lost to cyber theft."
Ellen Lord - "Since the first draft publication in September 2019, our office has received over 2,000 comments"
Ellen Lord - "CMMC is a critical element of DoD's overall cybersecurity implementation. One of my biggest concerns is implementing CMMC for small and medium businesses... 6 to 8 levels down in the supply chain"
Ellen Lord - "We are looking at late Spring/early Summer timeframe to complete a new Defense Federal Acquisition Regulation."
Ellen Lord - "CMMC standards will be required at time of contract award"
Katie Arrington - Alluded to Level 2 being for smaller businesses.
Katie Arrington - "All new DoD contracts will contain the CMMC requirements starting in 2026"
Katie Arrington - "We trained over 5,200 small businesses on cybersecurity in preparation for CMMC"
Changes from Draft 0.7
For starters, there remain 17 Domains and 43 Capabilities from the last public draft. There were, however, two Practices removed from draft to final, bringing total Practices to 171 from 173. One Practice each from Level 3 and Level 5 was removed. Processes were reduced/consolidated from 9 to 5.
Below are some high-level removals/deletions. There are also some word or phrasing changes, but those will be addressed later.
- Level 2 - Deleted "Establish a plan that includes (Domain Name)"
- Level 3 - They did a bit of a rewrite, but they essentially deleted "Review (Domain Name) activities for adherence to policy and practices."
- Level 4 - Deleted "Review the status and results of (Domain Name) activities with higher level management and resolve issues"
- Level 5 - Deleted "Share identified improvements to (Domain Name) activities across the organization"
- Level 3 - In the Asset Management (AM) Domain and 'Identify and document assets' Capability - the Practice "Identify, categorize, and label all CUI" was deleted.
- Level 5 - In the Incident Response (IR) Domain and 'Develop and implement a response to a declared incident' Capability - the Practice "Establish and maintain a security operation center that facilitates a 24/7 response capability" was deleted.
CMMC 1.0 Model
There are myriad activities, but the most impactful in 2020 are shown in the following graphic.
SSP and POA&M
- Companies must fully meet all Level 3 requirements at the time of the Audit.
- POA&Ms will not be honored for 3rd Party Audits as they are now under DFARS 7012. However, a proper POA&M should still be in place to capture new vulnerabilities and threat vectors as they are discovered. This is just good security sense.
- A POA&M may also be used for tracking goals and objectives for meeting a higher level (i.e. I have a CMMC Level 2 certification and have measurable steps to take for Level 3 in the next year).
CMMC Audit Plan and Accreditation Body
The CMMC Accreditation Body (CMMC AB) will oversee the training, quality, and administration of the third party assessment organizations. The CMMC AB will consist of 13 individuals from industry, the cybersecurity community, and academia. Strict conflict of interest clauses will be integrated throughout a future memorandum or MOU that will dictate the activities and influence these 13 individuals have over certifications and audits.
CMMC Third Party Assessment Organizations, C3PAOs, will be the organizations deemed fit for auditing after training and assessment by the CMMC AB. There was also the introduction of Pathfinders - a group of test contracts and their respective DIB suppliers to which the CMMC OUSD team will assign various levels. This will better define which contracts will need which level and what future RFPs will require.
Our good friends at the Defense Acquisition University (DAU) will be performing training for contractors and acquisition professionals starting in July 2020. It was also mentioned that state and locally run Procurement Technical Assistance Centers (PTACs) will provide training events and seminars to assist small businesses in their preparations.
CMMC Marketplace Portal
Supposedly there will eventually be a marketplace for companies to schedule their audit with the various certified C3PAOs. It is to be determined how much data entry will be required, what information about each C3PAO will be provided, whether payments will be processed through this marketplace, etc.
Previously it was rumored that prime contractors and subcontractors would have similar level requirements. Katie Arrington addressed this head on in the briefing and said that this will not always be the case. Level flowdown will follow the CUI. Arrington stated that if a contractor is believed to never receive or touch CUI, then they would likely be required to meet Level 1. Conversely, if there is a greater chance a supplier will touch CUI, then they will likely be required to meet Level 3.
What to Do Next
Ellen Lord made it very clear that there will be no trade-offs or fines associated with non-compliance. In order to win a contract or successfully rebid on a contract, you will need to pass the audit. It is critical to start with these basic steps.
- Create a System Security Plan (SSP). A properly written SSP and set of policies will be the baseline for all levels.
- Configure your information systems to NIST 800-171, or migrate to systems that already meet it.
For more information and to stay up to date on the latest requirements, hear from Katie Arrington and team at the Cloud Security and Compliance Series (CS2) that will be in Indianapolis on Feb 11 and San Diego April 14. You can register for CS2 San Diego by clicking the image below.