Part Two of our exposé on the Current State of CMMC webinar. Part One, sponsored by AFCEA, was paneled by Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition & Sustainment, and Col. Karlton Johnson, USAF (Ret.), chair, CMMC Accreditation Body (CMMC-AB) board of directors.

CMMC Updates - Part 2

Read First: Current State of CMMC, Part One

The webinar focused on DoD contractors who haven't started or are just starting CMMC preparations and offered an update on CMMC implementation and its impact on small businesses, as well as the CMMC-AB's role in creating the CMMC certification program going forward. 

FedRAMP, Microsoft and CMMC

The Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment and authorization for cloud products and services used by federal agencies, so that federal data in the cloud is protected consistently across software as a service (SaaS), infrastructure as a service (IaaS) and hardware as a service (HaaS) scenarios.

DoD contractors who choose commercial cloud services are required to use only cloud services that have gone through the FedRAMP process. What about Microsoft products? There are still open questions about which Microsoft products are acceptable for certification.

Microsoft Office 365 is offered in four cloud environments. The commercial Office 365 is the standard product, but government users require environments with higher data-security requirements: Office 365 GCC (Government Community Cloud), Azure Government and GCC High.

Even when a contractor uses Microsoft resources from the government cloud, GCC High or another FedRAMP-certified cloud, Mr. Johnson explains, there is still risk if outstanding Plans of Action and Milestones (POAMs) have not been closed. In that case, CMMC Level 3 certification could be delayed, depending on what the POAM represents.

"There are POAMs that are normal and there are some that are not," Ms. Arrington explained. "For example, if you have a POAM like adding your multi-factor authentication CMMC and you set the POAM for 30 days, then we come back six months later and you haven't implemented it, that's a problem because you've gone to risk."

On Reciprocity

One of the key discussion points has been reducing costs for DoD contractors by developing some level of reciprocity with other programs: what constitutes reciprocity, what doesn't, and where it's best applied. More information will come from DoD in the coming months about reciprocity between CMMC requirements and other cybersecurity audit programs critical to contractors seeking CMMC certification.

For the DoD, reducing overall costs for contractors working toward CMMC certification is a priority, and reciprocity is one way to do it. Ms. Arrington and Mr. Johnson have indicated that CMMC reciprocity may be available for government certification programs such as the Federal Risk and Authorization Management Program (FedRAMP), and that there is an intent to work with the GSA and DoD to align the requirements, methodologies, and levels of the CMMC and FedRAMP programs.

The DoD has completed its reciprocity assessment for the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Currently, there is a guidance memo pending signature that is expected to solidify the extent to which contractors assessed by the DIBCAC will be granted reciprocity with respect to their CMMC certification.

What is DIBCAC?

The DIBCAC was established in 2017 for provisional audits and spot-assessments of contractors who've suffered a cybersecurity incident. In February 2019, the Under Secretary of Defense for Acquisition signed "the block change memo," declaring that cybersecurity was now an auditable element of DoD contractor business systems. Up to that point, there were no cyber entities auditing defense contractors.

The National Institute of Standards and Technology (NIST) is responsible for the Cybersecurity Framework that contractors follow to identify, detect, and respond to cyber-attacks. While the NIST standard and controls have existed for some time, NIST does not certify compliance with its own standards; it merely creates them.

The Defense Contract Management Agency (DCMA), along with the CIO, came together to form the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in order to draft an assessment methodology for looking at a contractor's posture and how it was implementing the 110 controls of NIST SP 800-171. Currently, DIBCAC teams assess defense contractors and help determine what the cost model will be for the CMMC.

Conflicts of Interest

The CMMC-AB has started to establish governance procedures that identify the steps needed to prevent conflicts of interest and that define the standards the government is developing for CMMC.

If an organization has multiple subdivisions and one of those subdivisions is an assessor, there is a conflict of interest. Bottom line: if you're an assessor, you can't assess your own organization. Mr. Johnson confirms that the AB is looking at different types of conflict of interest examples so defense contractors "have better guidance to understand what's an anomaly and what's not." 

Keeping it Equal with Set-Asides

What about small business set-aside contracts? Arrington explains, "we want to make sure that it's equal and that you have an opportunity to grow." Whereas CMMC Level One represents the basic requirement that all government contractors will need to establish, when you move into CMMC Level Two and beyond, the cost to become cybersecure goes up and the competition becomes more fierce. This is especially true for defense contractors without cybersecurity personnel on staff.

According to Arrington, by the time contractors come to Level Two certification, they have to ask themselves whether they want to manage the path to CMMC internally or outsource it. As part of the DFARS rule, Arrington said "we want you to build that into your rates now to make you as competent as possible to compete in a fair system." The 7012 clause lacked fairness because contractors who self-attested to all 110 controls, with no validation, may not actually have been implementing them, which let them offer lower rates than a company that was doing all 110.

"We're making sure that the prime has to maintain those percentages of small business and set-asides within them. And we're carving out work so that as we look at it, we want to elevate and we want to bring the smalls up in the maturity level and work with the primes on that every day," Arrington said. "For example, a company with four ISO certifications that spent a lot of money were seen as less competitive because price points and our overhead margins were higher, because they were doing the right thing."

Can You Lose CMMC Level 3 Certification?

As a defense contractor, you can lose a CMMC Level Three certification, according to Ms. Arrington, "if you had a serious cyber incident that in cyber forensics found out that you knowingly, willingly, and were fully negligent in maintaining a control that you had been audited on, you're going to have a problem."

On the other hand, there's no concern when an attack like SolarWinds occurs, where many are affected through no fault of their own. Arrington warns, "But if there's a cyber incident at your company, and it happened because you weren't deploying your multi-factor authentication, then you are at risk and we [DIBCAC] would issue a corrective action report (CAR) immediately." While the DIBCAC would issue the CAR, the CMMC-AB has ultimate authority over a contractor's certification.

Ms. Arrington makes it clear that "if you have repeated offenses resulting from inadequate security controls, you would go to debarment and not be able to service existing contracts." 

Mr. Johnson explains it this way, "If an organization has been negligent in how they've managed their cybersecurity and an incident happens and after an investigation you are found to have been negligent in that regard, that's when the conversation starts of whether or not the certification will need to be pulled."

Mr. Johnson wants you to ask yourself, "Have you done everything that you possibly can [to be cybersecure]? Have you done the criteria? Have you been truthful about the criteria?" If the answer is yes, you are good. Unfortunately, some organizations in the past were not truthful about whether or not they did the controls. 

What's up with C3PAOs?

The CMMC-AB is building the marketplace for Organizations Seeking Certification (OSCs). If, as an organization seeking certification, you're looking to hire a C3PAO (CMMC Third Party Assessment Organization), you'll be able to choose from the C3PAOs listed in the marketplace.

Mr. Johnson announced that the RPs and RPOs, which will be permanent within the ecosystem, can provide some initial guidance, but they're not certified in CMMC. "If you're a small business, you can go to a big firm and have them come in to look at you, or you can go to an RP through an RPO and have them give you an initial look-through."

Companies wishing to become C3PAOs will need to be CMMC Level 3 certified, with no exceptions. The C3PAO selection process is stringent and includes meeting certain criteria that they'll be measured against. "Anybody that you see on the AB's website has all gone through the same criteria to get there," Johnson said. "It's clearly posted on the website right now what you need to do to become a C3PAO."

Ms. Arrington finished the webinar by reiterating that CMMC is going forward, and that just because the administration has changed, "We are not. This is going forward. Don't be afraid, like I've said before, we don't want to lose you. We're doing this so that you are there in the long term, you are important to national security. You're part of our team. We're just trying to make sure you've got the best tools to defend yourself against adversarial actions."
