In another show of momentum toward implementation of the Department of Defense's CMMC framework, the Cyber Accreditation Body (Cyber AB) recently released its draft CMMC Assessment Process (CAP). Release of the CAP means that voluntary assessments can begin; according to Matthew Travis, CEO of the Cyber AB, several assessments are already scheduled to start this month.
Organizations queuing up to be assessed now understand the competitive advantage of positioning themselves to achieve CMMC Level 2 certification early. By doing so they can demonstrate to prime contractors that they will already be in compliance when CMMC is implemented through an Interim Rule expected in March 2023. Release of the CAP keeps CMMC's implementation schedule on pace.
What is the CAP?
The CAP, which has yet to be formally endorsed by DoD, provides guidance for third-party assessments of organizations seeking CMMC Level 2 certification. Note that any organization that handles Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2, and DoD has said that for most contracts involving CUI, Level 2 compliance must be verified by an independent third-party assessment rather than a self-assessment.
The CAP's purpose is to ensure the highest possible accuracy and quality of third-party assessments and, importantly, to maximize consistency across assessments, whether they are done for a small bolt shop in California, a large Navy shipbuilder in Maine, or anywhere in between.
All CMMC Level 2 third-party assessments will be conducted by Certified Third-Party Assessment Organizations (C3PAOs), which are accredited by the Cyber AB only after the C3PAO itself passes a DIBCAC assessment and staffs assessors who have completed CMMC training and certification exams. For the voluntary assessments that can begin now, auditors from the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will partner with and oversee the C3PAOs' work. DIBCAC, the DoD's ultimate authority on compliance, is lending its weight to the assessments under the Joint Surveillance Voluntary Assessment Program, which the DoD created for this purpose.
At this point, prior to CMMC rulemaking, the voluntary assessments will be based on NIST SP 800-171 and conducted in conformance with the NIST SP 800-171 DoD Assessment Methodology at the High confidence level (a "DIBCAC High" assessment). According to Matthew Travis of the Cyber AB, the draft CMMC Interim Rule provides for converting these Joint Surveillance Voluntary Assessments into CMMC Level 2 certifications when CMMC 2.0 goes into effect.
What does this mean for defense contractors?
Release of the CAP is a significant step toward making the CMMC program a reality. Federal rulemaking to implement the CMMC framework is expected in March 2023, with CMMC requirements appearing in DoD contracts 60 days later.
The security requirements for CMMC Level 2 certification align with the 110 security requirements of NIST SP 800-171. Notably, defense contractors that handle CUI are already required by DFARS 252.204-7012 to comply with NIST SP 800-171.
This means that defense contractors need to take action now to:
- Raise your organization's cybersecurity posture and comply with all 110 requirements of NIST SP 800-171.
- Get your SSP (System Security Plan), POA&M (Plan of Action and Milestones), and other required documentation in order. The SSP serves as the basis of the self-assessment that follows.
- Conduct your NIST SP 800-171 self-assessment and submit your score to the DoD's Supplier Performance Risk System (SPRS). Defense contractors have been required to conduct NIST SP 800-171 self-assessments and submit SPRS scores since release of the DoD's November 2020 DFARS Interim Rule, which added DFARS 252.204-7019 and 252.204-7020. The Interim Rule is on track to become a Final Rule in December 2022, yet another sign of the DoD ramping up its efforts to secure the Defense Industrial Base (DIB).
Additional guidance from the CAP regarding compliance with DFARS 252.204-7012 (c)-(g) and FedRAMP standards
The CAP's guidelines make it clear that assessors will examine evidence of compliance not only with the NIST SP 800-171 requirements outlined above, but also with additional requirements including:
- Compliance with DFARS 252.204-7012 paragraphs (c) through (g), which govern cyber incident reporting and response. Briefly, the requirements are:
c) rapidly report cyber incidents to DoD (within 72 hours of discovery) through the DoD Cyber Crime Center (DC3), after reviewing your network for evidence of compromise
d) submit any malicious software discovered and isolated in connection with a reported incident to DC3
e) preserve and protect images of all known affected systems and all relevant monitoring/packet capture data for at least 90 days from submission of the incident report
f) provide DoD access to additional information or equipment needed for forensic analysis, if requested
g) provide cyber incident damage assessment information to DoD, if DoD elects to conduct a damage assessment
Note that if an organization uses an external cloud service provider (CSP) to store, process, or transmit CUI, DFARS 252.204-7012 requires the contractor to ensure the CSP also complies with paragraphs (c) through (g). Organizations should confirm this and ask their CSP for documentation showing how it meets these requirements.
- Meeting the FedRAMP Moderate baseline, or demonstrating equivalency to it, or higher, if a cloud service provider (CSP) is used for storing, processing, or sharing CUI. FedRAMP stands for the Federal Risk and Authorization Management Program, and the Moderate baseline is the set of security controls a cloud service must implement to receive a FedRAMP authorization at the Moderate impact level. The CAP states, "Ultimately, the OSC [Organization Seeking Certification] is solely responsible for their relationship with any External Cloud Service Providers and how those cloud services…are meeting the requirements for CMMC certification."
This means that contractors need to confirm that their CSP either holds a FedRAMP Moderate authorization or can demonstrate equivalency. The CAP specifies two criteria for demonstrating equivalency:
- The OSC or the External Cloud Service Provider has provided a body of evidence documenting how the External Cloud Service Provider's security controls are equivalent to those provided by the FedRAMP Moderate baseline standard
- Said body of evidence has been attested to by an independent, credible, professional source
It is important not to simply accept a CSP's self-attestation of equivalency; instead, ask for documented evidence that it meets the two CAP criteria above.
Risks of non-compliance
Momentum is building toward implementation of CMMC 2.0. Prime contractors, who have the most to lose, fully understand the business risk of being unable to demonstrate compliance with DoD requirements. To protect their businesses, they have already begun to expect their subcontractors to make progress toward the requirements. Indeed, the November 2020 DFARS Interim Rule (DFARS 252.204-7020) makes primes responsible for their supply chains: they must flow the assessment requirement down and may not award a subcontract involving CUI to a subcontractor that lacks a current NIST SP 800-171 assessment in SPRS.
If you are a small- to mid-size company aiming to continue doing business in the DIB, you want to avoid being seen as a weak link in the supply chain. The best move you can make to safeguard the long-term viability of your business is to start positioning yourself now to meet CMMC Level 2 requirements. Release of the CAP is another clear sign that CMMC 2.0 is becoming reality.
About PreVeil
PreVeil is an end-to-end encrypted file sharing and email platform for storing and sharing CUI. Organizations can add PreVeil to their existing IT environments (including Microsoft 365 Commercial) without replacing them, reducing the time and expense required to achieve compliance.
- Find out more about PreVeil and how it complies with DoD cybersecurity mandates in this one-page overview.
- Schedule a free 15-minute consultation with one of our compliance experts to answer your questions about DFARS, NIST and CMMC requirements.
Read PreVeil’s briefs:
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- Meeting the System Security Plan Challenge
- The DFARS Interim Rule: What you need to know
- DoD to ramp up assessments of NIST SP 800-171 compliance: Final DFARS Rule coming Dec. 2022 means more enforcement
- PreVeil enables CMMC Level 2 compliance with M365 Commercial
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)