Pentagon Releases Draft CMMC Standard
They say the third time is a charm. I am not sure that holds for the DoD, but it seems like they are trying to do it right this time.
The rule was released last week as a draft rule. The clock started on a 60-day comment period. It is likely that the rule won’t be finalized for a year. The good news is that, given what we already know about the requirements, that gives you time to get prepared.
Also remember that the certification process itself will take time – potentially months – and they will not schedule you until they at least think that you have a strong chance of passing the assessment.
Okay, what have we learned? Here are some things, and we will post a video on our video blog in the next two weeks with more information.
- Up until last week, saying Not Applicable to a requirement required a doctor’s note from the CIO of the DoD. No longer. All you need now is an excuse that the assessor believes. Make sure the story is good because the assessor is staking their reputation on your story.
- On the other hand, if you say that you have alternate security measures in place that are as good or better than the requirements – that does require a doctor’s note from the DoD CIO.
- Remember the story about how you can PoAM some items. Well, we know more about that now. We already knew that you had to complete any PoAM items within 180 days or they would revoke your provisional approval. That has not changed. We also knew that you could not have a PoAM for any of the hard items – those items which are worth either 3 or 5 points. That has not changed either. Now they have added 5 more 1-point items that can’t be PoAMed, like physical security and escorting visitors. That means that more than 80 percent of the requirements are not PoAMable.
- External Service Providers like your MSP must be CMMC Level 2 certified BEFORE you can be certified. That is going to greatly limit the number of MSPs that are candidates for you to use. Right now, that number is zero, which will be a problem for small businesses that depend on them.
- Cloud Service Providers that have access to your security data, like event logs and other security data, will need to be FedRAMP Moderate certified or equivalent. Again, this will limit the number of CSPs that are candidates to use.
- Scoping will be critical. Shop around for certifiers and make sure that you and they agree on the scope BEFORE you sign anything.
- Be careful if an MSP (or what the DoD calls an External Service Provider or ESP) says they are certified. Make sure that the services that they are providing to you are included in the scope.
- Nowadays it is hard to find any security tools that do not include a cloud component. That means that you have to be very careful about the tools that you use. For every security tool you use or are planning to use, make sure you understand whether it has a cloud component and, if it does, that the cloud piece is FedRAMP Moderate or higher.
- Not all programs will require CMMC certification, and DoD will likely waive CMMC requirements for many programs, at least in the first few years. Waiving the requirement is all-or-nothing – they can’t just waive it for some contractors and subs in a program, they have to waive it for everyone – so they will think carefully about that. On the other hand, if 90 percent of their vendors are not certified, that will shut down the DoD’s procurement process, so that is not an option either.
- What DoD would like primes to do is to stop sharing CUI with subs, so that all the subs need to deal with is CMMC Level 1, which is pretty simple and can be self-certified every year. If that is possible, it makes everyone’s life easier.
Those are some of the things that we have learned, but there is still a lot more reading to do.
Also remember that there are more regulations in the works that have not been released, including new requirements for Level 1 and a new version of NIST SP 800-171 due out in the early spring.
It is highly unlikely that most companies will be able to do this without help. If you think you need help, please contact us.
Credit: The Pentagon