August 25, 2023

Podcast - What Do the Newly Released CMMC 2.1 Documents Mean?

Regulatory Phishing Podcast Series

In this episode of "Regulatory Phishing," government contracts and cybersecurity attorney Eric Crusius examines the newly released Cybersecurity Maturity Model Certification (CMMC) program documents. Mr. Crusius breaks down assessment guides and the scoping guidance for CMMC Levels 1, 2 and 3. He also explains the significant impacts these documents can have on the CMMC ecosystem.

Listen to more episodes of Regulatory Phishing here. 

Now, we've heard a lot about the Cybersecurity Maturity Model Certification. In fact, our previous episodes have already touched on it quite a bit. Something interesting happened in the last few weeks that I think warrants a separate episode, and that is the release of eight documents connected with CMMC by the Office of Management and Budget. Now, these documents appear to have been inadvertently released by OMB because they were pulled back and they appear to be maybe in a somewhat draft form, but they do reveal an interesting roadmap for folks who are looking at a CMMC assessment and work with DOD and know that CMMC assessment is coming their way eventually. So among those eight documents that were released were model overview assessment guides for Levels 1, 2 and 3 and scoping guides for Levels 1, 2 and 3. And within these documents, there were some surprising things, a lot of things that we thought were confirmed. But there were some things that surprised me, at least, anyway. And we're going to run through that to give everyone an idea of what these documents say, and hopefully that will help inform folks who are listening about what to expect for CMMC. We don't know when the proposed rule or final interim rule will be released, although it is with OMB now, so the best guess is sometime in 2024. And if it's released as a final interim rule, as we've said before, that means that CMMC may be put into contracts fairly quickly. If it's released as a proposed rule, there'll be a time for a comment, and those comments will be digested by the Department of Defense, and DOD will release a final rule. So we wouldn't expect to see CMMC until 2024. But short of that — and we should see something from DOD by the end of this year, 2023, and hopefully push CMMC along so there's some certainty in the marketplace.

CMMC Model Overview

Let's start with the model overview. And the model overview had some pretty interesting information in it. It confirmed that the kind of information that would be protected under the CMMC model would be federal contract information and control and classified information. Federal contract information uses an existing definition as well as a new one that we don't know yet. But I imagine it's going to be consistent because it points to a regulation that has not been released yet. In fact, these documents point to numerous regulations and subsections that have not been released yet. So fascinating to see kind of how the sausage is made behind the scenes. They also define controlled, unclassified information using existing definitions. And they spell out the three levels, which we knew already. Level 1, which works off of FAR 52.204-21, basic safeguarding of covered contractor information systems and the 15 controls therein. Level 2, NIST Special Publication 800-171, version two and 110 controls therein. And then for Level 3, we knew all along there's going to be some kind of subset of NIST Special Publication 800-172. But now with this release, we kind of see the controls that DOD is planning on using. Assuming these documents are finalized, the way they look now, 24 controls from NIST Special Publication 800-172. It also confirmed that a contractor seeking assessment has the option of getting their whole organization assessed or just a specific enclave. And a specific enclave could be helpful because it limits the scope of an assessment and limits the cost of an assessment. Of course, contractors and companies have to kind of figure out what works best for them. It also talked to the fact that each level of certification are independent from each other, and this will take an outsized meaning as we kind of discuss in a few minutes one of the assessment guides. But it talks to the fact that each level is an independent requirement. Each level requires a separate assessment. It also confirms that there are 14 CMMC domains that align with the 1,480,171 families, and for Level 3 duty is inserted, the organizationally defined parameters within NIST 800-172 controls that are specified for Level 3. And that means if you look at 800-172, there are some essentially blanks in the controls, and these blanks allow for an agency to insert their parameters for that control. So for instance, if we look at 3.2.1 E, which concerns training of individuals, DOD is inserted. That training at no less must be completed at least annually by certain individuals. So they've inserted the at least annually into that control.

Level 1 Overview

Looking at the specific levels, let's start with Level 1. The Level 1 organization or organization seeking Level 1 can use a third party to help validate their controls, but it's still considered a self-assessment. And when they're done, they put a score or their assessment into a Supply Performance Risk System, also known as SPRS. But they also note that there's a self-assessment report. It is unclear whether that self-assessment report is something that is automatically generated by virtue of the score that's put in or if that's a separate narrative that a contractor has to complete. If it's the latter, that's obviously an additional burden on contractors to do that. And we'll probably see more, of course, when the proposed rule or final interim rule is released. And as I said earlier, the organization seeking assessment has the duty to define the scope, which assets will be included within the scope of the assessment itself. This is obviously a fairly tricky topic for contractors to do this, no matter which level they are in. To figure out which level they are in doesn't really matter, they have to still define the scope contractors are to use even with Level 1 NIST 800-171A as a guide. So as part of the assessment, contractors can interview staff. Documents that are relied upon must be in their final form. And these documents can include policies, training materials, system and network flow diagrams. Also, validation through testing is important, and in order to be Level 1 compliant, not surprisingly, all 15 controls must be met or not applicable. One interesting thing in this assessment guide that we didn't see anywhere else is are some changes, some edits within the guide itself. There are some parts of Level 1 assessment guide that are in red and crossed out, and all of these parts pretty much deal with the situation where another contractor is inheriting a system from a contractor and what happens in that circumstance. So the crossouts take away kind of the parameters for an inherited system. It may mean that it's dealt with elsewhere. It may also mean that inherited systems have to go through a regression assessment. That remains to be seen. But just an interesting note from the Level 1 assessment guide.

Also, of course, the scope for FCI is any kind of FCI, any kind of assets that are processed or transmit FCI. And out-of-scope assets — and this is true for Levels 1, 2 and 3 — are not assessed against CMMC requirements. But the assessment guide notes that FCI is a broad category of information, so the self-assessment that a contractor goes through needs to address a wide array of assets, but that does not include specialized assets such as the Internet of Things assets or assets that deal with the industrial Internet of Things or government-furnished equipment. So you want to take a look at that.

For with respect for Level 2, we see some important changes versus Level 1. And I'm going to just flip open this document, so you may see or hear some page flipping as I'm talking here, because I want to tell you the Level 2 assessment guide is 265 pages long. Now, that is not a weekend project. And I would even say that Level 1 is not a weekend project. I've said that a lot, quite a few times in presentations I’ve made. Level 1 is not something to sneeze at. It’s not something you take for granted. It’s not something where you just say, "Oh yeah, we're compliant," and go on the Supplier Performance Risk System and know compliance. It is a process that a contractor has to go through, and if there is any kind of audit or anything like that by the Department of Defense, they're going to want to see that that process was went through and they're going to want to see the controls have been validated in one some way, shape or form. So it's really important to do that.

Level 2 Overview

If you look at the Level 2 assessment guide, Level 2 allows for conditional certifications, and conditional certifications occur when the contractor is not compliant with all 110 controls but is compliant with enough of the important ones in order to get a conditional assessment. That conditional assessment can only occur if a contractor uses Plans of Actions and Milestones, POAMs, to essentially finalize compliance with those outstanding controls, and they have to do so within a certain time period. That time period isn't noted in the assessment guide, but I imagine it will be noted in the regulations. In fact, the assessment guide points to additional regulations. And it does appear from the language in the assessment guide that a contractor with a conditional certification will be able to get and perform contracts. But again, a conditional certification will be dependent on meeting certain factors, making sure that the controls that are critical are met, and the controls that are not as critical have open POAMs, and those POAMs are resolved within a certain period of time. So very important to kind of think about that.

They actually have definitions of conditional certification assessments and conditional self-assessment, because, if you remember, a Level 2 is a split level. They're going to allow self-assessments in certain select programs, with the vast majority of their peers requiring a third party assessment from a certified third party assessment organization, C3PAO. And then incident is among the other terms that are defined within this Level 2 assessment guide, and incident as a definition looks pretty similar to the definition that you see in DFARS Clause 252.204-7012 They also refer to the definition in this special publication 800-171 rev. 2, specifically Appendix B, page 54. It looks fairly similar to those definitions there. But remember, incident is not just an actual intrusion. It could mean some kind of other action that compromises the system. So just be wary of just limiting your idea of an incident to an actual intrusion. Again, with Level 2, like I mentioned, with Level 1, it's not just the compliance score that is reported, but there's an accompanying report that contains the findings associated with each requirement. So it remains to be seen how specific this report needs to be for Level 1 or Level 2 or Level 3 for that matter. But there does seem to be an indication it's not just going to be the insertion of a score into SPRS. There's going to be something more required by contractors. So very interesting. And we're going to talk a little bit about this more in the assessment scope document for Level 2, but there is a reference to external service providers and the standards that they have to meet within the assessment guide itself.

Moving on to the Level 2 assessment scope — and remember, Level 2 is a split level, as I mentioned before. There's self-assessments and there are third party assessments. So, you know, kind of reference to what I said earlier, that each level is seen as its own distinct level, one is not subsumed by the other. They mentioned early on in the assessment scope — which is a much smaller document, you could read it in probably 20 minutes — and for this they note that in order to get a Level 3 certification, which is done by DOD, you have to achieve a Level 2 final certification and then complete all the Level 3 security requirements before seeking a Level 3 certification assessment. So it's a lockstep thing. Level 2, then Level 3. With respect to security protection assets, they note in here that security protection assets are going to be assessed against all CMMC requirements. This is the same as what occurred in the documents that were released a couple of years ago. But it's still interesting, and it's still important to note what is a security protection asset. Well they have a chart with examples for technology that includes cloud-based security solutions, VPNs for facilities that includes co-located data centers, security operations centers, organizations seeking assessment, office buildings and for people, and includes consultants who provide services for cybersecurity and includes enterprise network administrators and managed service provider personnel who implement system maintenance. So all of those assets are going to be assessed against the CMMC certification requirements. Specialized assets will not be. They'll be reviewed in these systems' security plan but not assessed against other cybersecurity, CMMC security requirements. So just an interesting note there, and I'm previewing what I'm going to say with respect to those assets for Level 3, because there's an interesting little wrinkle there on that.

Levels 1 and 2 Have Separate and Distinct Requirements

So with respect to Levels 1, 2 and 3, there's an interesting kind of dialogue about use cases at the end of this document, page nine, and it talks to the fact that Levels 1 and 2 are separate and distinct levels with separate and distinct requirements. So just because you're our client with Level 2 doesn't mean you're actually compliant with Level 1. That's a separate assessment. So if a contractor has federal contract information and control and classified information, they have to do an assessment for Level 1 for that federal contractor information and a separate assessment for Level 2 for that controlled unclassified information. So I'll just kind of read from the document here, because I think it's very interesting.

A CMMC Level 2 self-assessment or CMMC Level 2 certification assessment, regardless of result, does not satisfy the need to assess the federal contract information environment. If FCI is processed, stored or transmitted within the same scope as CUI and the CMMC Level 2 scope and the methods to implement the Level 2 security requirements could apply towards meeting the CMMC Level 1 assessment objectives, OSA may choose to conduct the assessments concurrently, but two distinct assessments are required. The organization seeking assessment (OSA) is still responsible for ensuring that only authorized users and processes have access to data regardless of its designation.

So it's saying there that they are required to undergo two separate assessments. Now, it's possible that some of the Level 1 requirements can be subsumed by Level 2, but they're saying if you have FCI and CUI, that's two separate assessments. So that's interesting to see that in this document, and it'll be interesting to see how contractors treat that.

Treatment of External Service Providers

Another interesting thing in this document is how external service providers are treated. There's a whole page on this, page 10 leading into the very end of page 11, and external service providers are required to get a CMMC Level 2 certification or have a FedRAMP moderate or equivalent certification. And I'll clarify that a little bit. The document talks to how if these ESPs are handling controlled unclassified information, they need to be compliant with CMMC. They can be compliant, or they could show compliance at CMMC if they're offering. Is FedRAMP authorized at the FedRAMP moderate or higher baseline in accordance with the FedRAMP marketplace? And I was reading from the document there — or if they're not FedRAMP authorized, that they're FedRAMP moderate baseline but meet statutory requirements equivalent to those established by the FedRAMP moderate baseline in accordance with the DFARS clause I mentioned earlier, 252.20.470.12, they can potentially be considered to be compliant with CMMC. That's going to require a little bit more vetting out. We'll have to see how this is kind of washed out in the regulations, but that's very interesting. External service providers need to be compliant with CMMC Level 2 if they're handling controlling classified information or FedRAMP moderate or something where they account for all those controls in that plan that they have. So very interesting for Level 2 to see that there.

Level 3 Overview

Level 3 was interesting as well because we didn't know very much about Level 3 except that they were going to be some controls from NIST 800-172 that were going to be assessed. And that in fact is the case. And it looks like about 24 controls of account grew quickly from the index here. It looks like about 24. And again, these documents are draft docs. It looks like they were pulled back by OMB. So they may not be the final version of what’s going to occur, but really important to kind of see where DOD is headed with this. They note that for a Level 3, assessments are formed exclusively by DOD. This is in the assessment guide for Level 3. CMMC Level 3 only applies to systems that have already achieved a CMMC Level 2 final certification, and CMMC Level 2 consists of consent requirements specified in NIST 800-171. So that confirms what we already knew about Level 2, which we've already discussed. The really interesting wrinkle here is kind of the scoping for a Level 3 assessment, and the way it's written, it almost makes it seem like if you're going to get a Level 3 assessment, you use a Level 3 assessment scope even against the Level 2 controls. So that means that's critical because specialized assets are outside of scope for Level 2, but not outside the scope for Level 3.

Level 3 Specialized Assets and CMMC Assessment

For Level 3, specialized assets go through the entire, go through the entire CMMC assessment. So they have to meet all the controls that are required. And I'm going to read from this and you could draw your own conclusions, but "the organizations seeking certification must have received a Level 2 certification of all systems included within the Level 3 CMMC assessment scope prior to requesting a Level 3 assessment." Very interesting there. So that leads me to believe, the way it's written, that it's possible that specialized assets will be within scope under Level 2. If a contractor is going to seek a Level 3 assessment, those specialized assets are noted throughout these documents, but they include, as I mentioned before, Internet of Things, industrial Internet of Things, government-furnished equipment, things like that, and there's some other categories as well. So we'll have to just see where this nets out, but that could be a very interesting thing. They also talk about conditional certifications and conditional assessments and the impact of that. But it does appear, at least the way it's written right now, that conditional assessments may allow for the receipt of contract awards. So we'll just have to wait and see on that.

And then they issued a Level 3 assessment scope and just confirming within that specialized assets are assessed against all CMMC requirements under this. This Level 3 assessment scope does note the different kinds of asset categories that we find. So I think it's worth checking out just for that reason alone. And they do specify what the specialized assets are. They include government-furnished equipment, Internet of Things or industrial Internet of Things, operational technology, include industrial control systems, building management systems, property control systems and physical access control mechanisms, restricted information systems and test equipment. So they do talk a little bit more about how they are within scope for Level 3. Specialized assets, and this is from the document, are part of the Level 3 CMMC assessment scope, and then they say to regulation that has not been released yet, the organizations seeking certifications should prepare for these assets to be assessed against all CMMC requirements unless they're physiologically isolated into purpose-specific networks with no connection to the Internet or other networks. Specialized assets may have limitations on the application of certain security requirements to accommodate such issues. Intermediary devices are permitted to provide the capability of the specialized asset to meet one or more CMMC requirements. So specialized assets for Level 3 are within scope, and we'll have to see how it's written up. But it's possible that these specialized assets will be within scope for Level 2 if a contractor is seeking a Level 3 assessment. So some really interesting stuff from this release by OMB in the CMMC documents.


I hope this was a helpful walkthrough, and we'll of course keep you updated as things develop with CMMC. Thanks for joining us and look forward to seeing you on the next podcast.

Related Insights