There’s a lot for manufacturers in the defense industrial base (DIB) to be thankful for this year.
In addition to its declared intention to onshore (or reshore) acquisitions more aggressively, the DoD published its CMMC 2.0 update in the Federal Register on 5 November 2021. The changes announced indicate that the DoD is serious about building a cyber-resilient supply chain characterized by a diverse base of small and midsized companies—and that the concerns registered by at least 850 DoD vendors were taken into consideration. In particular, the DoD has addressed some of the most onerous, troublesome, and confusing barriers to participation raised by the CMMC 1.0 provisions:
- Streamlined Cybersecurity Control Expectations. The five-level model has been reduced to three and the authoritative source for those controls is NIST SP 800-171. This simplifies the amalgam of frameworks posited under CMMC 1.0.
- Level 1, the foundational or basic hygiene level, aligns with the basic requirements for handling federal contract information (FCI) as defined in FAR 52.204-21. This clause on the Basic Safeguarding of Covered Contractor Information Systems references “facts, data, or opinions… provided by or generated for the Government under a contract… [that’s] not provided to the public.” Implementation of the seventeen basic controls in NIST SP 800-171 should be underway and documented in a plan of action and milestones (POA&M).
- Level 2, the advanced hygiene level, aligns with DFARS 7012 requirements for handling controlled unclassified information (CUI). This clause has been in place since 2016, at which time the 31 December 2017 deadline for its implementation by DoD vendors was established. This level references all 110 controls described in NIST SP 800-171 and requires a plan of action and milestones (POA&M) to document progress toward control implementation.
- Level 3, the expert level, is loosely equivalent to the former “CMMC Level 5” designation but is under review by the DoD for further clarification.
- Reduced Third-Party Assessment Burden. The DoD received considerable feedback about the anticipated cost of using third-party assessors. It also received information about highly questionable activities by members of the CMMC-AB with respect to conflict of interest and predatory practices being initiated by consulting companies. Briefly, companies that only handle FCI (Level 1) and non-prioritized CUI (some Level 2) must perform an annual self-assessment. Companies that handle prioritized CUI (some Level 2) must undergo a third-party assessment. Companies at Level 3 are subject to government-led assessments.
- Focused and Reasonable Organizational Security (a la Sarbanes-Oxley). NIST SP 800-171 constitutes the foundation for practicing reasonable security. At the same time, the express participation of senior executive management is required as a way of showing commitment to cybersecurity as a business—not just IT—risk and problem. For Levels 1 and 2, the DIB company leadership must affirm annually the declarations made in the annual self-assessment. This is similar to the provisions of the Sarbanes-Oxley Act of 2002, which underscored the importance of corporate governance with respect to financial reporting. NOTE: Those companies at Level 2 that have contracted for prioritized acquisitions including CUI and those companies at Level 3 will be subject to third-party assessments.
- Reinstatement of POA&Ms and Waiver Process. A formal plan of action and milestones (POA&M) with deadlines may be used by DoD suppliers as evidence of intention. The DoD is considering a general waiver process. The latter has not yet been formalized or approved.
- Expansion of Third-Party Assessor Pool. The allegation by certain DoD appointees that private companies cannot provide consulting, training, or other services pertaining to CMMC has been challenged. There is no such law.
- Redaction of Maturity Level Proof. The awkward melding of practice and maturity that was attempted in the CMMC pilot is suspended. Only the security controls contained in NIST SP 800-171 need be referenced. This eliminates the requirement to assemble a book of evidence for verification by third-party assessors.
- Suspension of FAR and DFARS Clauses. The DoD will not approve inclusion of a CMMC requirement in DoD solicitations until appropriate updates are made to the Code of Federal Regulations (CFR), specifically Titles 32 and 48.
- Reassignment of CMMC Oversight.
The good news—the reason to give thanks—is that the DoD sincerely wants to build the resiliency and diversity of its supply chain. Its reconsideration of the CMMC situation is a profound commitment to shared responsibility and reasonable expectations with respect to cybersecurity.
Building back stronger—together. A great reason to give thanks!