S2 E35: CMMC is Finalized, What Comes Next?

Transcript

Jordan Eisner: Welcome to another episode of Compliance Pointers. I’m your host, Jordan Eisner, and I’m joined today by Chris Abacon, aka Bacon. How’s it going, Bacon?


Chris Abacon: What’s going on, everybody?


Jordan Eisner: Chris, good to have you on again. For those of you who don’t recall, Chris is former Navy, over 10 years, I believe, in the Navy, working in several different IT roles. I saw on the profile, it was Navy blue team analyst, as if they’re being the other color.


Chris Abacon: Yeah, there’s the blue team and the red team, right?
I was part of the blue team, the defenders. Red team are the… They’re like the pen testers, right?
So in a sense, I’m blue team for CompliancePoint, right? So you got the pen testing crew as the red team. So it’s pretty cool.


Jordan Eisner: There you go. So, and now on the civilian side, as you just alluded to, you’re working at CompliancePoint, and more importantly, with our clients to help them from that angle.
So I think you’ve been on at least one podcast previously.


Chris Abacon: I think I’ve been on one, yes.


Jordan Eisner: So it’s good to have you back, and we’re talking about a similar topic again. Sorry to typecast you as the CMMC guy.


Chris Abacon: Oh, I like that typecast. I’m all for it.


Jordan Eisner: And for our listeners, CMMC, Cybersecurity Maturity Model Certification. But if you click this and you’re listening or you’re watching, you probably already knew that.
And so that’s what we’re going to get into today. It’s been finalized. That’s supposedly of significance. You’ll have to forgive me. A bit of a cynic with CMMC because it seems like we’ve been hearing and talking about it for a long time. But that’s part of why we’re doing this episode, and that’s part of what Chris is going to get into. Expand on, elaborate on, and hopefully leave our listeners and viewers with a bit more of an understanding of why this is important as they step away from this.
So we’ll start simple question. Softball, who’s going to win the election?


Chris Abacon: Oh, no.


Jordan Eisner: I’m just kidding. You don’t have to go there in the slightest. I’ll stop you there. I wasn’t making sure you were paying attention to what I was asking.
Why is it significant that CMMC is being finalized? And why might people not realize that it’s being finalized or it hadn’t been finalized previously? Walk us through a little bit of the trajectory where we are now and why it is significant that it is being finalized.


Chris Abacon: Well, I mean, really, to understand the significance, we really got to go back to 2010 November. It’s going to be the executive order, 13556, that really published controlled unclassified information as a means to protect it. Because there were essentially every branch within the government had their own categorizations and markings for controlled unclassified information. 13556 really constitutes it and aggregates it into one nice little program under NARA, which is National Archives. So they’re the ones that really push this effort, at least from the government and federal perspective.
But going into CMMC as itself, the rule was originally published. So the interim final rule was published. So that was for code of federal regulations in November 2010. So the interim final rule for 48 CFR became effective November 30, 2020, establishing that little five-year period.
So in this area, CMMC 2.0 was introduced about a year later. And it covered all the tiered models, the assessment requirements, and the phased implementation. And within the DoD DIB, it still wasn’t the, I would say, FUD, per se, or the anticipation of it, still wasn’t there because it was just so far off.
Everybody knows, at least that’s familiar with the federal rulemaking, that process takes a long time. It takes a very, very long time. Nearly now that we’re at the end of an election cycle, the CMMC final rule is now supposed to be taking effect December 16.
So CMMC level 2.0, which is the three-tier requirement, which denotes level 1, 2, and 3, published in November 2021. And it’s really just been anticipation to that point.
You’ve got buildup all over the marketplace, all over LinkedIn, and various cybersecurity conferences and people and subject matter experts talking about the specific rule. And finally, it’s now significant because the new rule finally takes into effect on December 16, 2024.


Jordan Eisner: We’re going to talk a little bit about that phase rollout. And I know I have some questions for you where you can expand on that for our audience.
You mentioned end of an election cycle. Is there any way that what happens with this election could change the date?


Chris Abacon: No way. Not at this point.


Jordan Eisner: No way. No chance. You heard it here.


Chris Abacon: I mean, really, to get to this point, it had to go through various government… The Office of Undersecretary of Defense, right? It’s had to go through OIRA, which is… They work with the Code of Federal Regulations. The actual specifics of what goes on there, I’m not familiar with, but it’s gone through these specific steps for so many periods.
I think personally, because of the end of election cycle, you got people at the end of their terms, they’re pushing this stuff out. That’s kind of my theory, but it makes sense.
I think historically, a lot of regulations have been pushed out at the end of administrations. So it’s kind of cool that we’re finally seeing it take into effect on December 16.


Jordan Eisner: You say cool, I’m sure others say something else. Depends on how you’re looking at it. It’s in the eye of the beholder.


Chris Abacon: From us as the subject matter expert perspective, right? But as an organization seeking assessment or even certification, that might not be the case, right?


Jordan Eisner: But that was part of what was adapted, right? Just to consider size of different organizations and hurdles that you’re going to put on different contractors based on their complexity and who they’re working with. But I’m getting ahead of myself or I’m getting off topic.
While this rulemaking was happening, a DFARS rule change is also moving along. Tell us about that and the impact that had with CMMC.


Chris Abacon: So, in specific terms, there are two things, right? There are two specific rules to take note of. There’s 32 CFR part 170, which is the CMMC program rule, which is the actual rule that we’re talking about, the one that’s going to be taking effect on December 16th. It establishes the program itself from the federal perspective.
48 CFR, right, I think it’s part two of four, is the DFARS, Defense Acquisition Regulations, right? So, that’s on the DOD-specific side.
So, this is where the DOD can take and establish certain rules, regulations, and milestones within the CMMC rule that can trigger their requirements and implement them into DOD contracts themselves.
CMMC is established. Now, DOD needs to put a rule in to trigger it and put it into the actual DOD contracts.
So, consider 32 and 48, right? Those are the two complimentary rules. 32 CFR December 16th, 48 CFR sometime mid next year.


Jordan Eisner: Well, let’s go back to the phases of the CMMC rollout piece. Expand on that. Talk about some of those for our listeners. What’s the importance or what can they expect as the phase approaches this is rolled out?


Chris Abacon: So, the phase rollout supposedly, it’s going to be implemented and in effect upon the publishing of the 48 CFR rule. So, that’s going to be the DOD one. It’s going to be sometime mid next year.
So there’s going to be four phases. Phase one is the inclusion of level one and level two self-assessments in contracts. So, it’s going to be effective once the DFARS rule again is published. So self-assessments, self-attestations and SPRS, right? Supply risk management system, right? Or supplier risk performance. It’s one of those. It’s the DOD supplier scoring system, right? So it’s where companies go in there and self-attest to the requirements based on NIST 800-171 Rev. 2.
Now phase two is going to be the requirement for actual C3PAO assessments in certain level two certifications. So, that’s going to be some of them, right?
So there’s that little phase where it’s like, hey, organizations that know that they have to require level two, right? I’m sure they know who they are, right, based on the level of sensitivity that they’re working with the government, right? Certain of them, some of them will be requiring a level two actual C3PAO assessment.
My thing is I would just say that you should just be able to prepare for that, right? Like, hope is not a course of action. You should, I think if you’re level two, my recommendation is based on your contractual requirements, get ready for that level two C3PAO assessment, not that self-assessment.
Now phase three is going to bring, it’s going to include level two C3PAO assessment requirements and options to exercise, and options to exercise active contracts, right? And then level four is the full implementation of CMMC requirements.
CMMC requirements is going to be all the way up to level three, level three organizations know who they are. There are, you know, a lot of things at play at that point.
But the big thing too, one thing I forgot to mention with respect to level three, phase three, it’s actually some phase three level three certifications will be required. So if you’re a level three company, like we all know who they are, some of them will be required to go through a DIBCAC assessment in phase three.
Now, starting with phase two, each of these phases becomes effective one year after the following phase. So it’s essentially going to be a 36-month rollout after the phase one start. So give yourself three years or so. I mean, it’s there to soft-roll companies into the CMMC ecosystem, give them time to prepare. But in my perspective, you’ve known this was common since 2021, right? You’ve had plenty of time to prepare.
So, when an organization gets that contract line item, right, at the time of award, it’s going to need C3, and it’s going to have to have a level two C3 PAO assessment. Just be ready for that.


Jordan Eisner: Okay. I was trying to think of something. I forgot what I was going to ask with all the different…


Chris Abacon: You get lost in these phases, right?
Especially when you’re thinking, oh, this year, that year, and there’s just so many nuances to CMMC, specifically when it comes to the rule systems. It’s easy to get lost in this, but that’s what we’re here to help.


Jordan Eisner: I’d say maybe a key takeaway from what I heard from you is if you’re teetering between one of the levels, expect the best, prepare for the worst.


Chris Abacon: Correct. That’s a good course of action.


Jordan Eisner: We talked previously about what we’re talking about in this, and this was going to be a quick hit, I think, episode. As we start to wrap, I think a good bow on this for our listeners would be for organizations that need CMMC, what are some next steps or just steps that you’re recommending?
As you said, you’ve known about this perhaps for three years, but as we see a lot in the industry, it’s a hurry up and wait and procrastination. Coming out of this finalization, this is a significant thing. What are some steps you recommend to start and then ultimately to achieve CMMC certification with those organizations that have to self-certify or even the ones that need third parties?


Chris Abacon: The first thing is to really, as an organization, choose or really identify your own proper certification level. Understand where your organization is processing federal contract information, so that’s information not for public release, that’s provided by or generated by the government under a contract to develop a specific product or service for the government. Contract information.
And also identifying as an organization where you have control and classified information. I think I’m going to skip it around here.
But with that said, understanding where your certification level is, if you’re going to be a level one, so just kind of recap, level one is foundational, right? And that’s meaning that you handle federal contract information and you will need to meet the FAR 52.204-21 cybersecurity requirements, which are about 15 or so requirements from NIST 800-171, right?
Most organizations are likely going to fall under advanced level two. And with my previous comment of some organizations will only have to self-attest, while some, I would say most, will have to go through a C3PA organization, prepare for the worst, expect the best, right? Make sure that you understand where you stand.
And now level three, it’s going to be, you’re going to be assessed by the DIBCAC. Chances are you’ve already been assessed by the DIBCAC at some point or have that communication with them. But in this case, right, identifying a proper certification level is really paramount.
Work with your, if you’re a subcontractor, communicate with your prime contractor. If you’re a prime contractor, chances are those big names that we all know, they’re already communicating with the DOD in that respect.
So one, identify your certification level.
Next, I kind of skipped ahead though, but identify your CUI and FCI. Identify which systems in your ecosystem, in your environment do the contracting and for FCI and identify where those data flows are and ensure that only those are documented, right? Those, FCI sticks to those specific systems and same with CUI.
You should track the flow of CUI and identify where, what areas of your business encounter the specific data. And really, I like segregation, right? In this case, right?
Keep reducing your scope and ensure CUI is only within the bounds, even if you have like a CUI room, for example, if you’re an organization that produces parts, bespoke parts for the government, right? Really narrowing your scope to a building, a room, better, right? Again, that is a huge aspect of this, right?
And then lastly, and then moving forward is the system security plan, right? Everybody knows the system security plan. You can’t move forward with CMMC unless you have a system security plan.
A system security plan is essentially how a document that describes how the organization protects FCI and CUI with accounting to 800-171 controls. There are 800-171 controls, right? There’s also 800-171 alpha controls with assessment requirements which have about 320 determination statements. So 320 statements in areas where you have to, as an organization, prove that you’re meeting this 800-171 slash CMMC requirements, right? So that is a huge part.
Also I think one little extra tidbit here is also identifying your security protection assets, your contractor-managed assets, and your out of scope slash specialized assets.
I do want to give this tidbit here on security protection assets. It’s really the people and processes and technology that enable the protection of that CUI but don’t necessarily have to process and store CUI as they’re not CUI assets. This could be anything from your people, your processes and technology, your buildings, your security providers, right? So all that stuff documented in the SSP. And then the next step I would recommend is taking a look at yourself and doing a self-assessment.
Self-assessments can be done with the help of an external provider or yourself if you’ve got the team to do so. Conduct the self-assessment by identifying existing 800-171 and CMMC gaps. Usually in this case, utilize 800-171 alpha or 800-171A assessment requirements. A lot of the times people think, oh, it’s just 110 controls from NIST 800-171. That’s all we got to go with.
But an assessor is going to look at 800-171 alpha, which has 320 determination statements. But it depends anyway from like three to two statements per control or it could be up to like five, right? It really depends. But obviously the bigger and more difficult or more capital intensive requirements are going to have more determination statements, right?
And then next, design and implement controls based on the security gaps. Find that gap. Find those gaps and create that POA&M if you have that capability, right?
Then lastly, select the C3PAO, right? Once you guys have gone through that process conducting that self-assessment gap assessment and if you’ve gone and remediated those gaps and you feel confident enough to go with a C3PAO and do that assessment, select that C3PAO.
Go to the Cyber AB website. Find a C3PAO, connect with them. See if they meet your values, right? If you work with them as a, if you can synergize with them as an organization and then they can help you with that level two certification, right?
So those are my quick hitters.


Jordan Eisner: It’s a lot, right?


Chris Abacon: It really is.


Jordan Eisner: I’m familiar enough to know the things you’re talking about when you say 800-171, this when you say SSP, right? And you can’t spell CMMC without SSP. And I know that sounds funny, but that’s a core part of it.
If you’re a defense contract and you’re listening or you’re watching this and CUI, FCI, any of this is like, wait, what is that? You need to talk to somebody, right? I mean, you need to be asking around. You need to be doing some research and be connecting and subscribing to these sort of channels to understand these requirements that are coming down and you need to increase maturity with your organization.
Now, most are going to know about this already, right? I think it’s going to be a rarity or an outlier if there’s some that are maybe new to the game that are trying to understand some of the stuff or they want to start competing in this marketplace. That’s more likely where there’s going to be some newfound lack of understanding around some of these areas.
But most of them have been in the space working with the DOD and 1.0 for a while. This is going to be familiar and they’re going to understand it.
So that was a long way of saying everything that you just broke down and went through, I think is going to hit home for most that are familiar with this. And if they’re not, then they need to continue to digest this information and go online for it.
So we’ll end there, Chris. Thank you for your time today. I would implore everybody listening that has questions to reach out to Chris, reach out to me, come to CompliancePoint’s website, inquire through our website.
There’s many channels you can reach us and call in. We’ve got an email address connect@compliancepoint.com. And we’re very open to having conversations around this as organizations need to start preparing for CMMC or they’ve had time to start preparing for it.
But now the rubber hits the road. Start the clock on phase one and it’s Chris Point, you know, through your process from there. But it’s not something that you’re going to be able to cram for the test the night before.
Well, thanks, everyone. Until next time.
