This post was originally published on C3 Integrated Solutions’ website.
Waiting (and Waiting) for CMMC…
As the months tick by, a number of our clients have been asking us about CMMC – some, no doubt, hoping that plans for CMMC have been sidelined due to COVID. No such luck: CMMC is still on track, and sits squarely in the future for all DoD contractors. So, let’s break down the current status and provide some predictions for what’s coming in the near future.
…But First: DFARS
Back in May 2020, Katie Arrington, Chief Information Security Officer for the Department of Defense’s Acquisition and Sustainment Office – and the lead on CMMC – noted that the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 would need to be updated prior to CMMC moving forward., This DFARS rule change is still stuck in inter-agency review but could be released for public comment any day now. Once released, a 90-day countdown clock will begin for CMMC. DFARS revisions will be subject to a 60-day public comment period, followed by at least another 30 days of review and update. The final release of the DFARS 7012 revision is the triggering event for CMMC. Our understanding is that any and all new or renewal contracts between DoD contractors after the final issuance of the DFARS 7012 revision will hold CMMC clauses.
What This Means for Contractors
Many questions still remain about what the new CMMC requirements will mean – especially in the short term – for DoD contractors. Unfortunately, we don’t yet know a lot of answers. Once CMMC becomes part of DoD contracts, its unclear whether contractors will have any sort of grace period to become certified, since auditors are still being trained (more on that below). In addition, its unclear whether certain contractors – for example, those who have contracts that are up for renewal immediately – will get to move to the front of the audit and accreditation line. Regardless of the process, there will undoubtedly be a bottleneck of contractors wanting and needing to become certified. At C3, we’ve been counseling our clients to start down the road to compliance sooner rather than later, to assist that process, we’ve developed a model to leverage GCC High for CMMC compliance.
CMMC Audits Start with the Auditors
You can’t have an audit without an auditor. The CMMC Accreditation Board (CMMC-AB), which serves as the authorized training, credentialing and accreditation ecosystem for CMMC, just released a core group of eleven organizations called Licensed Partner Publishers (LPPs), who will begin creating a training curriculum based on the upcoming DoD CMMC Assessment Guide (more on that below). The curriculum will allow the LLPs to provide the materials for Licensed Training Providers (LTPs), which are the universities, community colleges and other learning institutions who will ultimately train Certified Professionals and Certified Assessor applicants. In other words, the textbooks are now being written to train the trainers, who will then teach the auditors how to audit.
If so, you may be wondering how training can be developed to enforce requirements that are still in flux, and how companies will be able to pass an audit, without understanding the rules for the audit itself, at least yet. As many of us know, it won’t be the first time (or the last) a plane got built in-flight. Our hunch is that the DoD will attempt to get CMMC out the door, knowing that it will multiple course-corrections along the way.
We do know that the CMMC-AB is currently conducting provisional or “friendly” audits, before the final CMMC rules are published, in an effort to test out the process. Additionally, the first group of 25 auditors have passed the training with an expectation that 72 auditors total will be trained by the end of the year. As we mentioned before, it may be (hopefully) that DoD will build in a grace period to allow for the audit process to evolve. We shall see.
The Assessment Guide: the “How” for the “What” of CMMC Controls
As I mentioned above, the CMMC-AB is working with the DoD to develop Assessment Guides which will become the roadmap for how the CMMC controls will be implemented. The Assessment Guide is expected to be released soon – some say as early as September or October – and the industry is eagerly waiting to see what the guides will say.
In a recent webinar conducted by our friends at Summit 7, Microsoft’s Richard Wakeman, and CMMC-AB member Jeff Dalton joined Summit 7 leadership to discuss a variety of cloud security topics, including CMMC. Speakers specifically addressed the CMMC Assessment Guides, hinting that they would be heavily weighted to on-prem environments. Its not surprising, as those environments are likely to be perceived by the CMMC-AB to be the “low-hanging fruit” whose systems can be parked behind a firewall and more easily assessed as compliant. However, we know that is not the reality for most organizations, especially now in a cloud-centric world. Our advice is that cloud-based organizations should not be overly concerned; as we mentioned before, this process will necessarily evolve. Cloud-based organizations should make their voices heard and wait for the second round.
Getting Into GCC High is Going to Get Easier
Microsoft’s Richard Wakeman did deliver some good news: it will soon become easier for organizations to get into GCC High. We’ll be disseminating any new information in the coming weeks, as we hope this will make the process easier and shorten the timeline for approval for GCC High.
Drawing a Line in the Sand with CUI Data
And speaking of Richard Wakeman, we were pleased to see that Microsoft has recently taken a stand with respect to GCC High and Level 3 compliance, reporting that Microsoft would adopt a high watermark strategy to help companies accomplish data protection goals and ONLY certify Controlled Unclassified Information (CUI) in the US Sovereign Cloud. Their thesis:
“CUI is defined by a program that includes all categories under a single umbrella. Not all CUI markings are protected precisely the same way. However, it can be untenable to discern the various restrictions for CUI given consolidated language used by standards and regulations. In addition, the complicated array of markings are often not applied effectively. As a result, the reduced risk data protection strategy is to opt for the highest watermark possible for protection of CUI, rather than risk it by adopting a lower control set. CUI has export-controlled data as a common high watermark, to include ITAR regulated data. ITAR has a data sovereignty requirement. In other words, CUI effectively requires data sovereignty.”
Said differently, while ITAR/NOFORN is a subset of CUI data, there is no mechanism within the CUI program or CMMC to distinguish the two, especially as a service provider. Therefore, Microsoft must assume that any client protecting CUI data may include ITAR/NOFORN data. As a result, Microsoft must assume that ITAR/NOFORN data is present which requires the US Sovereign Cloud (i.e. GCC High and Azure Gov)
We highly recommend that anyone who may need to become CMMC compliant take a look at Richard Wakeman’s full article. Its an incredibly valuable discussion of CUI and an important, pre-emptive stand that Microsoft is taking in the versions of clouds that they will certify – and what the CMMC audit process will ultimately require of the organizations whose data resides there.
Getting Ready: How C3 Will Help you Prepare
For nearly two years, we at C3 have been watching, waiting and preparing for CMMC, knowing that it could be the single most important development the DoD contractor community has ever faced. I personally felt an obligation to understand all that CMCM entails – from the guiding policy, to the evolution of the controls, to the methodology of accreditation – because as a founder and owner of a company myself, its in my DNA to help our clients guide their businesses successfully through this process.
In addition to accumulating a massive amount of information on CMMC, I’m glad to announce that we’re now in the final states of a product solutions update. This solution set will codify an incremental/modular process that fully maps to the applicable CMMC controls. The product set is scalable and applicable to any business who is facing the necessity of CMMC compliance, and is built on an adaptable framework to accommodate the inevitable changes in the CMMC process. We’re currently working with a number of clients to implement this, and I’d welcome the opportunity to talk with you about how we can help your company.
C3 will continue to monitor the process of CMMC, but most importantly, we’ll continue to work in parallel to the process, making sure our offerings match what are clients need to be successful. If you’re interested in learning more about CMMC and how to best position your company for an audit and compliance, I encourage you to contact C3 Integrated Solutions, subscribe to our newsletter, and to follow us on social media.
James Lucier is a Partner and Vice President Technical Services at C3 Integrated Solutions, full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. James has over 20 years of experience managing the deployment and support of mission-critical systems and applications, specializing in project management, business transformation, healthcare IT, operations, cloud technologies, Office 365, and Azure.