On August 4, the Office of Management and Budget (OMB) released a series of documents detailing updates to the Cybersecurity Maturity Model Certification (CMMC) framework. While the documents' visit to the OMB’s website was short-lived, they managed not only to introduce a shiny new acronym in place of the widely accepted “OSC,” but also to detail the CMMC 2.1 Model Overview; Levels 1, 2, and 3 Scoping Guide; and even an Artifact Hashing Guide. Awooga. In this blog, our CMMC experts offer insight on three key points from the 2.1 data.

Senior Attestation

Among the many documents made briefly available last week, the “Paperwork Reduction Act Request for 32 CFR Supporting Statement - Part A” introduces a particularly noteworthy piece of information about changes to the CMMC framework. It states,

The OSA Senior Official or Principal who is responsible for CMMC compliance shall submit affirmations into SPRS for each assessment in the form of a signature, attesting that they have met the CMMC security requirements and will maintain the applicable information systems at the required CMMC Level.

In other words, someone in your organization’s C-Suite will be required to personally attest, in writing, both that CMMC requirements have been met and that the system architecture which enables this will be appropriately maintained. This individual will have to be someone legitimately senior; in almost all cases, a Director of IT is unlikely to satisfy this requirement. As a result, False Claims Act liability is being taken directly to the C-Suite.

Evidence Locker

The Paperwork Reduction Act Request also had this to say:

The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC…the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for the period of the CMMC certification.

There are actually two points of interest here. The first is that you must have a complete evidence locker before the assessment starts. Our recommendation is to have at least one piece of evidence prepared to support each assessment objective, as opposed to each control. The second key point is a records-retention requirement. As an OSC, you will be required to keep your artifacts and hashing algorithm stored for 3 years.
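
The hash record described in the quoted statement (artifact names, hash values, and the algorithm used) can be built and re-checked as follows. This is an added example, not code from the OMB documents or from this post; it assumes SHA-256, since the page names no algorithm, and uses constructed file names and contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHM = "sha256"  # assumption: the page does not name a required algorithm


def hash_file(path: Path, algorithm: str = ALGORITHM) -> str:
    """Stream the file in chunks so large artifacts are not loaded into memory."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(locker: Path, algorithm: str = ALGORITHM) -> dict:
    """Record the algorithm used plus one name -> hash entry per artifact."""
    files = sorted(p for p in locker.rglob("*") if p.is_file())
    names = {p.relative_to(locker).as_posix(): hash_file(p, algorithm) for p in files}
    return {"algorithm": algorithm, "artifacts": names}


def verify_manifest(locker: Path, manifest: dict) -> dict:
    """Re-hash the locker; report artifacts that changed, vanished or appeared."""
    current = build_manifest(locker, manifest["algorithm"])["artifacts"]
    recorded = manifest["artifacts"]
    return {
        "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
        "missing": sorted(n for n in recorded if n not in current),
        "unlisted": sorted(n for n in current if n not in recorded),
    }


def demo() -> dict:
    """Constructed sample locker: one artifact edited, one added after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        locker = Path(tmp)
        (locker / "access-policy.txt").write_text("Access control policy v1\n")
        (locker / "mfa-config.txt").write_text("mfa=required\n")
        retained = json.dumps(build_manifest(locker), indent=2)  # the record to keep
        (locker / "mfa-config.txt").write_text("mfa=optional\n")  # edited after hashing
        (locker / "new-screenshot.txt").write_text("added after hashing\n")
        return verify_manifest(locker, json.loads(retained))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest outside the directory it covers; otherwise the manifest file itself shows up as an unlisted artifact on the next check.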

C3PAO Appeals

An additional piece of information worth noting from the OMB’s documents is the matter of Certified Third Party Assessment Organization (C3PAO) appeals. It has been widely understood that if an OSC does not agree with a given assessment result, it may formally dispute the assessment by initiating the Assessment Appeal process. The 2.1 documents, however, revealed that this process runs through the C3PAO who conducted the assessment. In other words, the people who “fail” your organization have to reverse the fail themselves, rather than a neutral party doing so. This lays the groundwork for potential conflicts of interest associated with third-party attestation that are likely to play out in a variety of complicated ways over the coming years, so this detail is one to track.


In short, the next iteration of CMMC is on its way, and it may very well arrive faster than expected. Tweaks to the certification process, including senior attestation, expanding evidence locker requirements, and post-assessment appeals, all promise that the release of CMMC information in October 2023 will be a major event for the space. As the fall draws closer, we recommend working toward compliance today. This can be done by identifying the CUI in your systems, familiarizing yourself with your existing contracts, and building your evidence locker. And as always, DCG is available for flexible consultation as your organization works toward compliance.

