
CMMC Rollout: Where to Next?

Several people have asked me about this one. I posted this in the NDIA forum a week or so ago to generate discussion there on the current status of CMMC, and I am reposting it here for the broader audience. Although we might have a great discussion about which of these two trains is rolling toward us, either way something big with growing momentum is coming down the tracks.

Stacy Bostjanick Shares Updated DOD CMMC Rollout Schedule

Ms. Bostjanick has indicated in a couple of forums now that the DoD is projecting an updated CMMC rule release in March of 2023. She and John Ellis have provided some information in public forums on what they "intend" for that to look like. All intentions are subject to rulemaking, and they have been clear that they were sharing their intended results, not guaranteeing that is how things will turn out. Still, for Organizations Seeking Certification (OSCs), those comments, along with the new scoping and assessment guides, offer some insight into what we should prepare for.

1. What can be POAM'd will be limited. The allowance of POAMs, or Plans of Action and Milestones, brought a big sigh of relief from many. We should realize, though, that these are NOT going to be used and applied the way the Federal Government applies them to its own systems under 800-53. The enforcement for contractors is going to be tougher. Admittedly, a POAM used as an unconstrained parking orbit for things you plan to get to someday is not good for the security of our sensitive information. Two constraints are planned for POAMs.

a. First is the 180-day time limit. Items POAM'd at assessment are time-bound to 180 days and subject to a close-out assessment. The plan is to require a different Lead Assessor to return to the OSC and verify that the POAM items are complete. Failure to pass the POAM close-out assessment will result in the loss of the interim certification.

b. Second is that a little over half of all the controls will not be eligible for POAMs; they must be in place at assessment. The DoD assessment methodology used for Basic Self Assessments has a scoring mechanism that weights every control at 5, 3, or 1 point. Only the 1-point controls are planned to be eligible for POAMs.

2. Basic Self Assessments (BSA) of continued compliance will be required annually. Basic Self Assessments are already required every three years (unless you get a DIBCAC Medium or High Assessment, which also counts) for all holders of CUI. Under the planned rule these assessments will need to be attested to by a senior executive of the company. Think C-suite in my view, not the manager of IT compliance. In many companies CMMC is seen as an IT problem and pushed as far down the chain as possible, and the current BSAs were submitted with little oversight other than "we told the DoD what they wanted to hear, right? Roger, boss. 110 out of 110." That will be changing. The C-suite person signing off will be attesting that the company is meeting the controls, and opens themselves personally to False Claims Act risk, particularly where the delta between what was told to the DoD and the reality found on assessment day is significant.

3. A lot more companies think they are in good shape than the DoD does. John Ellis said not long ago that, as of the day of his talk, 19,904 companies had a BSA score in the Supplier Performance Risk System (SPRS) database. The DoD estimates that 80,000 companies hold CUI and will likely require an independent third-party assessment. Of the companies with scores, 75% scored themselves 110 out of 110. Based on two years of DIBCAC assessments, only 25% of all companies assessed met most of the required controls; 75% had seriously deficient programs. Think on that. 75% of the companies reporting believe they are fully implemented, while the DoD assesses that only 25% of companies are even mostly implemented.

a. DIBCAC has announced that it will be starting a new wave of Medium, paperwork-only assessments. The plan is to call a company on Monday and require delivery of its System Security Plan (SSP) by Friday.

b. Also, there is a disconnect between the roughly 20K SPRS scores on file and the DoD estimate of 80K companies that require them. To an extent this is a failure of contracting officers to add submission of these scores to their process, even though it has been required for all new contracts, contract modifications, and extensions since Nov 30, 2020. If you are a company that has NOT submitted an SPRS score and you may handle CUI, consider doing so now. Not having it on file could turn into a crisis when the contracting officer finally asks for it.

4. Asset Management. The Asset Management domain went away with the removal of the Delta 20 controls. Yeah, no more pesky inventory, right? Wrong. Seriously wrong. There is new work, which many have not recognized, in the new CMMC 2.0 Scoping Guide. It greatly expands the definition of assets (which in turn need to be inventoried) and adds the requirement that every asset be categorized into one of five categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets). Time to add a new field to your asset management database and realize that just keeping track of your laptops in a spreadsheet is NOT going to meet the CMMC 2.0 requirements.

5. Evidence. This is not one that John or Stacy have discussed, but it really is a growing realization on my part as we work through the Scoping and Assessment Guides and anticipate the CMMC Assessment Process (CAP) guide. Proving you are doing a control requires work beyond just executing it. Collecting and sharing evidence with an assessor under CMMC 2.0 is going to require real work from the OSC. I believe everyone should be considering the creation of an Evidence Locker: that place in SharePoint, a share drive, etc. where you store your pieces of evidence, mapped to the controls and objectives they support, so you can make them available to an assessor when they arrive. Start that process early. There are a lot of evidentiary requirements.

Of course, as we have been saying all along, your list of what you have to do is not the 110 controls. It is the 320 assessment objectives in NIST SP 800-171A that go along with those controls. If you are not tracking your compliance through the assessment-objective lens, you are missing critical points that will likely cause problems come assessment day.

Thoughts, comments? Do others see it differently? It has been a while since we had a CMMC thread going, so I thought I would drop in an update and see if I could generate some conversation.