Overview of the proposed CMMC 2.0 rule

A screenshot of the home page of the proposed CMMC 2.0 rule.

In this post we provide an overview of the most salient takeaways from the DoD’s proposed CMMC 2.0 rule, with a focus on how the rule will affect small businesses. Note that this is the DoD’s official publication of the CMMC 2.0 rule, which it has been discussing (and which we have been explaining) since it had to “adjust fire” after the ill-received first CMMC model in 2020.

Totem’s thoughts and comments are in [brackets].

The Bottom Line Up Front (BLUF)

Everyone wants to know the numbers to start, so here you go.

The DoD provides the following estimates for the number of businesses in the Defense Industrial Base (DIB):

  • Total DIB: 221,286 entities. Small businesses account for 163,987 or 74%
  • Entities subject to CMMC Level 1: 138,201 = 62%
  • Total CMMC L2 entities: 80,598. L2 self-assessment: 4,000 / 80,598 = 5% [There has been much talk over the years about the “bifurcated” Level 2, where some businesses would not have to have a “certification” assessment from a 3rd party.  The DoD estimates only 5% of businesses will have that option, so don’t get your hopes up!]
  • Total CMMC L3 entities: 1,487

The DoD estimates CMMC will cost the public and the government ~$4B a year, and between $42B – $62B over 20 years. That’s just the assessments, not the implementation of the security requirements. A Level 2 Certification Assessment is estimated to cost a small business ~$105k!!! (Even the L2 self-assessment is estimated at ~$37k)

Assessment costs include:

  • time spent, by OSA (the contractor) and ESP (any relevant third-parties), gathering implementation evidence

  • conducting/participating in the assessment (OSA and ESP)

  • post-assessment work

  • affirmation cost: submit information into SPRS, POA&M closeout

[Concerned about the cost of implementing the cybersecurity standards themselves (FAR 52.204-21 and DFARS 252.204-7012)? Too bad: the CMMC rule is only about assessment, not implementation. The rule refers us to the DoD’s Office of Small Business Programs (OSBP, which runs Project Spectrum) and NIST’s Manufacturing Extension Partnership (MEP) centers for “resource and funding assistance options”.]

"The Department currently has no plans for separate reimbursement of costs to acquire cybersecurity capabilities or a required cybersecurity certification that may be incurred by an offeror on a DoD contract. Costs may be recouped via competitively set prices, as companies see fit."

"Prospective contractors must make a business decision regarding the type of DoD business they wish to pursue and understand the implications for doing so."

Some general notes about the proposed CMMC 2.0 rule

  • Rule comments are due to the DoD by 26 Feb 2024 and are submitted through the docket on regulations.gov.
  • CMMC-related contractual processes (Title 48) will be proposed by the DoD in a separate rule. It is the finalization of that separate rule that will allow the DoD to include CMMC requirements in contracts.
  • DoD PMs will determine which CMMC level applies to contracts / procurements. Service Acquisition Executives or Component Acquisition Executives may waive the CMMC requirement (DFARS clause 252.204-7021) in solicitations or contracts, but contractors will still be required to implement the underlying cybersecurity controls.

"The requiring activity knows the type and sensitivity of information that will be shared with or developed by the awarded contractor..."

[LOL. In our experience the DoD is not familiar enough with the specific types of information developed by the DIB.]

  • Prime contractors will determine CMMC level for subcontractors, if not already defined in the contract.
  • CMMC will be a requirement at the time of contract award, no exceptions. Contractors will need to plan for adequate time to receive a certification before award, accounting for unforeseen delays (e.g. C3PAO scheduling backlogs).

"The three-year validity period should provide adequate time to prepare for and schedule subsequent assessments for certification."

More detailed notes on each CMMC Level

The proposed CMMC 2.0 rule includes a stratified CMMC model with three levels, as shown in the image below. In this section we’ll break down what is expected at each level.

A graphic depicting the models in the proposed CMMC 2.0 rule

CMMC Level 1

Level 1 requires an annual self-assessment for those contractors who only handle Federal Contract Information (FCI), with assessment results entered in the DoD’s Supplier Performance Risk System (SPRS). [Note the DoD will have to update SPRS to handle Level 1 results, as it currently only handles NIST 800-171 self-assessments].  Affirmation by an organizational senior official will also be required annually, through SPRS. 
 
The DoD estimates L1 self-assessment + affirmation will take ~28 total hours, involving multiple staff members.

  • Scoping: all assets that handle (store, process, transmit) FCI, including people, technology, facilities, and External Service Providers (ESP, which include Managed Service Providers, MSP) are in scope for the assessment. (See our notes below about how CMMC affects ESPs.) The Organization Seeking Assessment (OSA, i.e. your company) is responsible for defining the assessment scope. A single entity can define different boundaries for different CMMC Levels. If the scope changes during the “validity period” (3 years), a new assessment may be warranted.

  • Controls: identical to the 15 safeguarding requirements in FAR 52.204-21.

  • Assessment procedures: use the NIST 800-171 assessment objectives for those controls that map to the FAR 52.204-21 controls. (There is a table in the rule that lists these objectives: https://www.federalregister.gov/d/2023-27280/p-1273).

  • Plans of Action and Milestones (POA&M): will not be allowed.  All objectives must be MET; otherwise the organization fails the self-assessment.

CMMC Level 2

There are two types of assessment for contractors who handle Controlled Unclassified Information (CUI): self-assessment or “certification” assessment. Which one applies is “predicated on program criticality, information sensitivity, and the severity of cyber threat.” https://www.federalregister.gov/d/2023-27280/p-317

As with assessments at all levels, senior official affirmation is required after the assessment, annually thereafter, and after POA&M closeout. POA&Ms for select requirements are allowed, but must be closed out within 180 days of the assessment. The two types of assessment are as follows:

Level 2 Self-Assessment

Contractors whose contract calls for a Level 2 Self-Assessment will need to self-assess against NIST SP 800-171A at least every three years. If the organization has a POA&M at the time of assessment (i.e. deficiencies in the cybersecurity program) the result is “Conditional”; only without a POA&M, or after the POA&M is closed out, is the assessment considered “Final”.

The organization is eligible for contract award with either Conditional or Final, as long as the assessment has been affirmed. Self-assessment is required every three years, with annual affirmation. DoD estimates the L2 self-assessment + affirmation to take ~152 hours, of which the ESP spends about 88 hours. [We think this is a bit high, but correct order of magnitude.] The proposed CMMC 2.0 rule makes it sound like all subcontractors of a Prime that has a contractual Certification assessment requirement will be ineligible for a Self-Assessment option:

“If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the Prime contractor has a requirement of Level 2 Certification Assessment, then CMMC Level 2 Certification Assessment is the minimum requirement for the subcontractor.” https://www.federalregister.gov/d/2023-27280/p-1426

Level 2 Certification Assessment

When required by contract, we must hire an “authorized or accredited” C3PAO (CMMC Third-Party Assessment Organization) to perform the assessment against NIST SP 800-171A for us (https://www.federalregister.gov/d/2023-27280/p-1300). Most (95%) of organizations at Level 2 will have to hire a C3PAO.

Here again, if the OSA has a POA&M at the time of assessment the assessment will be considered “Conditional”; without a POA&M or after the POA&M closeout the assessment is considered “Final”. During the assessment, any controls deemed NOT MET can be re-evaluated up to 10 days following the “active” assessment period. The C3PAO will have to do a POA&M closeout assessment [expect to pay more for this].

The organization is eligible for contract award with either a Conditional or Final result plus affirmation. Certification is required every three years (a certification is valid for three years), with annual affirmation. C3PAOs will enter results in a DoD-maintained database called eMASS, which will interface with SPRS. Only a list of artifacts and a hash of each artifact will be uploaded into eMASS; the government will not be collecting your actual documents. C3PAOs will keep “working papers” from the assessment for six years.
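Since the evidence itself stays with you and only the artifact list and its hashes go into eMASS, it is worth building that list yourself before the C3PAO does, and keeping it, so that years later you can prove an artifact is the one that was assessed. The following is an added example of ours (not code from the rule, the CMMC Assessment Process, or any C3PAO tooling): it walks an evidence folder, records a SHA-256 per file, pins the whole list with one digest, and later detects modified, missing, or unlisted files. SHA-256 is our assumption; the proposed rule does not name an algorithm. The evidence tree written by `demo()` is constructed sample data.

```python
"""Build and verify a hash manifest for CMMC assessment artifacts.
Added example; not code from the rule, the CAP, or Totem. SHA-256 is assumed."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence bundles fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each artifact path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_digest(manifest: dict) -> str:
    """One hash over the canonical JSON of the manifest, pinning the whole list."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_manifest(root, manifest: dict) -> dict:
    """Return {path: problem} for artifacts that changed, vanished, or appeared."""
    current = build_manifest(root)
    problems = {}
    for path, digest in manifest.items():
        if path not in current:
            problems[path] = "missing"
        elif current[path] != digest:
            problems[path] = "modified"
    for path in current.keys() - manifest.keys():
        problems[path] = "unlisted"
    return problems


def demo(root=None):
    """Constructed evidence tree (sample data, not real artifacts)."""
    root = Path(root or tempfile.mkdtemp(prefix="cmmc-artifacts-"))
    (root / "policies").mkdir(exist_ok=True)
    (root / "policies" / "access-control.md").write_text("# AC policy v1\n")
    (root / "ssp.pdf").write_bytes(b"%PDF-1.7 sample SSP body")
    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)   # {} while everything is intact
    # Someone edits a policy after the assessment: the manifest catches it.
    (root / "policies" / "access-control.md").write_text("# AC policy v2\n")
    after = verify_manifest(root, manifest)    # {'policies/access-control.md': 'modified'}
    return manifest, manifest_digest(manifest), before, after


if __name__ == "__main__":
    m, d, before, after = demo()
    print(json.dumps(m, indent=2))
    print("manifest digest:", d)
    print("before edit:", before)
    print("after edit:", after)
```

Store the manifest and its digest alongside the working papers; re-running `verify_manifest` against the same folder is then a cheap check that nothing in the evidence set has drifted since the assessment.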

For a small business, the DoD estimates a Level 2 certification assessment + affirmation will take ~310 hours, of which the ESP (MSP) spends about 176 hours. Additionally, it will take the C3PAO 120 hours for a three-person team, i.e. a solid business week, to conduct the assessment. [Again, we think this is a bit high, but the correct order of magnitude.] [The ESP (MSP) estimated hours work out to about $45,000 spent with the MSP, simply to support the assessment!] The assessment results must be checked over by a quality assurance person at the C3PAO, who cannot be a member of the assessment team [more cost to us!] (https://www.federalregister.gov/d/2023-27280/p-1183).

Companies that scored a perfect 110 on a DIBCAC High assessment, including Joint Surveillance Voluntary Assessment (JSVA), within three years of the effective date of the proposed CMMC 2.0 rule are eligible for a CMMC Level 2 Final Certification; however these companies still must submit an affirmation.

  • Scoping: Scoping at Level 2 reads the same as the existing CMMC Level 2 Scoping Guide [which has changed a bit; see the link below]. Note, however, that according to the Scoping Guide, at Level 2 you still have to maintain a separate CMMC Level 1 assessment and affirmation:

“A CMMC Level 2 Self-Assessment or CMMC Level 2 Certification Assessment, regardless of result, does not satisfy the need to assess the FCI environment. If FCI is processed, stored, or transmitted within the same scope as CUI in the CMMC Level 2 scope, then the methods to implement the CMMC Level 2 security requirements could apply towards meeting the CMMC Level 1 assessment objectives. The OSA may choose to conduct the assessments concurrently but two distinct assessments are required.” https://www.regulations.gov/document/DOD-2023-OS-0096-0003

  • The DoD leaves the door open in the rule to remove the -7019 and -7020 clauses from future contracts, but does not make any commitments. https://www.federalregister.gov/d/2023-27280/p-290.

  • Controls: identical to NIST SP 800-171 Rev 2 [Yes, Rev 2 is explicitly called out in the proposed CMMC 2.0 rule many times; DoD needs to address the coupling of CMMC to a specific revision of NIST SP 800-171].

  • POA&Ms: only 1-point controls may be deficient at the time of assessment (plus 3.13.11, if it is scored as a 3-point deduction), and none of the 1-point Level 1 (FAR 52.204-21) controls may be deficient. Your overall score must be at least 88 of 110 (80%). Point values are the same as those in the DoD Assessment Methodology.

CMMC Level 3

CMMC Level 3 adds controls from NIST SP 800-172, for contractors who handle more critical CUI [or what Totem calls “CUI+”]. The DIB Cybersecurity Assessment Center (DIBCAC, an office under the Defense Contract Management Agency, DCMA) will perform this assessment. POA&Ms are allowed as in Level 2, with DIBCAC performing the POA&M closeout assessment. The Level 3 Certification will also last three years. DIBCAC will enter assessment results in eMASS and SPRS. The same Conditional vs. Final distinction applies at this level. Certification must occur at least every three years, with annual affirmation. The DoD estimates the nonrecurring engineering (NRE) and recurring engineering (RE) costs of complying with the additional Level 3 controls at $2.7M and $490,000, respectively. The DoD estimates the Level 3 certification assessment + affirmation will take an additional ~98 hours. [WOW.] The Organization Seeking Certification (OSC) is responsible for maintaining artifacts and hash values of documents associated with the assessment for six years from the date of assessment.

  • Scoping: Same as Level 2, with the addition that Contractor Risk Managed Assets and Specialized Assets are in scope, the latter of which may be protected by an “intermediary device”. [No examples of intermediary devices are provided, but one can suppose a “jump box” is an example (a computer used specifically to provide a proxy interface to another computer).] Additionally, during the Level 2 assessment that is a precursor to the Level 3 assessment, OT and IoT are fully IN SCOPE unless they are physically or logically isolated. Level 3 scope cannot be greater than Level 2 scope; i.e. the Level 3 system must be subject in its entirety to the Level 2 controls as well.

  • Controls: There are 24 additional controls at Level 3, which are a DoD-selected subset of NIST SP 800-172; they are listed in the rule: https://www.federalregister.gov/d/2023-27280/p-1258. All additional controls are worth 1 point each in the assessment scoring system.

  • POA&Ms: the Level 3 score must be at least 80% (with 24 one-point controls, that means at least 20 MET), and none of the following controls may be deficient: 3.6.1e, 3.6.2e, 3.11.1e, 3.11.4e, 3.11.6e, 3.11.7e, 3.14.3e.
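To make the Level 2 and Level 3 POA&M conditions concrete, here is an added example of ours (an illustration, not text or code from the proposed rule or the DoD) that takes a list of NOT MET findings and says whether the result would be Final, Conditional with a POA&M, or not eligible for award. It assumes the point deductions the caller passes in follow the DoD Assessment Methodology, that the five 1-point Level 1 requirements barred from any POA&M are 3.1.20, 3.1.22, 3.10.3, 3.10.4 and 3.10.5 (our reading of the Methodology’s table; verify before relying on it), and that the 80% floor is score divided by total requirements. The findings in `__main__` are constructed.

```python
"""POA&M eligibility check under the proposed CMMC 2.0 rule, Levels 2 and 3.
Added example; not code from the rule, the DoD, or Totem."""
from dataclasses import dataclass

# Level 2 is scored on the 110 NIST SP 800-171 Rev 2 requirements per the DoD
# Assessment Methodology (1, 3 or 5 points each; 3.5.3 and 3.13.11 can take a
# partial 3-point deduction). A POA&M is allowed only at 80% or better.
L2_TOTAL = 110
# ASSUMPTION: the FAR 52.204-21 (Level 1) requirements that carry a 1-point
# value in the Methodology. The rule bars these from any POA&M. Verify against
# the Methodology's scoring table before relying on this set.
L2_LEVEL1_ONE_POINT = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Level 3 is scored on the 24 selected NIST SP 800-172 requirements, 1 point
# each; these seven may never be deficient (listed in the rule).
L3_TOTAL = 24
L3_NEVER_POAM = {"3.6.1e", "3.6.2e", "3.11.1e", "3.11.4e",
                 "3.11.6e", "3.11.7e", "3.14.3e"}


@dataclass(frozen=True)
class Finding:
    """A requirement scored NOT MET and the points deducted for it."""
    requirement: str
    points_deducted: int = 1


@dataclass
class Verdict:
    score: int
    total: int
    result: str        # "Final", "Conditional" (POA&M allowed) or "Not eligible"
    blockers: list


def _finish(score, total, blockers, findings):
    if not findings:
        return Verdict(score, total, "Final", [])
    if score * 10 < total * 8:          # integer form of score/total < 0.8
        blockers.append(f"score {score}/{total} is below the 80% floor")
    return Verdict(score, total, "Not eligible" if blockers else "Conditional", blockers)


def level2_verdict(findings):
    """Apply the Level 2 POA&M conditions to a list of NOT MET findings."""
    score = L2_TOTAL - sum(f.points_deducted for f in findings)
    blockers = []
    for f in findings:
        if f.requirement in L2_LEVEL1_ONE_POINT:
            blockers.append(f"{f.requirement}: Level 1 requirement, never POA&M-eligible")
        elif f.requirement == "3.13.11":
            # CUI encryption: POA&M-eligible only at the partial (3-point) deduction
            if f.points_deducted > 3:
                blockers.append("3.13.11: full 5-point deduction is not POA&M-eligible")
        elif f.points_deducted > 1:
            blockers.append(f"{f.requirement}: {f.points_deducted}-point requirement "
                            "is not POA&M-eligible")
    return _finish(score, L2_TOTAL, blockers, findings)


def level3_verdict(findings):
    """Apply the Level 3 POA&M conditions; every Level 3 requirement is 1 point."""
    score = L3_TOTAL - len(findings)
    blockers = [f"{f.requirement}: never POA&M-eligible at Level 3"
                for f in findings if f.requirement in L3_NEVER_POAM]
    return _finish(score, L3_TOTAL, blockers, findings)


if __name__ == "__main__":
    # Constructed findings: a 1-point gap plus FIPS-validation-only gap on 3.13.11
    print(level2_verdict([Finding("3.3.3"), Finding("3.13.11", 3)]))
    print(level2_verdict([Finding("3.5.3", 3)]))     # partial MFA: 3 points, not eligible
    print(level3_verdict([Finding("3.4.1e"), Finding("3.6.2e")]))
```

The check is deliberately strict in one respect: it reports every blocker rather than the first, so a readiness review sees the whole list of items that must be MET before the assessment rather than discovering them one at a time.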

How the proposed CMMC 2.0 rule affects External Service Providers (ESP)

The proposed CMMC 2.0 defines an External Service Provider (ESP) as:

“external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data ( e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)” https://www.federalregister.gov/d/2023-27280/p-1066

If we use an ESP as defined above, the ESP must have a CMMC level certification equal to or above our own:

“If an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking. For example, if an OSA is seeking a CMMC Level 2 Certification Assessment the ESP must have either a CMMC Level 2 Certification Assessment or a CMMC Level 3 Certification Assessment.”

[So basically all of our external IT and security operations service providers will need their own CMMC certification.  This drastically increases the number of organizations that need CMMC certifications. How ESPs are supposed to get certified without access to SPRS (a CAGE code is required) is not clear at all from the proposed rule.]

ISPs and telecom providers are not subject to CMMC, unless they are defense contractors, as long as CUI is encrypted in transit through their services. Cloud Service Providers (CSP) that handle CUI must be FedRAMP Moderate (or above) authorized or, for an OSA doing a CMMC Level 2 self-assessment, may meet “equivalency” if the CSP provides its SSP and Customer Responsibility Matrix (CRM) to the OSA for review.

The proposed CMMC 2.0 rule will be implemented in phases

The DoD plans to phase CMMC 2.0 into contracts over a three year period to:

“ensure adequate availability of authorized or accredited C3PAOs and assessors to meet the demand”. https://www.federalregister.gov/d/2023-27280/p-391

DoD anticipates it will take two years for existing contract holders to become CMMC certified.

“DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations issued on or after October 1, 2026”. https://www.federalregister.gov/d/2023-27280/p-230.

Government Program Managers (PM) will have ultimate discretion over contractual inclusion until then.

“An extension of the implementation period or other solutions may be considered in the future to mitigate any C3PAO capacity issues, but the Department has no such plans at this time.” https://www.federalregister.gov/d/2023-27280/p-236.

“…the Department will issue policy guidance to government Program Managers to govern the rate at which CMMC requirements are levied in new solicitations.” https://www.federalregister.gov/d/2023-27280/p-284

Phase 1: begins effective date of the final rule [assuming the Title 48 acquisition rules are finalized before then]. At this point, a CMMC Level 1 and Level 2 self-assessment requirement goes into all solicitations, contracts, and some existing contract options (this latter part at the DoD’s discretion). CMMC Level 2 certification assessments may be required at DoD discretion.

Phase 2: begins six months after beginning of Phase 1. In this phase, CMMC Level 2 certification requirements will go into all applicable solicitations, contracts, and some existing contract options. CMMC Level 3 certifications may be required at DoD discretion.

Phase 3: begins one calendar year after the beginning of Phase 2. In this Phase, CMMC Level 2 and Level 3 certification requirements (where applicable) are injected into all contracts, except for CMMC Level 3 certifications in contract option periods, which can be required at DoD discretion.

Phase 4: begins one calendar year after the beginning of Phase 3. All new solicitations and contracts have CMMC 2.0 requirements. [Note that depending on how quickly the DoD can get the proposed CMMC 2.0 rule as well as the associated Title 48 rule finalized, the Phase 4 implementation date may be past the 1 October 2026 target date.]

Notes on the "Ecosystem" of Assessors, Cyber AB, C3PAO, and CAICO

  • There will be one Accreditation Body for CMMC, the Cyber AB, whose mission is to accredit C3PAOs. It will also oversee the Cybersecurity Assessor and Instructor Certification Organization (CAICO).

  • The DoD CMMC Program Management Office (PMO) will subject prospective C3PAOs to FOCI (foreign ownership, control, or influence) risk assessments.

  • C3PAO are required to have an appeals process, managed by the quality assurance staff, which can be escalated to the Cyber AB, which will have final authority. Disputes about the CMMC Level in the contract will have to be directed to the government Contracting Officer. There is no minimum time to wait after a failed assessment to schedule another assessment. https://www.federalregister.gov/d/2023-27280/p-242.

  • Members of the Cyber AB will be prohibited from participating in CMMC activities for six months after leaving the AB. [Six months is not enough; huge Conflict of Interest opportunities working to accredit C3PAO and then be able to join their staff six months later.]

  • The Cyber AB is responsible for policing conflicts of interest and professional conduct in the ecosystem.

  • Ecosystem members cannot participate in an assessment of an organization for whom they helped prepare for the assessment.

  • Ecosystem members must report to the Cyber AB any civil or criminal offense related to fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense.

  • All C3PAO assessment team members will have to undergo a Tier 3 background investigation, or meet “the equivalent of a favorably adjudicated Tier 3 background investigation.” https://www.federalregister.gov/d/2023-27280/p-1170

  • CAICO is responsible for training, testing, authorizing, certifying, and re-certifying CMMC assessors, instructors, and related professionals. Certifications are good for 3 years.

  • Certified CMMC Assessors (CCA) must 1) be a Certified CMMC Practitioner (CCP), 2) have three years of cybersecurity experience, 3) have one year of assessment/audit experience, and 4) hold an industry baseline certification, e.g. Security+, CISSP, CISA, etc. The lead CCA on an assessment must have five years of cybersecurity experience, five years of management experience, three years of assessment/audit experience, and a baseline cybersecurity management cert, e.g. CISSP, CISM, etc. CCAs are tightly restricted as to what IT they can use in the assessment:

“Only use IT, cloud, cybersecurity services, and end‐point devices provided by the authorized/accredited C3PAO that they support and has received a CMMC Level 2 Certification Assessment or higher for all assessment activities. Individual assessors are prohibited from using any other IT, including IT that is personally owned, to include internal and external cloud services and end‐point devices, to store, process, handle, or transmit CMMC assessment reports or any other CMMC assessment-related information.” https://www.federalregister.gov/d/2023-27280/p-1223

  • CCI (Instructors) cannot also provide CMMC consulting services. [So this means instructors aren’t allowed to keep up with actual practice. Totem has submitted a comment on this.]

  • CCP can participate in CMMC L2 assessments with CCA oversight.

Miscellaneous notes and tidbits about the proposed CMMC 2.0 rule

  • When determining labor costs, the DoD’s cost of labor increase factor for benefits is 51% for government employees and 30% for private sector. [LOL, who said government jobs weren’t worth it?]

  • “Periodically”, when used in the rule and in our cybersecurity programs, means no less frequently than once a year. https://www.federalregister.gov/d/2023-27280/p-1080

  • “Fundamental research” that is “shared broadly within the scientific community” is by definition NOT FCI/CUI: https://www.federalregister.gov/d/2023-27280/p-185

  • CMMC is applicable to joint ventures (JV) if they operate a covered system.

  • “Organization-defined” means determined by the OSC/OSA: https://www.federalregister.gov/d/2023-27280/p-1259

  • The components you use to connect to a CSP that handles CUI are in scope: https://www.federalregister.gov/d/2023-27280/p-1331. [This means BYOD and any other devices, even those connecting to VDI solutions, are in scope. This is unfortunate wording, and Totem Tech has submitted a comment on this.]

  • DoD states in Section 170.24(c)(2)(i)(5) “Future revisions of NIST SP 800–171 Rev 2 may add, delete, or substantively revise security requirements.” https://www.federalregister.gov/d/2023-27280/p-1449 [To us this indicates that the DoD has perhaps mistakenly referred specifically to “Rev 2” throughout the entire rule, as “Rev 2” will not be revised, 800-171 will be revised into Rev 3.]

  • Government systems operated by contractors are not covered by this rule.

Wrapping up

So there you have Totem’s notes and comment on the proposed CMMC 2.0 rule.  Admittedly, it’s a lot.

If you’re facing CMMC assessment at any level, and not sure where to start, check out our CMMC Compliance Roadmap.  

Once you’re ready to start on your journey, join us in one of our quarterly CMMC Readiness Workshops.  We keep the cohort size small, to maximize your time asking us questions about your organization’s compliance.

If you just want to complain about CMMC, we feel ya.  Hit us up on LinkedIn and commiserate 😉

Good Hunting everyone!

–Adam
