CMMC Rollout, Waivers, & Self-Assessments, Oh My!

Thanks to a recently released memo from the Defense Secretary’s office, we’ve received some clarification on what to expect from the CMMC program in terms of rollout, waivers, and the availability of self-assessments. Let’s break down the key points and discuss the implications for DoD contractors.

On January 17th, the Office of the Secretary of Defense cleared a memo for public release with the subject Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements — talk about a mouthful!

Fortunately, this memo includes insights which live up to the leviathan subject line. The memo is directed to contracting officers (COs) who will be responsible for preparing solicitations on behalf of the DoD and provides answers to questions many within the DIB have expressed regarding several key areas of the CMMC program.

TL;DR – CMMC Rollout, Waivers, & Self-Assessments

  • Level 1 will be required for all contractors upon finalization of the Title 48 rule.

  • Self-assessments will only be permitted at Level 2 for contracts which do not include information under the “Defense” organizational index category in the NARA CUI registry.

  • There is no expectation of waivers at Level 1. At Level 2 and Level 3, the certification requirement (a third-party audit) may be waived, but the self-assessment requirement (and, at Level 3, a potential DIBCAC audit) may not.

  • Reiterated multiple times throughout the memo is the insistence that a waiver of certification does not negate the underlying requirements. Organizations must still implement the required controls to ensure the protection of government data.

Rollout Timeline

According to the recent memo, all procurement requests where contractors (including subcontractors) may handle Federal Contract Information (FCI) must include CMMC Level 1 “upon publication of the final Title 48 CFR DFARS rule.” Based on publication of related regulations, this will mean organizations need to be able to demonstrate Level 1 compliance 60 days after publication of the rule.

Nonetheless, organizations should ensure they are compliant with the 15 requirements of FAR 52.204-21 as soon as possible. Given the small number of requirements, Level 1 serves as a good starting point for organizations which will ultimately need to achieve Level 2 or 3, as discussed in our previous blog post Don’t Overlook Level 1: Foundations of CMMC Success. Doing so will limit the possibility of missteps at the starting line once the Title 48 rule is finalized.

There are no major updates when it comes to the rollout of CMMC Level 2 and Level 3. Level 2 will be required 12 months after publication of the rule. Level 3 will be required “when DoD policy requires the application of [NIST SP] 800-172.” Per the DoD CIO's phase-in timeline, this is expected to be 24 months after publication of the rule.

Self-Assessments

We already knew Level 1 would require only self-assessment, so there are no revelations there. However, there is some new information regarding the applicability of self-assessments for Level 2.

As indicated in the final CMMC rule (32 CFR 170), self-assessments will be permitted for Level 2 at the discretion of the CO, but the memo clarifies that self-assessments will not be permitted for any organization handling CUI which falls under the “Defense” organizational index grouping within the NARA CUI registry. This includes:

  • Controlled Technical Information

  • DoD Critical Infrastructure Security Information

  • Naval Nuclear Propulsion Information

  • Privileged Safety Information

  • Unclassified Controlled Nuclear Information – Defense

This indicates that self-assessments will not be used as a way to “ease into” the CMMC requirements. Organizations which anticipate handling Defense-specific CUI should be prepared to need certification 1 year from the finalization of the Title 48 rule. Given that it can take 12-18 months for organizations to implement the required security controls, schedule and undergo a C3PAO audit, and receive certification, contractors should begin planning now to ensure they have sufficient time for preparation.

Unsurprisingly, given the expectation for it to apply to particularly sensitive forms of CUI, Level 3 provides no allowance for self-assessment. This brings us to our next point…

Clarification on Level 3 Scope

The memo provides long-awaited guidance on the types of information which will fall under the requirement for Level 3 certification. This includes “mission critical or unique technologies” based on the following factors:

  • “CUI associated with a breakthrough, unique, and/or advanced technology;

  • “Significant aggregation or compilation of CUI in a single information system or IT environment; and

  • “Ubiquity - when an attack on a single information system or IT environment would result in widespread vulnerability across DoD.”

Level 3 was expected to be required for highly sensitive information, so these factors illuminate the areas which will be targeted. For example, artificial intelligence research will likely fall under the classification of “breakthrough, unique, and/or advanced technology,” especially given the Vice President’s recent comments about the importance of American AI technology during a trip to the Artificial Intelligence Action Summit in Paris.

The second and third factors imply that targets for the Level 3 requirement will include (a) contracts including large swaths of CUI across a range of categories and (b) large contractors whose security directly impacts that of the DoD and other partners. This makes sense, given that a security breach affecting an organization with access to a substantial amount of CUI or a prime contractor with many subs would have a more detrimental impact than a breach affecting an organization with only a limited amount of CUI or one lower in the supply chain.

Fortunately, the memo also indicates a Security Classification Guide must be provided with Level 3 contracts to “allow for the segregation of information such that information that need not be covered by CMMC Level 3 can be handled appropriately at [lower certification levels].”

This clarification will make it easier for a large prime contractor to differentiate certification level requirements among its subcontractors, rather than flowing down the Level 3 requirement to all subs. The memo calls out that extraneous flowdown of Level 3 requirements through the supply chain would incur “significant cost to the program,” which is a refreshing consideration for the burden of compliance imposed by CMMC.

Waivers

The memo provides guidance for COs with regard to options for waiving certification requirements. However, it repeatedly mentions that waiving the certification requirement is not a waiver of the responsibility to implement the underlying controls. The memo references other existing regulations within DFARS which mandate these controls, regardless of the CMMC program.

As for Level 1, the memo specifically states, “There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements.” Since these are defined as the “basic safeguarding” requirements for all government contractor systems in FAR 52.204-21 and the CMMC program mandates only a self-assessment, this is an unsurprising development.

At Level 2, the memo differentiates between waivers for self-assessments versus certification. Similar to Level 1, the memo specifies there are “no circumstances likely to warrant [waiver of] CMMC Level 2 self-assessment requirements.” The memo cites the DFARS 252.204-7012 requirement for contractors with access to CUI to implement the NIST SP 800-171 controls and the DFARS 252.204-7019 requirement for self-attestation of their implementation as the reasoning for this decision.

For contracts where Level 2 certification would be required, waivers may be permitted “in rare circumstances.” However, any solicitation including a certification waiver will require an “alternative protection plan” to be submitted by the contractor and reviewed as part of the selection process. This implies that, while receiving a waiver for certification may be permitted when bidding on a contract, lack of certification could still be a contributing factor in whether an organization is selected for award.

The memo similarly states that Level 3 assessment requirements may be waived. However, it refers only to third-party assessments and does not appear to indicate that assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can be waived, given Level 3’s applicability to “mission critical technologies and programs.”

Closing Thoughts

The recent Defense Secretary memo providing guidance on CMMC level and assessment requirements answers several of the most common questions which have been posed by members of the DIB. This clarification will help organizations proactively assess their compliance needs as we get closer to the go-live date for CMMC.

At Triumvirate Cybersecurity, we specialize in guiding organizations through the intricacies of NIST SP 800-171 implementation and CMMC compliance. As a Cyber AB Registered Practitioner Organization (RPO) led by the former IT security & compliance lead for one of the first 50 organizations to pass a CMMC early-adopter JSV assessment, we’re uniquely qualified to answer your questions and assist you on your path to certification.