Here we are sitting in the final quarter of 2021 still waiting on the Department of Defense (DoD) to provide any guidance around potential changes to the Cybersecurity Maturity Model Certification (CMMC) requirement. 2021 seemed like the year we would start receiving some much needed clarification into the CMMC requirements since the Defense Federal Acquisition Regulation Supplement (DFARS) published the Interim Final rule in late September 2020 that went into effect at the end of November 2020 introducing 252.204-7019, 7020, & 7021. The anticipation was for the CMMC 3 Party Assessment Organization’s (C3PAO) to start entering the marketplace to begin the measured roll out of CMMC over the next 5 years. Where do we stand today in regards to CMMC? Pretty much where we have been standing for some time now. At the starting line.
In late March of 2021, the DoD initiated a review of the CMMC. Since then, the DFARS Interim Final Rule has been awaiting a review report tasked by the Defense Acquisition Regulations Council (DARC) Director to review public comments and provide a report. The last scheduled due date was late in September which was pushed out again to November 3rd, 2021 (2019-D041). This has left a mixed feeling from the Defense Industry Base on how long or if CMMC will make it through the review process. In my opinion CMMC will survive the process since so much time has already been invested and the question become what will be different once the changes are made. If I had to pull out my crystal ball based on experience in other certification models like Payment Card Industry Data Security Standard (PCI DSS) and Health Information Trust Alliance (HITRUST) I will say that there will be some type of self-assessment type option for CMMC Level 1 with review and introductions of an interim assessment between audits.
What to do today?
If you have not already completed your NIST 800-171 self-assessment then that would be an excellent place to start. With the DFARS Interim Final the requirements of a NIST 800-171 self-assessment to the Supplier Performance Risk System (SPRS) came into effect if bidding on any new contract work with the DoD. Many of the DIB have already submitted if not working towards completing their self-assessment submission to the SPRS. When submitting you information though it is important to note that the information should be accurate and that it can be backed up through documentation and technical controls. The reason is that those controls and documentation if not actually in place can/will come back to bite you in the event of a breach or through a whistleblower complaint. The Department of Justice (DoJ) in October 2021 announced that they will be cracking down on DIB not adequately protecting DoD information. Deputy Attorney General, Lisa Monaco, mentioned that the DoJ will “extract very hefty fines” along with protecting any whistleblowers that bring DIB violations to light. This becomes a lot more burdensome for a DIB to dispute allegations if the evidence to prove otherwise is sitting right in the SPRS.
Robert Metzger, a well-known attorney on Procurement, Cyber & Supply Chain Law, co-authored a paper just on that topic. With the Interim Final Rule introducing DFARS 252.204-7019 & 7020 this provides “the DOD with visibility into the extent of a contractor’s actual technical compliance with the 7012 clause and NIST SP 800-171”. Albeit tempting to get a perfect score it is explained that it is very important to accurately document and follow through with documented Plan of Actions and Milestones (POAMs) in your submission or risk opening yourself up to the DoJ if they come knocking at your door.
More Info
For additional information on CMMC preparation, contact us at info@ktlsolutions.com. KTL Solutions is a CMMC Registered Provider Organization with CMMC-RP’s on staff to assist you.