
CMMC Takeaways

By CyberData Pros
March 11, 2024

With the proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program published at the very end of last year, many organizations have only just gotten around to working out what it means for them. The rule is expansive and takes time to digest, so we have pulled out a few key takeaways relevant to any organization that is thinking about CMMC and what it will require.


95% of Level 2 contracts will require C3PAO assessments. Nearly all contractors that handle Controlled Unclassified Information (CUI) under Level 2 contracts will need to be assessed by a Certified Third Party Assessor Organization (C3PAO) to achieve certification. Level 1 only requires an annual self-assessment, but do not expect the same for Level 2: only a very limited number of Level 2 contracts will allow a self-assessment in place of a C3PAO assessment.


Only 1-point controls can be placed on a POA&M, and not all 1-point controls qualify. This differs from what we were hearing in the months before the rule was released. The expectation was that only the controls worth 5 points under the NIST SP 800-171 DoD Assessment Methodology (the scoring reported in the Supplier Performance Risk System, or SPRS) would have to be fully implemented at the time of assessment. Instead, every 3-point control and a small set of 1-point controls must be in compliance at the time of assessment and cannot be deferred to a Plan of Action & Milestones (POA&M), and an organization must still reach a minimum overall score to be eligible for a POA&M at all. The encryption requirement (FIPS-validated cryptography) is a special case: it allows partial credit under the scoring methodology and is also eligible for a POA&M.


Annual affirmations are required at every level of CMMC. At each level your organization will need to submit either a self-assessment or an affirmation of continued compliance every year. C3PAO certification assessments are only required every three years, but you are expected to maintain your security program continuously between them, and you will prove that through an annual affirmation signed by a senior official with responsibility for the information system in scope.


A perfect JSVA score with no open POA&M items can be transferred directly to a Level 2 certification. An exciting part of the proposed rule is that an organization that completes a Joint Surveillance Voluntary Assessment (JSVA) with a perfect score (110/110) and no open POA&M items can have that assessment converted directly into a Level 2 CMMC certification. If your organization has already been aligning itself to DFARS 252.204-7012, you may be ready for CMMC now and could get a leg up on the competition by going through the JSVA process before CMMC rolls out. That would let you skip the C3PAO assessment queue, which will almost certainly be backlogged, and reward your organization for its investment in cybersecurity.


With the comment period wrapping up and the rulemaking process moving into the response to public comments, we hope to see a final rule released with urgency. Regardless, there is a lot to like in the changes from CMMC 1.0 to CMMC 2.0, and we will likely see a few more improvements in the final rule before the end of this year. If your organization is preparing for CMMC, we hope these takeaways help guide your strategic thinking in the meantime.