As part of our continued commitment to helping organizations prepare for CMMC, we are curating some of the most relevant frequently asked questions from authorized resources and providing an overview of them in our CMMC FAQ series.
What is the DFARS Interim Rule and how does it impact CMMC and DOD prime and subcontractors?
The DFARS Interim Rule is a rule issued by the Department of Defense that went into effect on December 1, 2020. The new rule applies to all contractors who are subject to DFARS 252.204-7012 clause, which is based on the contractors handling CUI. The rule will therefore apply to all DoD primes and subcontractors who are in possession of CUI. The DFARS Interim Rule will be in effect from December 1,2020 until the successful implementation of CMMC in the next 5 years. This Interim Rule includes three new clauses:
DFARS Clause 252.204-7019 outlines a requirement that all contractors (primes and their subcontractors) that handle CUI must complete a new NIST 800-171 Self-Assessment, which contains a new scoring methodology, and post this self-assessment score in the DoD’s Supplier Performance Risk System (SPRS). The assessments must be completed, and scores posted before a contract can be awarded to a contractor. The self-assessment also requires a completed System Security Plan (SSP) and a Plan of Action and Milestones (POAM) for all 800-171 requirements that are currently not being met by the contractor’s system.
Finally, the Defense Contract Management Agency (DCMA) will be conducting random audits of these self-assessments to ensure that primes and their subcontractors are accurately self-assessing their systems.
DFARS Clause 252.204-7020 states that the DoD will conduct the assessments for Medium or High-risk contractors. The clause itself outlines this process. Contractors are required to provide the DoD with access to their facilities, systems, and personnel for the DoD to conduct these assessments. The DoD will then post the summary of these scores within the SPRS (e.g., 100 out of 110 requirements met) as well as an expected implementation date for all requirements to be implemented. The contractor in question will then have 14 days to rebut any findings in question and/or provide evidence for controls that could not be assessed by the DoD during the initial assessment. The contractor also must insert the substance of this clause into all subcontracts.
Finally, DFARS Clause 252.204-7021 defines the scope and requirements for the CMMC itself. This clause includes the definition of a current CMMC score (No older than 3 years), the requirement to maintain CMMC certification throughout the duration of the contract, and the requirement for subcontractors to also maintain a CMMC certification.
How do you pass CMMC certification assessment?
The answer to this question depends on what level of CMMC assessment you are required to undergo. The requirements for a Level 1 assessment are significantly different from the requirements for a Level 3 assessment, which are significantly different from a Level 5 assessment. A Level 1 assessment consists of 17 CMMC Practices which must be met before CMMC certification can be awarded. A Level 2 assessment is 72 total CMMC Practices, a Level 3 consists of 130 total CMMC practices, a Level 4 is 156 total CMMC Practices, and a Level 5 consists of 171 total CMMC Practices. The best place to determine what Level of CMMC assessment your organization will require is the specific contract that is being bid on, which going forward, should include a required level. However, for contracts already in place, if you are a prime or subcontractor for a prime in possession of DoD CUI, you will at least need a Level 3 assessment.
With that said, there is currently no way to pass a CMMC assessment. A CMMC assessment must be completed by a C3PAO, who themselves need to undergo CMMC certification. At the time of writing, there are no C3PAO firms authorized to conduct a CMMC assessment, which is where DFARS Interim Rule comes into play. In the meantime, to prepare your organization for a CMMC assessment, your organization should examine the latest CMMC documentation and determine which CMMC practices are in place, and which are still being implemented. All practices within the CMMC assessment your organization is undergoing must be implemented prior to the assessment. To achieve certification, all practices at the CMMC level being assessed must be in place in order to be certified and the CMMC does not allow for Plans of Actions & Milestones (POA&Ms). The CMMC-AB does however allow for a 90-day remediation period, wherein a contractor has 90 days to remediate any findings identified by the C3PAO. If a practice is not in place after 90 days, the Organization Seeking Certification must restart the CMMC assessment process.
What happens if your C3PAO determines that a practice has not been implemented sufficiently?
If your C3PAO has determined that a practice has not been sufficiently implemented, as currently outlined by the CMMC AB, your organization will have a period of 90 days to remediate these practices and conform to the CMMC practice. But not all practices are equal in terms of their difficultly to remediate. For some gaps, this 90-day period may be sufficient for remediation, but other practices may take longer. In the event that a gap cannot be remediated within 90 days, your organization will have to reapply for an assessment after the gap has been addressed and begin the CMMC certification process again.
What organizations make up the CMMC ecosystem?
Function within CMMC Ecosystem
Department of Defense
Created the CMMC Framework
Defense Industrial Base
The organizations that the DoD uses as an industrial asset, of direct or indirect importance for producing equipment or services for the Nation’s armed forces.
CMMC Accreditation Body
Validates CMMC assessments and credentials organizations within the CMMC Ecosystem
CMMC Assessors and Instructors Certification Organization
Arm of the CMMC-AB that is responsible for training and certifying assessors
Registered Provider Organization
Organizations that can performing consulting work related to the CMMC framework
Employee at an RPO who performs the consulting work
CMMC Third-Party Assessor Organization
Organizations that can perform CMMC assessments.
Organization Seeking Certification
Organization that is undergoing a CMMC assessment.
Can participate in a CMMC assessment under the supervision of CA-1 and higher-level assessor
Certified CA-1 Assessor
Can perform a CMMC ML-1 assessment and supervise a CP
Certified CA-3 Assessor
Can perform a CMMC ML-1 or ML-3 assessment and supervise a CA-1 or lower-level assessor
Certified CA-5 Assessor
Can perform any level of CMMC assessment and supervise any level of assessor
What CMMC certification level is required for prime and subcontractors that possess CUI?
The level required for CMMC that prime and subcontractors will need to meet will be dependent on their contracts and the information they obtain from the government. If an organization possesses CUI, the organization will be required to be at least CMMC level 3, however the Department of Defense has indicated that they will specify the required CMMC level in both Requests for Information and Requests for Proposals. Depending on the type of CUI, organizations may be required to be certified at level 4 or 5.
How should an organization prepare for CMMC certification?
As the CMMC certification requires all controls in place and operating effectively to be certified, we recommend working with an independent party that has CMMC experience prior to engaging in the CMMC assessment. The independent party can perform a gap or readiness assessment to determine if you are meeting the controls at your desired CMMC level before you attempt the certification review.
Before working with an independent party to perform a gap or readiness assessment, it is critical to review the CMMC level 1 and CMMC level 3 assessment guides, which can be found at: https://www.acq.osd.mil/cmmc/draft.html. These guides will provide the required background knowledge for your organization to determine which CMMC practices the organization needs to meet for the level of CMMC certification being sought. Within these assessment guides are the specific CMMC practices that must be in place as well as the processes that must be in place to support these practices. Policies should be written to fulfill these processes. As an example, the process to support Access Control (AC) practices states that organizations must “Establish a policy that includes Access Control”.
Finally, the entire IT environment does not require CMMC assessment and certification. Only portions of the environment that store, process, transmit, or receive CUI and FCI are required to undergo CMMC certification. Therefore, your organization should analyze the environment to determine which portions of the environment contain CUI and FCI. To simplify the implementation of CMMC practices and CMMC assessment, the portions of the environment containing CUI and FCI can be isolated within a network enclave. Segmenting this portion of the network or system from the general IT environment will reduce the scope of the assessment and simplify the implementation of CMMC practices.
When will an organization need to be CMMC certified?
An organization will need to be certified at the required CMMC level specified in the contract to obtain the contract for work from the DoD. The DoD has indicated it plans to do a phased rollout of CMMC requirements within prime contracts starting in FY21 with approximately 15 pilot contracts, continuing to increase that roll out over the next 5 years, including rolling out CMMC level 5 requirements in contracts starting in FY22. As it currently stands, all DOD prime and subcontractors will need to be CMMC certified at the appropriate level specified in their contracts by 2026.
How will third parties such as managed security providers (MSPs) and cloud service providers (CSPs) impact an organizations CMMC certification requirements?
A contractor can inherit practice objectives. A practice objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice objective. Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met. For each practice objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited. If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a “NOT MET” for the practice.
What type of evidence is required to prove that each practice has been implemented?
There are three types of objective evidence that are recognized by the assessor. For each practice, two out of the following types of evidence will be required:
Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects or artifacts to facilitate understanding, achieve clarification, or obtain additional evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as evidence in an assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project processes that can be mapped to one or more CMMC practices and those artifacts must be produced by people who implement or perform the processes.
Interviews: The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as evidence in an assessment, it must demonstrate the extent of implementing, performing, or supporting the host, supporting function or enclave processes that can be mapped to one or more CMMC model practices; interview affirmations must be provided by people who implement, perform, or support processes.
Tests: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as evidence in an assessment, it must pass its requirements and criteria while being observed by the CA and assessment team. Any failed test results in a failed CMMC practice/control or process.
What is Federal Contract Information (FCI)?
FCI is information that is not meant to be released to the public and is provided by or created for the Government under a contract during the development or delivery of a product or service. FCI does not include information that the Government provides to the public, such as the data on public Government websites, or transactional data used to process payments by the Government. If your organization is only in possession of FCI and not CUI, you will only need a Level 1 assessment performed.
How much will a CMMC assessment cost?
The answer to this question depends on a number of factors. First and foremost is the level of CMMC certification that your organization requires. A CMMC ML-1 assessment consists of 17 CMMC practices and an ML-5 assessment consists of 171 CMMC practices. Because of the differences in the number of practices being assessed at each level of CMMC certification, a higher-level assessment will cost more than a lower level CMMC assessment. The second factor that will have a direct effect on the cost of the assessment is the scope and complexity of the environment being assessed. A relatively simple system or network segment will cost level overall to assess than a situation where the C3PAO must assess the entire IT environment. Katie Arrington, Chief Information Security Officer for the Acquisition Office of the DoD has estimated that a level 1 CMMC assessment could cost as little as $3,000-$5,000, however, these numbers are only estimates based upon the currently outlined CMMC requirements. As these requirements change, so will these estimates, where they may increase or decrease.
In addition to the certification assessment cost, organizations will also have to consider costs associated with preparing for a CMMC assessment (i.e. consultants, gap analysis, etc.) and purchasing technology necessary for meeting CMMC requirements (i.e. SIEM tools, Firewalls, etc.).
The more important item to note is that for current DoD contractors, the cost of the CMMC assessment and remediations that fall under the 90-day remediation period are considered as allowable costs by the DoD. This means that current defense contractors are able to be reimbursed for the cost of having the assessment performed and validating the remediation efforts. It is critical to note, however, that the initial costs of actually getting the environment ready for the CMMC assessment are not considered allowable costs at this time and will be paid fully by the Organization Seeking Certification.
Do you need to use GCC High to meet CMMC requirements?
No. This is a common question related to CMMC compliance, so common in fact, that Regan Edens of the CMMC Accreditation Body (CMMC AB) has even addressed this question back in early 2020. The answer provided is that GCC High is not a requirement to meet any level of CMMC assessment. The current commercial and GCC versions of Office 365 can be configured to meet all the requirements of NIST 800-171, which the CMMC framework is based upon. Because of this, GCC High is not a requirement to pass a CMMC assessment, but when using the commercial or GCC versions of Office 365, extra attention should be paid to the configuration of the environment to ensure compliance with NIST 800-171 and CMMC practices is implemented correctly.
With this comes a large caveat, however. If you are a current contractor with the Department of Defense and subject to DFARS clause 252.204-7012 (DFARS or DFARS 7012), GCC High is the only offering from Microsoft for Office 365 that can be configured in a manner that is compliant with the DFARS 7012 requirements. This also holds true for manufacturers, exporters, and brokers of defense articles or defense services who are subject to International Traffic in Arms Regulations (ITAR). If your organization falls into either of these categories, GCC High will meet all the CMMC framework practices, at any level of assessment, when configured correctly. In either case, your organization should already be in GCC High, though some contractors do make the choice to ignore this, running the risk of falling out of compliance with DFARS 7012 and ITAR.
If you believe that your work with the DoD may expand after achieving CMMC compliance, migrating to GCC High might make sense in the long term.
Are prime contractors and subcontractors required to complete a NIST 800-171 self-assessment in the Supplier Performance Risk System (SPRS) since the DFARS interim rule went into effect on November 30, 2020?
Beginning on November 30, 2020, contracting officers will have to confirm that an organization has an active SPRS assessment in its system before awarding a new contract or exercising an option under an existing contact where the contractor or offeror is required to implement NIST 800-171. The assessment in SPRS cannot be older than three years.
Based on the above, November 30, 2020 is not a deadline for every contractor and subcontractor. However, if you are a prime contractor and you are planning to bid on a new contract with DFARS 252.204-7012 included or a current contract with DFARS 252.204-7012 included that has an exercise option looming, then it is highly recommended that you complete a self-assessment in SPRS system as soon as possible.
Should I enter my self-assessment into SPRS even if my score is low or even negative?
It is unclear on how the DoD will use the scores entered in SPRS when awarding contracts and if the actual score will impact decisions. Since contracting officers will have to confirm that an organization has an active SPRS assessment in its system before awarding a new contract or exercising an option under an existing contact, it is recommended to complete a self-assessment in SPRS even if the score is low or even negative. Contractors without scores in SPRS bidding on new contracts with DFARS 252.204-7012 included, will not be considered when the contract is awarded.
Are prime contractors required to flow down requirements to their subcontractors for completing a self-assessment in SPRS?
Yes – prime contractors will be required to confirm that all subcontractors included a contract they are bidding on have an active score in SPRS.
As a subcontractor, are we required to comply with our prime contractor’s request for us to complete a self-assessment in SPRS?
Technically, you are not required to complete a self-assessment in SPRS unless you are bidding on a new contract with your prime contractor that includes DFARS 252.204-7012 or if your prime contractor’s contract that includes DFARS 252.204-7012 has an exercise option looming.
Most prime contractors are planning for future contracts and are currently requiring all their subcontractors to complete self-assessments in SPRS. Considering how many subcontractors prime contractors may work with, it makes sense that prime contractors would require this, since they do not want to be overlooked for future contracts because their subcontractors do not have an active scores in SPRS.
What will reciprocity look like for companies who have already achieved FedRAMP authorization?
There are plans for CMMC to provide reciprocity to organizations that have successfully completed a FedRAMP certification. However, there has not been an official policy document outlined on when this will happen or how it will work.
Schneider Downs currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes a Certified CMMC Provisional Assessor, and several other members currently in process of applying for CMMC Certified Assessor status who plan on completing training in Q2 of 2021. OSCs should note that a single firm cannot perform both consulting and audit services for a single client per the CMMC-AB standards. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST 800-171 framework.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.