In our last blog, What DoD Contractors Need to Know About the New Cybersecurity Maturity Model Certification, we covered the essential components and driving factors behind the DoD’s new federal requirement. This post addresses some of the unanswered questions around the CMMC and digs into new CMMC updates.
The CMMC of the Past
The primary guidance of our previous post was to alert DoD contractors to stay tuned for further updates from the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB). It was recommended to use the issued regulation and briefings from the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) to prepare organizations for certification to the best of their abilities.
LogRhythm published a spreadsheet mapping the control practices of CMMC to the various existing federal guidelines as an aid for companies looking to see where they may already have coverage within their existing control environments. This is a useful tool for those looking to perform a quick assessment of the overlap between CMMC practice requirements and an organization’s existing control environment.
At that time, a few major questions were largely unanswered; the new CMMC updates address some of them:
- Which organizations will be approved C3PAOs that can issue these certifications?
- What level of CMMC will my organization be required to meet?
- When and how many CMMC requirements will be coming out in 2020 and 2021?
After approximately four months, multiple national conversations, and various RFPs from the CMMC-AB, some of the questions above are still relevant today; however, there have been developments that individuals following the CMMC rollout should be aware of.
CMMC Updates: Evolving Relationship Between CMMC-AB and DoD
The relationship between the DoD and the CMMC-AB was further clarified this summer when the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, and Ty Schieber, Chairman of the CMMC-AB, signed a Memorandum of Understanding (MOU) that established each organization’s roles and responsibilities to help ensure a secure defense industrial base (DIB).
Since that time, the DoD has sought to establish a new contract with the CMMC-AB — the finalization of which is still pending. This comes amid various reports of the CMMC-AB experiencing internal disagreements, board member changes, and criticism over the appearance of a pay-to-play mechanism via a proposed sponsorship or partner program.
The latter has been refuted by Mark Berman, communications chairman for the CMMC-AB, and a statement of disagreement on the proposed sponsorships by the CMMC-AB was issued on LinkedIn by Katie Arrington, CISO of the OUSD(A&S). The media attention and public scrutiny seen thus far are further evidence of the significant impact that CMMC could have on the DIB.
Pending DFARS Rule Changes
One of the primary reasons people have not seen CMMC requirements appearing in DoD contracts to date is a pending Defense Federal Acquisition Regulation Supplement (DFARS) rule update from the Office of Management and Budget (OMB) that will allow the DoD to include CMMC requirements in their contracts.
The OUSD(A&S) had previously said some delays might occur since rule changes require a public hearing. Given COVID-19 concerns, public gatherings have been delayed, making it difficult to organize the requisite hearings and approvals. The latest reports suggest the DFARS rule change will be finalized by the end of November.
CMMC Assessor Training has Started!
On August 31, a four-day training occurred that included 73 “provisional assessors.” The training was slated to involve a mix of live and self-paced training, followed by an exam. After provisional assessors are certified, they will be involved as part of CMMC Third-Party Assessment Organization (C3PAO) teams to implement CMMC Pilots and Pathfinders. Their provisional qualification will be represented by a verifiable logo and a listing on the CMMC-AB marketplace at CMMC-AB.org.
Initially, the Provisional Program will provide Level 1 assessments and could expand up to Level 3 over time. To clarify, these provisional assessors won’t be able to issue an official certification; they are intended to provide feedback to the CMMC-AB, and once the pending DFARS rule change is complete, those assessments could become formalized.
For more information, visit the Provisional Program page on the CMMC-AB website.
The Future of CMMC: Q4 2020 and Beyond
Requirements for CMMC in RFPs are expected to show up sometime in November of this year now that assessor training is underway and the DFARS rule change is pending completion. Companies will not have to be certified at the time of bidding, but for a contract to be awarded, certification must be obtained.
According to National Defense Magazine, a recent presentation of Arrington’s indicated the scheduled rollout of contracts requiring CMMC and the approximate number of companies involved in those contracts in 2021 and beyond. See below for that breakdown.
LogRhythm Can Help with CMMC Requirements
To help our customers navigate the requirements of CMMC, LogRhythm has released a standalone module to help the DIB demonstrate their cybersecurity maturity to future C3PAOs. “Compliance Automation Suite: CMMC” utilizes the LogRhythm Consolidated Compliance Framework (CCF) rules and methodology, which were built on the same sources that influenced CMMC, such as the NIST 800 Special Publication series and ISO 27001.
Companies will find value whether they’re demonstrating compliance with CMMC Level 1 all the way up to Level 5. The module features AI Engine rules, alerts, investigations, and reports that directly support many of the requirements of CMMC and augment or reduce the cost of others.
As LogRhythm’s technology stack grows and expands, we continually enhance our CCF methodology and supporting modules to provide the highest-quality product to our customers.