Nothing from the government comes without gobs of documentation

The Cybersecurity Maturity Model Certification program has been in gestation at the Defense Department longer than a baby elephant. CMMC is still not operationa...

Tom Temin The Cybersecurity Maturity Model Certification Program has been in gestation at the Defense Department longer than a baby elephant. CMMC is still not operational, but boy, it has produced documents just out new scoping documents. And do contractors need to read them well? Federal Drive with Tom Temin is joined by  Holland & Knight contracting attorney Eric Crusius.

Interview Transcript: 

Tom Temin These documents, scoping documents, these are just out. What exactly are they and why are they important?

Eric Crusius It’s really interesting. They were out they were released on OMB’s website and then they were pulled back. So the suspicion is that there were draft or final draft documents. I think it’s still important to kind of look at them because they’re probably final draft documents in that how CMMC is is going to be very close to what those documents are. And what they do is they show kind of how CMMC is going to be scoped and they also show how assessments should go for the different three levels and which controls are going to be utilized for those three levels. So there’s a lot of things were confirmed, but there is also some new information in there that I think contractors should pay attention to.

Tom Temin The idea of scoping. There’s three levels of scoping. What does that actually mean?

Eric Crusius Yeah, so there are three CMMC levels. That is all but confirmed. And for each level what assets that a contractor has is going to be within scope. So for level one, for instance, specialized assets won’t be in scope, and that’s kind of Internet of Things, government furnished equipment, things like that for level two. Normally those specialized assets will also not be in scope, but for level three, they will be in scope. And then that’s one way to look at scoping. Another way to look at scoping is which part of your organization is going to be covered by CMMC. CMMC doesn’t have to be a whole organization certification. It could just be essentially a certification that covers the assets you want to cover and those are the assets that are going to have the information in them that is has to be covered like.

Tom Temin Right. So for companies that have commercial operations, commercial businesses may not need to come under CMMC as long as there’s no crossover right networks and data between commercial and government.

Eric Crusius Right. They could have this little section of the company or their IT system that has CUI in it that is covered by CMMC and everything else will not be scoped at all.

Tom Temin So you would need an enclave almost. It’s to use the technical term for, you know, that walled off area of your maybe put it in the cloud and then it’s not on your data center.

Eric Crusius That’s exactly right.

Tom Temin All right. And then the level three is the big contractors, the ones that are all in government.

Eric Crusius Right? Those are kind of the common name. I won’t name any of them, but the common name contractors that everyone knows about that build ships, that build airplanes, things like that. They could also cover smaller contractors, maybe IT providers that have specialized information that’s important to the government. So we’ll have to see how many folks are covered by level three, but that’s going to be a subset of NIST Special publication 800-172. Looks like about 24 controls, at least according to these close to final draft documents.

Tom Temin So essentially they tell you what you need to do to be CMMC compliant depending on the level 1-2-3 that you’re at.

Eric Crusius Yes. And it’s kind of interesting, like who determines whether you’re compliant or not For level one, it’s a self-certification. There’s nothing to stop a contractor from hiring somebody to come in and help them get there. But in the end it’s going to be the contractor putting their signature on the line, certifying themselves to DOD. For level two, there’s a third party that would come in for most level two.

Tom Temin Yeah, this whole assessment scheme is that up and running? I mean, there were people that were getting certified to be third party assessors. Do they still exist and are they still certified?

Eric Crusius Yes. Actually, the ecosystem, as they called, is growing. The CMMC accreditation body, now known as the Cyber AB, holds a call every month where they discuss how many folks are in the ecosystem. And it looks like the third party assessors, there’s more than 40 now and that’s not just assessor teams, but some assessors may have more than one team to their name. So there could be even more and there’s a lot more in the pipeline. And then for level three, you can only get a level three assessment after you’ve gotten a level two assessment with third party assessor. Level three is the government itself certifying to those additional 24 controls.

Tom Temin Got it. And those are really serious controls. I mean, these are things that you would expect the large contractors probably have in place anyway, as a matter of course.

Eric Crusius That’s right. And I think for the large contractors, CMMC is not going to be a heavy lift. They’re doing these things already. I think where we’ll see struggles are the small, medium sized contractors that don’t have these robust IT systems and those are the ones that are most vulnerable and those are the ones that our foreign enemies know are the most vulnerable. So those are the ones that are attacked most frequently.

Tom Temin Sure. We’re speaking with attorney Eric Crusius. He’s a partner at the law firm Holland & Knight. And you said there are some new things after the papers, after the certification, scoping documents were withdrawn and reissued. What is new here that people might not have known a couple of months ago?

Eric Crusius So one interesting thing is that for level one and level two, they talk about a self, well for level one, a self assessment report, and for level two, an assessment report. That it’s not clear whether that’s a separate report that a contractor has to generate or that’s automatically generated based on which controls they’re compliant with. But the assessment report could be the significant new document that contractors have to produce in order to demonstrate that they are past those controls. So that’s one thing that’s really interesting. There’s also talk about conditional assessments, which we knew about. It’s unclear whether those conditional assessments will allow a contractor to perform, absent a final assessment that is good for three years. The conditional assessments demonstrate that they’re mostly there. But there’s still things that are outstanding, and they’re called plans of action and milestones that they have to finish within a certain period of time. There are a lot of references to regulations within these documents that have not been released yet. So we’re anticipating a full suite of regulations that will come out to support CMMC.

Tom Temin Yeah, I mean, every time they come out with some of these new policies for contractors, they run hundreds of pages.

Eric Crusius Right. And, you know, they do deal with also external service providers. You mentioned it earlier that a lot of contractors and I think it’s a smart decision, will offload a lot of the storage of their CUI to a third party who is already set up for this. And there are specialized providers out there who do that. And according to these documents, it looks like these third party providers will have to have a CMMC assessment or fedramp moderate or the equivalent of that. So that’s not surprising. But it’s interesting to see it in black and white because we didn’t know which way DOD would go with that.

Tom Temin So the Microsoft Azure Cloud, AWS, Google Cloud and some of the others have that moderate certification under Fedramp. So that would seem like a safe harbor here.

Eric Crusius That’s right. But that wouldn’t take care of all the controls because some of the controls deal with the interconnection between the contractor and those safe harbors. Some of the controls are purely physical access to the contractors, physical space where CUI may reside.

Tom Temin Plus, user activity, I imagine, must be covered in some of these documents.

Eric Crusius Absolutely. Passwords. How much permission each user has? Exactly to your point. So those safe harbors will take care of a lot of the controls, but not all of them.

Tom Temin And how will all of this back up to contracting officers? I mean, there’s some rulemaking that has to happen to make this effective, I presume. And I don’t know what the state of that is, but at some point, will this get into the FAR such that DOD contracts will have this clause referencing all of these scoping documents?

Eric Crusius Absolutely. And the DOD clause A, D-FARS clause is at OMB right now. So it’s the last stop before it’s released. Now, we don’t know if it’s going to be released as a proposed rule or a final interim rule. If it’s released as a final interim, well, we could have CMMC sometime this fall. If it’s a proposed rule, it’s going to be a little bit of a longer time period. But that is okay because most contractors are not ready for it yet.

Tom Temin Right. I mean, the proposed period for comments could be 30 days or 60 days and then they would turn it around another 30 or 60 days as a final rule.

Eric Crusius Right. And I anticipate they’ll get a ton of comments in there. So could it be even longer than that so we could see CMMC towards the end of 2024, beginning of 2025, if it comes out as a proposed rule this fall.

Tom Temin And not to get too arcane, but could the comments on the proposed rule then back up through the pipes of the system and then find their way into redoing or alteration of the scoping documents in the first place?

Eric Crusius Absolutely, yes. That’s why these are not final documents. But it’s a great place to look, to see, to start. And we should also know that this is just one of many things that are happening right now. There’s some FAR rules that have just passed through OMB that will institute new cybersecurity controls on non DOD contractors and reporting requirements if there’s a breach. So we haven’t seen those rules yet, but they have just passed through OMB. So I anticipate we’ll have more to say on that soon.

Tom Temin Yeah. And then I guess the question is, does all this get harmonized at some point? So this is doing business with the government. Here’s the scope of cyber you’ve got to have.

Eric Crusius Right? You remember when the FAR came out, the idea was to harmonize contracting across the government. Here we are with each agency having its own version of the FAR that layers on top of the FAR, and it’s the same thing happening with cybersecurity, unfortunately, where we have different agencies with different requirements. I’m hoping at some point they will be harmonized because it gets very difficult for contractors to follow the bouncing ball for all these different agencies. It’ll help put my kids through college, but it won’t help the contractors very much.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories