Fraudsters, pathfinders, pilots and final rule. Third-party assessment organizations (3PAOs), the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and controlled unclassified information. This is what you need to know about the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.
Based on two events last week where leaders from the DoD and the CMMC Accreditation Body spoke, here is the breakdown of the latest of this much-watched, anxiety-inducing cybersecurity and supply chain initiative:
About a year ago, the Pentagon warned against third-party vendors who said they could get Defense industrial base contractors ready and possibly approved under CMMC. They were making that claim before DoD even finalized the standards. As DoD gets closer to testing the standards this spring, fraudsters are once again trying to take advantage of unsuspecting companies.
“We had an individual reach out to us on LinkedIn, and they fell prey to one of the companies who is not certified, who is saying, ‘hey, pay me, let me come in, I can get you certified.’ And they didn’t get what they paid $10,000 for. And now they’re coming back to us, and where’s my certification?” said Stacy Bostjanick, the director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment, during the Jan. 25 webinar sponsored by FedHealthIT and G2Xchange FedCiv. “So please be careful and wary of how you bring these contractors and consultants in. Understand that if you’re bringing somebody in to consult with you, to help you prepare for CMMC, it really should have gone through some of the CMMC-AB training. If you really want to ensure that you’re getting the right information, you need to go with people who have had the CMMC-AB training and have a certification through them. And then that way, you’re less likely, I hope not at all likely, to have somebody try to take advantage of you in that scenario.”
Do your homework to make sure the assessors and third-party assessment organizations are CMMC-AB certified. Currently there are 100 assessors that have received provisional approval from the AB and 73 approved third-party assessment organizations (3PAOs).
This is a key term for vendors to understand. DoD did three pathfinders using CMMC requirements: the Missile Defense Agency, the Navy and the Defense Logistics Agency. MDA held the first pathfinder, and the Navy’s and DLA’s are ongoing. In each case, DoD is testing out the CMMC assessment approach.
“We had tabletop exercises where we came together and we figured out what would the RFI language look like. We had the contractor as part and parcel with this so they could tell us whether certain information was not helpful to us. We need to have this kind of information for us to be able to prepare and understand what we’re looking at,” Bostjanick said. “We also went through a mock RFP and a post-award conference and an adjudicate dispute resolution challenge. We also took the assessors and ran them through the first run of the training. We use the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team, since the detect team had already been out on the ground doing the DoD assessments in accordance with the NIST 800-171 methodology. We felt that we wanted to have the members of the DIBCAC team, as well as the members from the Carnegie Mellon Software Engineering Institute and Johns Hopkins Applied Physics Laboratory, that put together the model, go through the training to ensure that the training was presented in a way that it met the tenets and the understanding of what we wanted out of the model.”
For the DLA pathfinder, DoD said it will use real CMMC assessors to continue testing out the CMMC approach.
Pathfinders are not pilots, but they do matter quite a bit. DoD would do themselves and CMMC a service by detailing how the pathfinders worked, what they found and what they learned.
DoD announced the first seven pilots in December, and Bostjanick said at least three more are in the works. During the initial rollout of CMMC, the Pentagon said it plans to pilot CMMC with 15 total acquisitions. Diane Knight, who is DoD’s CMMC lead for pilots and pathfinders, said the big challenge for the pilots is the timing of the acquisitions themselves and whether they can still make awards in 2021.
“Our expectation is about 100 subs per prime, so we’re thinking about 1,500 companies will have to be CMMC certified for the pilots,” Bostjanick said. “Now, the one thing that you have to be aware of is our expectation is that only 20% of the companies in the DIB actually handle controlled unclassified information, the vast majority of the companies are going to fall into the CMMC level one arena. They’re not going to need to go up to that level CUI.”
Bostjanick said DoD also is working with the General Services Administration and the Department of Homeland Security on potential pilots.
“We’re working with all of those groups to make sure that we can meet the timeline, because the last thing we want to do is to affect anybody’s acquisition and slow it down,” she said. “We have to assess the acquisition, make sure that we have all the resources and capabilities in place, and that’s how we’re moving out. We’re building and we’re growing.”
First off, the excitement over the last week that DHS was all in on CMMC wasn’t accurate. It’s no surprise DHS, GSA and probably others are paying attention and interested, and in some cases may be adding CMMC to the master scope of the contract, but there is no evidence from DoD or any other agency that these other agencies are adopting the standards part and parcel.
Second, and maybe more importantly, DoD seems to be aware of “first-mover status” concerns and is ramping up so the playing field is level. Just look at the number of 3PAOs, assessors and other important pieces to get vendors ready. Will it be perfect? It never is. But the recognition of the concern is an important first step. This is why DoD said they will be piloting CMMC through 2026.
DoD released the interim CMMC rule in September and after accepting comments, it expects the final version to be out by mid-to-late summer.
Bostjanick said DoD is reviewing the comments on the interim rule and will send the final version to the Office of Management and Budget for approval in the spring time.
Since DoD released the CMMC rule as an interim final, it went into effect Nov. 30. This means DoD can move forward with the pilots under the regulations it outlined. You shouldn’t expect any significant changes in the final rule given DoD’s desire to roll out CMMC this year.
There are now 53 total 3PAOs and another 355 applications that are pending. Those 53 3PAOs have 100 certified assessors to work with to analyze how companies meet CMMC level one.
Bostjanick said the next step is to get the 3PAOs ready to do assessments under CMMC level 3.
“We are looking at having the first handful done by hopefully March, and then as we continue to move forward the DIBCAC assessors will reach out and set up the assessments with the 3PAOs. Once those assessors on staff are trained and have their suitability determinations … they will be able to do assessments. We will prioritize pilots to make sure those contractors who will participate in that will get priority and no one misses out on the opportunity to compete, and then they can move out from there,” she said.
The CMMC-AB and DoD expect to release the scoping documents for 3PAO assessments in the coming weeks.
“From a client’s perspective, everyone is anxious to get going. They want to know what the timelines look like. They want to know what they can be doing today to kind of get going. And they also want to know how does this coincide or complement their other compliance initiatives and investments that they’ve made over the course of the year, not just FedRAMP, but in the commercial space, ISO certification, CMMI, all of those different things that play a part in this puzzle,” said Doug Barbin, a principal and cybersecurity leader at Schellman & Company, a 3PAO.
See the early discussion about fraudsters — only work with CMMC-AB certified and approved 3PAOs and assessors. The board has a list on its website. More importantly, however, getting the 3PAOs trained and ready to do assessments will take time and that’s one reason why many believe the Pentagon is biting off more than it can chew with CMMC. It’s also why DoD recognizes that the pilots will go on for five years because getting 300,000 companies through the process will be a huge task. DoD and the CMMC-AB also are trying to ensure consistency in the training, which may be another reason why patience is required.
DIBCAC — at the Defense Contract Management Agency (DCMA) — will play a big role in getting the 3PAOs and assessors ready to conduct CMMC reviews. There are 25 DIBCAC teams which the AB has approved as assessors.
“We were contacted by a DIBCAC assessor just at the end of last week. So we’ll be kicking off that assessment this week as well,” Barbin said. “So we’re excited for that, as excited as you can be of being assessed. We do have different accreditation bodies that come in and poke at us throughout the course of the year.”
Additionally, Bostjanick said DoD is close to finalizing the DIBCAC assessment reciprocity memo, which would help companies that already went through the DCMA analysis not have to go through another review to ensure they meet CMMC level one requirements.
“Basically what we did with that one is, if you scored on a DIBCAC assessment of 70 or above, then the areas that you missed, you would only have to have those areas assessed for CMMC, plus the additional 20 requirements,” she said. “If you scored lower than a 70, then you have to have a full assessment redone. With FedRAMP, we have members from the CMMC-AB, the DIBCAC and GSA working on the reciprocity agreement for the components between GSA and CMMC to align them. Once we have gotten that drilled down and outlined, we’ll put a memo together with both GSA and DoD to say, ‘CMMC will accept these components, and if you’re FedRAMP moderate, then you may be equal to this level in CMMC.’”
She said the reciprocity effort with the DIBCAC and FedRAMP is a major focus right now for her team.
What vendors need to know
Reciprocity has been one of those big issues industry has called for since DoD launched CMMC. It’s good to know the Pentagon and GSA are taking this seriously. The sooner the reciprocity specifics are finalized, the better for all involved. At the same time, DoD relying on the DIBCAC to get 3PAOs ready for level 3 seems short-sighted. There are only 25 DIBCAC teams and they can only do so many assessments, which in the long term will slow down the process. One guess may be that as the 3PAOs become level three certified, they can, in turn, do level three assessments of others? That is unclear from DoD.