On July 27, 2022, the Cybersecurity Maturity Model Certification (“CMMC”) Accreditation Body, Inc., which is now known as the “Cyber AB,” published a pre-decisional draft of its CMMC Assessment Process (“Draft CAP”). That process will only apply to Level Two of the CMMC Model.[1] The Cyber AB is the entity responsible for providing accreditation to CMMC Third-Party Assessment Organizations (“C3PAO”), which in turn assess Defense Industrial Base (“DIB”) contractors and subcontractors in accordance with the Draft CAP.
The Draft CAP will be part of the Department of Defense’s (“DoD”) process to verify that contractors possessing sensitive unclassified government information take necessary steps to protect their information systems and data from the threat of cyber attacks. As explained in the November 17, 2021 advance notice of proposed rulemaking, the new CMMC framework is designed by DoD “to protect sensitive unclassified information that is shared by the [DoD] with its contractors and subcontractors [the “DIB”] and provide assurance that Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats.”[2] The CMMC framework will require DIB contractors and subcontractors to implement certain cybersecurity protection standards.[3] Among other things, contractors will be required to “perform self-assessments or obtain third-party certification” demonstrating compliance with cyber threat requirements “as a condition of DoD contract award.”
The CMMC program will include three security levels: Level 1 – Foundational; Level 2 – Advanced; and Level 3 – Expert.[4] With respect to CMMC Level 2 (which the Draft CAP covers), the advance notice of proposed rulemaking anticipates that it will be bifurcated into (i) prioritized acquisitions involving CUI, which will require an independent third-party assessment; and (ii) non-prioritized acquisitions involving CUI, which will require an annual self-assessment and annual company affirmation. The DoD will not include the CMMC requirement for DIB contractors and subcontractors in solicitations, under DFARS clause 252.204-7021 (Contractor Compliance with the CMMC Level Requirement), until the DoD completes its ongoing rulemaking process for the CMMC requirements.
The Draft CAP is “the CMMC doctrine providing the overarching procedures and guidance for C3PAOs conducting official CMMC Assessments of organizations [i.e., government contractors] seeking CMMC Certification.”[5] The Draft CAP is designed to ensure C3PAOs conduct CMMC Assessments in an accurate and consistent manner. Further, the Draft CAP describes the required activities that C3PAOs must follow and is divided into the following phases:
- Phase 1: Plan and Prepare the Assessment
- Phase 2: Conduct the Assessment
- Phase 3: Report Assessment Results
- Phase 4: Close-Out Plan of Action and Milestones (POA&Ms) and Assessment
The Cyber AB designed these four phases to ensure all CMMC Assessments meet the following objectives:
- Achieve the highest possible accuracy, fidelity, and quality for CMMC assessments conducted by C3PAOs
- Maximize consistency to ensure that different assessments conducted by different C3PAOs and assessors yield the same verifiable results and outcomes each time
- Improve the cybersecurity defensive posture and the cyber resiliency of the DIB by providing effective and efficient assessments that are well-planned, executed in consistent fashion, and accurately reported
The Cyber AB has opened a 30-day comment period on the Draft CAP and the overall CMMC framework for the public and members of the CMMC Ecosystem.[6] The Cyber AB is seeking stakeholder participation to “improve the CAP and inform future adjustments to the CMMC model itself.”[7]
While the Draft CAP and CMMC rulemaking move toward implementation, DIB contractors and subcontractors should become familiar with the procedures outlined in the CAP and prepare for impending CMMC assessments in order to ensure that they are eligible for contracting opportunities when the DoD begins to include the CMMC certification requirements in solicitations.
Although contractors have time before such certifications are required, DIB contractors and subcontractors should prepare to comply with the CMMC requirements now; many contractors already have implemented all or most of the cybersecurity requirements detailed in NIST SP 800-171. Companies wanting to get ahead of the curve should consider retaining the services of an authorized C3PAO for a voluntary CMMC assessment. According to a July 2022 Cyber AB Town Hall, “these assessments will be conducted by C3PAOs under the [DIB Cybersecurity Assessment Center] existing authorities.” Indeed, the draft CMMC rule is expected to provide a process for these assessments to be “convert[ed] to CMMC Level 2 Certification upon the completion of Rulemaking.”
[2] After developing and then withdrawing an initial CMMC program last year, DoD has developed CMMC 2.0, which provides a new approach to protecting sensitive unclassified information in the possession of contractors. The changes between CMMC 1.0 and CMMC 2.0 are summarized in the “Way Forward” section of the notice of proposed rulemaking. Among other things, CMMC 2.0 will reduce the number of security levels from five to three, develop a time-bound and enforceable Plan of Action and Milestones process, and require government-led assessments at CMMC Level 3.
[3] These cybersecurity protection standards are found in National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final (last viewed on Aug. 15, 2022).
[4] CMMC 2.0 will eliminate CMMC 1.0 Levels 2 and 4. CMMC 2.0 Level 1 will remain the same as CMMC 1.0 Level 1; CMMC 2.0 Level 2 (Advanced) will be similar to CMMC 1.0 Level 3; and CMMC 2.0 Level 3 (Expert) will be similar to CMMC 1.0 Level 5.
[5] CMMC Assessment Process, Version 1.0, available at https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf (last viewed on Aug. 15, 2022).
[6] The CAP defines the CMMC Ecosystem as: “The interactive community of all CMMC professionals, including C3PAOs, Assessors, Instructors, Licensed Training Providers, Licensed Publishing Partners, Registered Practitioners, Registered Provider Organizations, as well as the Department of Defense and the CMMC Accreditation Body.”
[7] CMMC Assessment Process, Version 1.0, available at https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf (last viewed on Aug. 15, 2022).