
Episode 8

The CMMC Rule … Finally


About This Episode

Podcast Episode 8
November 5, 2024 - 26 mins

CMMC’s security requirements are not new. What is new about CMMC is the level of rigor. With the recent publication of the CMMC rule, DoD is ever closer to requiring contractors to comply with CMMC security requirements and back them up with an assessment. The CMMC Rule, like any new regulation, is packed with details, details that have been rumored, speculated about, and drafted. Now that they’re known and final, we’re here to help you see more clearly.

In today’s episode, our host, Cole French, becomes the expert guest. As Director of Cybersecurity Services and CMMC Capability Lead at Kratos, Cole answers the questions you might still have about CMMC and its impact on your organization:

  • When will assessments start?
  • What can my organization do now?
  • When will CMMC be required in DoD contracts?
  • How does the rule impact my use of external service providers?
  • Can I qualify for a self-assessment or must I go through a C3PAO assessment?

And more!


Episode Transcript

Cole French:

CMMC rulemaking is complete. It's been a long and winding journey. The destination, often feeling elusive, on a road paved by drafts, speculations, and opinions.

If you're seeking clarity on CMMC and the final rule, you won't want to miss this conversation, where we dive deep into the most important details that you need to know to continue moving CMMC forward in your organization.

Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now let’s get to today’s episode and help you move cybersecurity forward.

The CMMC rulemaking process has not been easy. From the initial framework released in 2020, to the industry outcry about cost and burden, to the 2.0 revision in 2021, to joint surveillance assessments during rulemaking, to the final rule. Finally, there's been a lot of twists, turns, and "it might happen soon" speculation. Make no mistake, even with the final rule published and many questions answered, there's still many details to iron out and finalize. Those will take yet more time, but the final rule gives us a firm path forward.

In today's detail-rich episode, we answer your most pertinent questions about the rule. Questions like, when can assessments start and when will CMMC be required in contracts? How does the rule impact my use of external service providers? How do I know what changes to my system will initiate the need for a reassessment? What's the status of FedRAMP equivalency and requirements for FedRAMP authorization, and much more. We've switched things up a bit for today's conversation. As the leader of our CMMC practice here at Kratos, I've switched seats, sitting in as the guest for this episode.

Joining us today as guest host is Justin Padilla, who's the Senior Director of Cybersecurity Services here at Kratos. Justin's questions are informed by a wealth of experience across many compliance frameworks. We hope you enjoy this episode.

So I know normally I facilitate and host this podcast, but as our CMMC capability lead here at Kratos, I figured I would bring a good friend of mine, Justin Padilla on today to kind of switch roles and sit in the facilitator seat while I sit in the hot seat and answer questions about the new CMMC rule. So with that, I'll turn it over to Justin and Justin, you can dive in and ask away.

Justin Padilla:

Yeah, thanks for this opportunity, Cole. I'm thrilled to be filling in. With the Federal Register releasing 32 CFR part 170, the CMMC program rule, it was such a major event that we wanted to bring an expert on to dive into the details about what we're seeing in this, and who better of an expert than yourself? I don't know if a lot of people know that you are actually our CMMC capability lead in addition to being the podcast host, but here we are.

Cole French:

Absolutely happy to be here and I think this will be fun. Looking forward to it.

Justin Padilla:

All right, so without further ado, Cole, now that the final rule is published, do we know when assessments can actually start?

Cole French:

We do. The rule was published on October 15th, and 60 days from that date is the date on which the rule goes into effect. And by virtue of that, then assessments can begin and that date is December 16th, so right around the corner.

Justin Padilla:

Another common question: can companies begin their certification before the date? Meaning can they do pre-assessment work before that date and then just issue the final report on December 16th?

Cole French:

So we're saying no to that. The rule doesn't speak to that specifically, but from what we understand and what we've been hearing, we're saying don't begin any activities. The only activities between now and December 16th should be scoping or contract negotiations, putting a contract in place and then scoping, making sure you understand what the scope of that assessment's going to be, because obviously that's needed to put a contract in place to conduct the assessment. Those two activities can take place between now and December 16th, but any other assessment activities should be held off until December 16th or later.

Justin Padilla:

So there's definitely going to be some early adopters, security-conscious, kind of those first to market companies that want to get their CMMC certification. But moving on to something that a lot of other folks might be curious about, when can we start seeing CMMC Level 2 requirements in DoD contracts?

Cole French:

Given the long runway we've had with CMMC over the last four or five years, depending on how you calculate it, there's a lot of folks who've invested a lot of money, a lot of time, a lot of resources into getting ready for this. So they're going to want to jump in and get their certifications right away, and that's great. I hope organizations really do that. That's what we hope for this.

Obviously, security is our number one objective here, and specifically security within the Defense Industrial Base. So the sooner we can get these organizations certified, the better. But as far as when they'll be required in contracts, that is going to be covered in the Title 48 rule, which is still in rulemaking. So sometime later this year, early next year, we anticipate that rule will go into effect and that will cover when contracts will require CMMC certification.

Justin Padilla:

So that gives us some good clarity on the timing and rollout, but what if somebody isn't actually directly contracting with the DoD, but they're still providing services to the Defense Industrial Base companies. Is there anything that those organizations can do around that?

Cole French:

The CMMC certification is an open market essentially. Obviously it's focused on the DIB and there's a certification mechanism and a contractual requirement piece of it, which we've already alluded to. But any organization can undergo a CMMC certification assessment and receive a CMMC certification.

The issue is we don't really know what the mechanics of that will look like because one of the components of receiving the certification is an annual attestation requirement, and that annual attestation requirement is in SPRS, which is the system of record for DIB contractors. Well, if I don't have a contract with the DoD, I don't have a way to enter an annual attestation in SPRS, or at least I'm not aware of one currently.

So I think the specifics of how that's going to play out over time is to be determined. But absolutely, if you're an organization, particularly if you're an external service provider or a managed service provider providing services to a DoD contractor, you should really consider attempting to achieve a CMMC certification. It will definitely ease the burden on the organizations that you're providing services to when they have to go through their assessments if you already have a CMMC certification.

Justin Padilla:

So there's nothing holding them back, it's just they might have to go through a few more extra steps to maintain that continuous monitoring process?

Cole French:

Absolutely. Yep.

Justin Padilla:

So that's important information to know for many businesses out there. And it may just be me, but it seems like I've noticed a stark increase in the amount of external service providers (ESP) that are supporting this space. Does the final rule speak to anything about ESPs and how they're being treated with this new final requirement?

Cole French:

That actually was one of the major changes from the draft rule to the final rule: the language and requirements on external service providers. So essentially, there's two types of external service providers. There's an external service provider that is also a CSP, and it's actually referred to as an ESP that is a CSP. And then there's an external service provider that is not a CSP. CSP, for reference, is cloud service provider. So essentially we have ESPs that break on two different planes. One is they're also a cloud service provider. The other is they're not a cloud service provider.

So for the cloud service providers, that's where FedRAMP and FedRAMP equivalency come into play if they're processing CUI. So if the organization in question is leveraging an ESP that is a CSP and using it to process, store, or transmit CUI, then that ESP needs to comply with the FedRAMP equivalency requirements, which I think we're going to talk more about in just a little bit, and which remain largely, basically unchanged from the original draft rule.

But if, however, an ESP that is a CSP is only processing, storing, transmitting what we call security protection data, which is actually a new term in the rule, but not CUI, then that particular ESP is in scope for the OSC's assessment, but they're not required to adhere to the FedRAMP equivalency requirements.

And then on the other side of it is an ESP that's not a CSP. So that could be staff augmentation, that could be leveraging a managed service provider to help manage your infrastructure. So in those cases, it all depends on the way in which that ESP is accessing your environment. So if you as the OSC access the ESP environment, then that ESP environment, or the components in that ESP environment, come into your scope. If, however, on the other hand, you're an OSC and you've brought on staff from an ESP to augment your operations, as long as you've provided and trained those staff according to your policies and procedures, then the services they provide are part of your scope. But the organization itself, the external service provider, is not in scope for your assessment.

So it's a little complicated. We will definitely spell this out with more clarity in the show notes, but essentially ESPs, they define them in a more clear manner and they definitely provided a path for you to leverage ESPs and not have to adhere to the FedRAMP equivalency requirements and also not have to bring them fully into scope.

Justin Padilla:

All right, let me try and simplify this. So I'm going to toss out some examples and see if you can tell me which requires FedRAMP equivalency, which doesn't, how it would be in scope, things like that. So I'm using a cloud service for storing my CUI. FedRAMP equivalency? No?

Cole French:

Yep. FedRAMP equivalency. Absolutely.

Justin Padilla:

What about if I'm using a vulnerability scanning tool to scan my environment that contains CUI?

Cole French:

Would not require FedRAMP equivalency, would not have to adhere to FedRAMP equivalency. So perfect. Yeah, great example. You're only talking security protection data, so it's a security protection asset. So the tool itself is in scope for your assessment as an OSC, but it does not have to adhere to the FedRAMP equivalency requirements. It only needs to meet the Level 2 requirements for your scope.

Justin Padilla:

So that security protection asset needs to comply with all the CMMC requirements, procedures, policies, all this stuff that you have defined as an organization, but it doesn't require that FedRAMP equivalency package or FedRAMP authorization?

Cole French:

Correct. Yep. Which is an important update, right? Because the draft rule, it was basically any ESP had to have a CMMC certification, which was going to have a drastic impact on the entire ecosystem because you would have all the OSCs or DoD contractors, but then also any organization they were leveraging in any way, shape or form would have to either have a certification or adhere to these FedRAMP equivalency requirements, or both.

Justin Padilla:

Yeah, the FedRAMP equivalency has been a big topic almost in the same breath as CMMC. They've all been intertwined. So with that specifically, were there any FedRAMP equivalency updates that were included in the rule?

Cole French:

Not to the FedRAMP equivalency requirements. So the FedRAMP equivalency requirements are pretty straightforward, either FedRAMP moderate or higher authorization or meeting the FedRAMP equivalency requirements defined in DoD's memo from the end of 2023, beginning of 2024, which actually are more stringent than your FedRAMP moderate authorization.

Again, no changes to that, but an important distinction that DoD actually explicitly stated in response to some of the public comment in the rule is that FedRAMP equivalency is not required, or FedRAMP certification was the term they used, is not required for tools or for cloud service offerings that do not process, store, or transmit CUI. So again, what we were talking about earlier, security protection assets, tools that only process, store, transmit security protection data, do not have to abide by that FedRAMP certification or the FedRAMP equivalency criteria.

Justin Padilla:

So now when we think about assessments, another crucial piece is the team that conducts them. Have there been any changes there?

Cole French:

Yes. So the final rule actually spelled out what comprises an assessment team. So essentially, you have three required components, and that is number one, a lead CCA. To be a lead CCA does not require a separate certification, but it does require, and the rule does spell out additional experience, both management and certification experience. And then also instead of the standard industry certification, it does require an advanced industry certification within a list published by the DoD.

And then also you need to have a CCA, and then a third member of the team has to be what's called a QA or quality assurance, and they also have to be a CCA, but they cannot be part of that assessment team. So again, lead CCA and a CCA at a minimum. So two people at a minimum. You can have additional folks on the team, they have to be at least a CCP certified and also have successfully achieved Tier 3 suitability. But then you also have to have that QA function that is outside of the assessment team. And I think that's an interesting construct that they've come up with. I think it's good. I think it was always the intention.

However, now that they've said you have to have at least two assessors plus the QA function, it'll be interesting, some of these smaller organizations in the ecosystem, some of these smaller assessment organizations, they may have to leverage a third party, they may have to hire an additional assessor outside of their organization to fulfill that role. Could increase costs, could have an impact on costs I think for assessments. Maybe it will, maybe it won't, but I think there's potential there.

Justin Padilla:

Now let's talk about something that was kind of promised but not fully documented. And what I'm referring to is the Joint Surveillance Voluntary Assessments (JSVA). Originally it was said that people that went through this process, if they were successful, they would receive a certification once rulemaking became final. Now, that was never documented anywhere, at least from the DoD, and so people were taking a gamble. Did the new rule say anything about this?

Cole French:

It does, as a matter of fact, and it does promise certification for those organizations that did successfully complete a joint surveillance assessment, and to reiterate that, eligibility for that conversion is a final score of 110. So a perfect score. That could have included one POAM closeout assessment, but any organization that went through a JSVA and got that perfect score will get their CMMC certification.

The issue that is to be determined, and we've heard conflicting information on, is who will grant that certification? So again, those joint surveillance assessments were conducted jointly with DIBCAC from the DoD and then also C3PAOs, and we conducted several of those assessments and worked with the DIBCAC teams on those. The question is whether we as the C3PAO will confer that certification or whether that certification will come from DIBCAC, because remember, technically the JSVAs were DIBCAC high assessments. From a, I guess, "legal" standpoint, they were DIBCAC high assessments, not CMMC assessments.

Justin Padilla:

But at the end of the day, they're going to get a certification?

Cole French:

They are going to get a certification.

Justin Padilla:

I would imagine for most that's all they're concerned about.

Cole French:

Exactly. Yeah, the semantics of it are less important, for sure.

Justin Padilla:

So in reading through the rule, which is extensive, there was one piece of information that I kind of pulled out that I thought was kind of juicy, and you tell me a little bit more about it, but it was essentially the CMMC Level 2 had two options. One was a self-assessment and one was a certification assessment done by a C3PAO. Did the rule go into any additional details or criteria about who would be allowed to go through the one versus the other?

Cole French:

It does not go into detail on what would trigger either or. So the criteria to determine which assessment would be required doesn't go into that. It does for Level 3, however, it does actually enumerate the criteria that would be involved in making a determination for a Level 3 certification.

The rule, however, does, in DoD's analysis, provide a breakdown of the expected number of organizations that are going to be required for each certification level and certification type, which I think was... While it didn't provide the criteria, it definitely indicates, if you're hoping for a Level 2 self-assessment, like you said, that's kind of juicy, that wow, I don't have to hire a C3PAO to do an assessment. According to DoD's analysis, there's going to be about 221,000 organizations that require some type of CMMC certification, whether that's Level 1 self-assessment or a Level 3; only about 4,000, or 2% of those organizations, do they expect to require a Level 2 self-assessment.

Conversely, Level 2 C3PAO assessments, about 76,500 organizations or 35%, and then almost all the rest of them are Level 1 self-assessments. So very few Level 3 assessments. So I think that analysis by DoD provides a pretty clear indication that Level 1 self-assessments and Level 2 C3PAO assessments are going to be really where it's at from a CMMC perspective in terms of contractual requirements.

Justin Padilla:

And even from a Level 3 perspective, it's my understanding that you actually have to go through the CMMC Level 2 assessment prior to going to 3. Is that correct?

Cole French:

That is correct. Yep.

Justin Padilla:

So as I mentioned, I haven't been able to read through everything. It was a very extensive rule, but taking a look at it, were there any items in here that drew controversy or was spoken about a lot that we haven't touched on here?

Cole French:

I'm glad you brought that up, because you're exactly right. The rule, like we've mentioned already, super long and there's a lot in there, and I think there's a tendency to jump right to the rule itself and really want to dive into that and for good reason. And so I think it's easy to overlook the public comment section because DoD did enumerate all the public comments, and now obviously they consolidated them for readability and all of that, but they also answered and addressed a lot of those public comments and they answered some questions in those public comments that I think are important.

So yeah, the public comments definitely addressed some open issues or some unanswered questions, and that's not to say that there aren't still a lot of unanswered questions and open issues as it relates to CMMC. I think that's kind of become, unfortunately, one of the hallmarks of CMMC is just we're kind of, we're building the plane as we fly it kind of thing.

But some tidbits I think that came out of the public comments are the first one, the need for reassessment. I know a lot of certification frameworks have requirements that stipulate when a reassessment is required, right? So a CMMC certification is good for three years, but what if in year two I make substantial changes to my operating environment? Does that mean I need to get a reassessment? What does that mean? The rule doesn't speak to that. However, in the public comments, DoD did provide some examples both of what would constitute the need for a reassessment and then also changes that would not constitute the need for reassessment.

So on the one hand, a reassessment would be required, in DoD's words, if there were any significant architectural or boundary changes made to the previous assessment scope, such as an expansion of the network or mergers and acquisitions, which I think in the DIB space is significant. I think there's a lot of merger and acquisition activity that goes on. I know we're an organization that experiences a lot of that, so bringing in an entirely new organization that was a separate entity previously would definitely be a substantial change to your assessment scope.

Now, conversely, they do also define what they call operational changes to an assessment scope. So adding or subtracting resources, but those resources still following the existing SSP, you would not need a reassessment in those cases. So those operational changes would be covered by your required annual attestation of compliance. So that's one.

Another, CUI marking, I think some folks thought the rule might speak to CUI marking and handling. That's a common issue and source of frustration is I think I have CUI, but I don't know because it's not marked. What should I do with it? Those kinds of things. And DoD took a pretty clear stance that CUI marking is outside the scope of the rule and said as such in their response to public comments. So CUI marking and handling for now is existing DoD policy, procedure guidance, NARA policy procedure guidance. Essentially what we've had up until this point, nothing new.

Justin Padilla:

Understanding that is critical because as you make decisions about your business, that could necessitate another certification, something you definitely want to be aware of. It's really awesome that they provided some examples in there, even if they didn't go into great detail within the rule itself, those comments or feedback on the comments is valuable.

Cole French:

Absolutely. Yeah.

Justin Padilla:

So Cole, we've discussed the requirements of when CMMC is going to be incorporated into contracts, but they had previously mentioned something about a phased rollout. Did the rule provide any information on what that phased rollout might look like?

Cole French:

It did. It actually spelled it out in pretty good detail, I would say. And this was one where the phased approach stayed the same from the draft rule to the final rule. They just extended each phase. So in the draft rule, each phase was six months, four phases, each phase six months. In the final rule, one year each. So as we mentioned earlier, the Title 48 rule will be the trigger for those contractual requirements. And then by virtue of that will be the trigger for the phases to begin. So Phase 1 will begin when the Title 48 rule goes into effect, and essentially Phase 1 is all the Level 1 and Level 2 self-assessments.

DoD could start requiring C3PAO Level 2 assessments in Phase 1, but that's at their discretion. Then in Phase 2, they'll start requiring Level 2 C3PAO certifications as a condition of contract award primarily. And then Phases 2 and 3 are Level 2 C3PAO assessments as a condition for exercising contract options, and then Level 3 rollout. And then you get into Phase 4, and that's considered complete rollout. And by that point, their contract language is in place for all the different types of assessments that would be required.

Justin Padilla:

That's really valuable information. I'm sure that a lot of people will appreciate the guidance that you've been able to provide here. Thank you so much, Cole, for allowing me to step in as the guest host, and to you for offering to be our guest expert and breaking down these complex but essential details about the CMMC rule.

Cole French:

Absolutely. Thanks for sitting in, Justin, and asking these questions. And like I mentioned, we'll put this all in the show notes, and we'll put it in a very concise format, and we'll also put some additional info that I think is valuable for folks out there in the ecosystem. And yeah, appreciate this opportunity and hope this was useful.

Thank you for joining us on the Cyber Compliance and Beyond podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss, or you just have some feedback for us? Let us know on LinkedIn and Twitter, at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then, keep building security into the fabric of what you do.
