By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Takeaways from the January 27, 2021, CMMC AB and DoD CMMC PMO Town Hall Meeting
On January 27, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) and the Department of Defense (DoD) CMMC Project Management Office (PMO) held a joint town hall meeting to provide the latest updates on the CMMC program rollout. The meeting provided great insights into program timelines and what DoD contractors can expect in the near-term.
- The CMMC program is currently in the process of performing “pilot” CMMC assessments. The pilot assessments will continue over the next five years. The CMMC-AB anticipates that 15 prime contracts will require pilot assessments in 2021 and that a total of 1,100 prime contracts will have pilot assessments performed over the next five years. The pilot assessments will target mid-size contracts that require ML-3 compliance. Since mid-size contracts often include numerous subcontractors, there will be many subcontractors that will also be required to have pilot assessments performed. After the pilot program, compliance with CMMC will be required in all DoD RFPs that are not related to COTS (commercial-off-the-shelf) products/services.
- While the CMMC requirement will not be fully rolled out until 2026, contractors still need to comply with DFARS 252.204.7012 if the solicitation anticipates that a contractor will have access to Controlled Unclassified Information (CUI). Under DFARS 252.204.7012, the contractor must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The contractor must upload their NIST SP 800-171 assessment into the DoD Supplier Performance Risk System (SPRS). If a contractor does not meet a specific NIST SP 800-171 requirement, it must prepare and upload a Plan of Action and Milestones (POAM) to remediate the gap. Additionally, the DoD has the right, if it chooses, to audit contractor compliance with DFARS 252.204.7012.
- The presenters indicated that they have heard of CMMC requirements appearing in certain DoD solicitations. However, they reiterated that the DoD Chief Information Systems Officer (CISO) must approve the CMMC requirement within solicitations, which has not occurred. The DoD CISO is currently focusing on approving the CMMC pilot assessments.
- While DFARS 252.204.7012 allows for the possibility of contractors to have POAMs and still be awarded a contract, the CMMC does not allow for POAMs. The contractor must meet all requirements to be certified at the specific Maturity Level. For more information on CMMC Maturity Levels, read Understanding the DOD’s Cybersecurity Maturity Model Certification.
- If using subcontractors, the prime contractor is responsible for determining the CMMC Maturity Level at which each subcontractor must be certified, based on the information to which the subcontractor has access.
- The prime and subcontractors are responsible for hiring a CMMC Third Party Assessor Organization (C3PAO) to perform their assessment. The contractors should hire their C3PAO from the CMMC AB Marketplace. The marketplace also provides access to Registered Practitioners (RPs) and Registered Provider Organizations (RPOs). RPs and RPOs provide advice, consulting, and recommendations to their clients. The presenters suggested that contractors hire authorized RPs and RPOs from the marketplace because they will have gone through the DoD approved training and can provide the specific guidance necessary to comply with a CMMC Maturity Level.
- The CMMC AB continues to accept and approve applications for RPs, RPOs, Assessors, and C3PAOs. Once approved, the vendors are listed on the respective CMMC AB marketplace. However, the RPs, RPOs, Assessors and C3PAOs are not fully certified until they complete the required training, which is still being developed. The presenters indicated that the training should be available in the second quarter of 2021. For C3PAOs, in addition to the training, the C3PAO must go through their own CMMC assessment prior to being certified to perform CMMC assessments.
Only 1,100 of the 50,000 active DoD prime contracts are expected to be selected for the CMMC pilot over the next five years. As a percentage, therefore, the likelihood that any single contract will be selected is low, and most contractors do not have an immediate need to become CMMC certified. With that said, contractors that have access to CUI still need to ensure they upload their NIST SP 800-171 self-assessment to the DoD SPRS and execute on their POAMs. Additionally, all contractors should begin performing CMMC readiness assessments so that they have plenty of time to remediate any gaps identified before 2026. As the CMMC Marketplace becomes more fully populated with C3PAOs, contractors would be wise to identify several assessors with the appropriate expertise who can be called upon when CMMC requirements emerge.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.