
NIST SP 800-171, CMMC 1.0 and CMMC 2.0
-- A History of DoD Efforts to Protect the DIB

The DoD has been working to improve cybersecurity over the last several years as reports of nation-state sponsored theft of defense secrets appear on a regular basis. The biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information called CONTROLLED UNCLASSIFIED INFORMATION or CUI.

In 2013 the DoD created a security requirement in the Defense Federal Acquisition Regulation Supplement called DFARS 252.204-7012, and a few years later NIST released a security requirement named SP 800-171. While both of these were a start toward improving security for the defense industrial base, they didn't solve the problem.

What is CUI?

Controlled Unclassified Information or CUI was created after 9/11 via a presidential memorandum signed by President Bush. It was updated in 2011 by President Obama under Executive Order 13556. The Pentagon and other parts of the government are still working on implementing this 20 years later.

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.

CUI is not classified information. It is not corporate intellectual property unless it was created for, or included in, requirements related to a government contract. It is information that we do not want to fall into our adversaries’ hands. An example of this is the design of the F-35 fighter, which China stole and used to build its own.

Why is CUI Important and What is the CMMC?

Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.

The problem was that companies were claiming to be compliant with these regulations when they were not, and no one was checking to verify it.

In early 2019 DoD upped the ante by releasing the Cybersecurity Maturity Model Certification (CMMC). This was the first time DoD required contractors, sub-contractors and suppliers to be CERTIFIED to participate in the DoD supply chain.

US Army Cyber Operations Center - Fort Gordon, Georgia

CMMC 1.0 vs. CMMC 2.0

The DoD released version 1 of CMMC as an emergency requirement and while that allowed them to deploy it quickly, it didn’t mean that it was going to be painless. In fact, especially for small businesses, the CMMC 1.0 was quite painful and expensive to implement.

As part of the emergency rule-making process, DoD was required to conduct a review and make changes if needed. That review was supposed to be complete in April of 2021. It was released this last November.

In November DoD released CMMC 2.0. This version is not yet approved under the government's rule-making processes. Here are some of the basics that we expect to see:

1. The five levels of CMMC are now three. Since the DoD never planned to certify anyone at levels 2 or 4, this is no loss and doesn’t really change much.

2. Contractors that have to comply with Level 1 can self-certify. These companies only need to have very basic security so self-certifying is a pretty low risk. Note that you cannot have access to CUI at level 1.

3. CMMC 1.0 Level 3, now called Level 2, may be split into two sublevels, with the lower sublevel able to self-certify. The DoD has not explained how they are going to decide who can have access to CUI and self-certify and who has to be certified by a third party. Those lucky ones who can self-certify have just reduced their compliance cost by tens of thousands of dollars. The higher Level 2 companies will still need to get a third-party certification, just like the old Level 3. It is anticipated that only 10-15% of companies at Level 2 will be able to self-certify.

4. Level 3 is going to require both a Level 2 third-party certification and also an extra certification done by DoD. They have not figured out how Level 3 is going to work, but that should not affect most contractors. It will probably be mostly those working for the intelligence community.

5. The 20 extra controls that were in CMMC 1.0 are gone, but only for now. The DoD has said that they are going to ask NIST to add them to the next version of 800-171, so this is only a short-lived reprieve.

6. The Process Maturity Levels from CMMC 1.0 are gone. These are probably gone forever, but you really should be doing these anyway. You just won’t be tested on them.

7. The Department of Justice says publicly that they are going to file lawsuits against companies that have lied about their 800-171 compliance. We have seen two settlements thus far, but expect more. This is a big stick because if the DoJ wins, a company could be disqualified from receiving any DoD contracts and can be fined millions of dollars.

8. The CMMC-AB (now referred to as the Cyber AB), in our opinion, is going to be in a holding pattern for the next year or two. With no published regulation, it is going to be hard to move forward. They are encouraging folks to voluntarily get certified. We assume most won't do this, but for those who do, there could be more government business.

9. The DoD says that they want to create some sort of incentive for companies to get certified before the regulation is approved. They have not said how that is going to work, or even whether they have the authority to do that.

Here is the CMMC-AB (AKA Cyber-AB) organizational structure (image: CMMC organizational structure):

10. Certifications will expire. For self-certifications, an executive of the company will need to sign that they understand what they are signing and that everything that they have attested to (as in that they are fully compliant with 800-171) is true. You will have to do this every year. This is an easy place for the DoJ to come after you for fraud, disqualify you for future contracts or place onerous requirements on you.

At the higher levels, certifications will last three years – or at least we think that is true.

It is also possible (or even likely) that the Pentagon may require that classified network owners be certified as well, although they have not said this publicly. Yet.

NOTE: We will update this web page as more information is released by the Department of Defense.

For more info, please see our FAQ page HERE.

The CMMC Model

The CMMC will encompass three maturity levels that range from "Foundational" to "Expert". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go decision."

In its final form, the CMMC was intended to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 and Rev. 2), NIST SP 800-53, and AIA NAS9933 into one unified standard for cybersecurity. After a lot of pushback from the contractor community, they limited CMMC to just the controls in 800-171.

They say they plan to enhance NIST SP 800-171 to bring back some of the controls that were in CMMC 1.0 and are not currently in CMMC 2.0. They are doing this by creating a version 3 of 800-171, which will likely be released in 2023.

The Difference between NIST SP 800-171 and CMMC

To be clear, the DoD does not control what is in 800-171. That is the responsibility of the Department of Commerce. If you don’t like what is in 800-171, talk to Commerce; DoD can’t change it.

CMMC is a program to make sure that contractors who say they are complying with 800-171 really are complying. That is ALL CMMC is. CMMC does not have any of its own requirements any longer.

What the CMMC Means for DoD Contractors

The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a "verification component" for its cybersecurity requirements. The DoD has entrusted DoD contractors to achieve compliance and (with continued pressure) to ensure 100% adoption of cybersecurity controls while the DoD updates its policies. This is a "trust but verify" process.

The DoD is putting a lot of pressure on the big primes to get their subs in line. Of course, the primes don’t have their own houses in order yet. The prime contractors are required to flow down the appropriate CMMC requirement to sub-contractors and the subs must flow down these requirements to their subs.

Don’t Forget About Your Sub-Contractors and Vendors

If you have a vendor that has access to your systems, such as an IT services provider, or a vendor that you give either system access or data, any of those third parties may need to be certified at the same level as you are or above. The current DFARS -7012 and -7019 clauses are MANDATORY flow-down clauses with no changes allowed other than inserting your company’s name. Since almost all companies use vendors or service providers, this is going to be a big one. When CMMC is fully rolled out, any subs or vendors used on the contract will need to be certified at the appropriate level before the contract can be awarded.

Current CMMC Certification Status

The DoD still plans on maintaining a database that contracting officers will review prior to awarding contracts. What this looks like is still undefined. It will probably look something like SPRS plus other systems.

Important Dates and Milestones for ALL DoD Contractors, Subcontractors and Suppliers

  1. Now: Evaluate your current NIST SP 800-171 compliance status and implement a plan of action with milestones to remediate any non-compliance issues.
  2. January 2020 - DoD released the CMMC 1.0 standard.
  3. An update to the spec was released in March 2020.
  4. CMMC 2.0 concepts were released in November 2021.
  5. CMMC 2.0 rules are expected to be released between late 2022 and sometime in 2023.
  6. How long contractors will have to get compliant after that is unknown, but realistically, it has to be several years.

Ultimately, DoD contractors will not be allowed to bid on RFPs unless they are certified at the required level. This is different than what has been the norm historically. Historically, contractors get certified after the fact. The plan has changed. Now you will have to be certified in advance.

Whoops – That Didn’t Work, The Dates Have Been Revised – Again

The current plan is that the new regulations will be released around March of 2023. *IF* the rulemaking authority allows the DoD to create what is called an interim final rule, DoD could start putting certification requirements in SOME RFPs 60 days later. If they are not allowed to create an interim final rule, then we won’t see this in RFPs until May 2024. We anticipate they will allow it.

BUT, and this is a big one, DoD will roll this out slowly because they know that if they roll it out too fast, no one will be able to bid on contracts. If it costs too much, then people will opt out of bidding.

Becoming Certified

DoD contractors will need either to self-certify or to coordinate directly with an accredited, independent, commercial certification organization to request and schedule a CMMC assessment. If they need to get to CMMC 2.0 Level 3, they will also need to coordinate with the DoD after they have their third-party certification.

How to Prepare for a CMMC Audit

Option 1: Do it Yourself and Meet Requirements In-House

DoD contractors or suppliers who have the skill, resources and IT staff available can meet the appropriate CMMC level of cybersecurity in-house. Internal IT departments can use the "Self Assessment Handbook - NIST Handbook 16" provided by the National Institute of Standards and Technology (NIST). This handbook was created by NIST with the intention of assisting U.S. DoD contractors who provide products and services for the Department of Defense. Unfortunately, this handbook only covers NIST SP 800-171 Rev. 1 (a good starting point for certifications up to CMMC Level 2), and there is currently no Self Assessment Handbook for NIST SP 800-171 Rev. 2. However, a copy of Rev. 2 itself can be found HERE. Note that this will not get you certified. If you are required to get certified, then you will need to engage an approved third party (like us), and if that process is successful, you will be awarded a certification at the appropriate level.

Option 2: Work with a CMMC Consultant

For many DoD contractors, the most effective way to meet the CMMC cybersecurity requirements is to outsource the task to a consulting partner that has the appropriate expertise and can work with you to become compliant. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the appropriate cybersecurity requirements, so it is essential to choose a provider that is reputable. Again, you will have to engage a third party for the actual certification process.

CyberCecurity, LLC and Turnkey Cybersecurity and Privacy Solutions, LLC are two such cybersecurity consulting companies.

The Risk Assessment or Gap Analysis

The first step towards compliance is to determine what CUI you have, how it is used and who needs access to it. Then you should conduct a gap assessment to determine how close your company is to compliance. This process is called the risk assessment or gap analysis. Gap analyses are designed to discover areas where the company is not fully compliant with the regulations.

The results of the gap analysis may reveal issues related to:

  • What third parties (such as MSPs, subcontractors or vendors) have access to systems and data
  • How access to information systems is controlled
  • How managers and information system administrators are trained
  • How data records are stored
  • How security controls and measures are implemented
  • How incident response plans are developed and implemented
  • And much more

Without a gap analysis, it's impossible to know what changes an organization needs to make before it meets the required CMMC Level. The gap analysis provides a roadmap to becoming compliant.

Ongoing Cyber Security Monitoring and Reporting

Certification is a point-in-time event. Even if it covers some historical period, as AICPA SOC Type 1 audits do, it doesn't mean that you will be compliant in the future.

The DFARS also requires almost instant notification (within 72 hours) of a security event to your prime contractor or to the government. Part of being compliant is being able to respond to these incidents within the required time frame and with the required data to the appropriate party.

The Importance of Passing the First CMMC Audit

For many companies, DoD contracts make up a substantial percentage of their revenue and because NIST SP 800-171 is a requirement in many cases for bidding on contracts (check with your contracting officer), it's extremely important that contractors are complying with 800-171. If a contractor lies about being 800-171 compliant, they can be fined and debarred.

CMMC Audit Preparation & Assessment Services

CyberCecurity, LLC and Turnkey Cybersecurity and Privacy Solutions, LLC are full-service cybersecurity companies that offer a wide range of cybersecurity and privacy services, including various certification services. For more information about our certification services, please give us a call (info below).

We currently offer:

  • CMMC pre-assessments.
  • Development of a SSP and POA&M
  • Implementation of the NIST 800-171 and anticipated CMMC requirements

Accomplishing the above items will facilitate becoming compliant with the CURRENT, EXISTING, ONGOING DFARS.

Have more questions?

Please call me for more information:
Mitch Tanenbaum, CISO, CyberCecurity, LLC
mitch@cybercecurity.com
720-891-1663