The CMMC Academy recently held its final webinar of the year, CMMC 2021 Highlights and Preview of 2022. Celerium’s COO, Chris Gundel, and Celerium’s Director of SMB Solutions discussed CMMC 2.0 and its impact on small and medium-sized businesses.
During the webinar, our executives answered several questions from viewers. Here is a recap of the key questions and answers from the webinar.
What are the major changes to the overall CMMC model?
Answer from Chris Gundel, COO of Celerium and the lead on our CMMC initiatives:
Basically, CMMC 2.0 streamlines the certification process and reverts back to NIST (National Institute of Standards and Technology), which was a standard that came out in 2017. As you can see from the diagram, we've moved from five levels to three. Level 1 is 17 practices or controls. Level 2 is now 110 controls instead of 130. And Level 3 basically relies on NIST 800-172.
Annual self-attestation is back for Level 1 companies and Level 2 organizations that deal with CUI (controlled unclassified information) that's termed non-prioritized. For Level 2 organizations that deal with prioritized CUI, which is defined as CUI that is vital to national security, those organizations still need to go through an assessment and receive certification from a third-party assessment organization called a C3PAO. And at Level 3 only, the DoD’s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) is the certifying organization.
What has specifically changed in CMMC 2.0?
Answer from Chris Gundel:
Level 1 is basically the same with 17 controls. When we get to Level 2, there are 110 controls that are from NIST 800-171. Then at Level 3, there are advanced controls that are based on NIST 800-172, but this level is still under development.
The 20 unique CMMC practices that were in Level 3, called delta practices, were removed. All the maturity processes were removed, at least from the assessment requirements. That's the documentation of processes, procedures, policies and plans. However, that doesn't mean you don't need to have documentation. NIST 800-171 Appendix E specifies you still need an SSP, a system security plan. You need policies. You need to follow the standard. You definitely need to document your procedures.
For a CMMC 2.0 Level 2 organization, what are the benefits of getting a C3PAO accreditation performed versus performing and reporting a self-assessment?
Answer from Chris Gundel:
There's a lot of benefit. First, the DoD announced they're going to provide incentives for those companies that raise their hand and say, “we're voluntarily going to get externally assessed by a C3PAO.” In a recent town hall from the CMMC Accreditation Body, they had a representative from their defense industrial base advisory council speak to what kind of incentives they would like. And the first incentive they were suggesting to the DoD is to pay for those assessments for those companies that volunteer to be externally assessed.
Second, the jury's still out on whether the prime contractors are going to require their subcontractors to be externally assessed, particularly if they're handling CUI. But with the flow-down clause and with the enforcement of the Department of Justice’s Civil Cyber-Fraud Initiative and the False Claims Act, it's a really good idea to plan to be externally assessed.
How do you score your NIST assessment in SPRS?
Answer from Chris Gundel:
The first thing I suggest you do is download our NIST 800-171 tool that has the whole scoring built in. But in order to really learn what's going on behind the scenes, I would urge you to download the 800-171 assessment methodology version 1.02 that came out in June of 2020.
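For the scoring question above, here is an added Python example (not Celerium's tool and not code from the webinar) showing how an SPRS score is derived under the DoD's NIST SP 800-171 assessment methodology: start at 110, subtract each unimplemented requirement's weight (5, 3 or 1), give partial credit only to 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and refuse to score at all when there is no system security plan (3.12.4). The excerpt of requirement weights is constructed from my reading of the methodology and is an assumption to be checked against the published table before use; requirements not listed in the excerpt are treated as implemented.

```python
"""Minimal SPRS (NIST SP 800-171 DoD Assessment Methodology) score calculator.

Added example. Scoring rules as understood from the methodology:
  * every organization starts at MAX_SCORE (110, one point per requirement),
  * each NOT_IMPLEMENTED requirement subtracts its weight (5, 3 or 1),
  * 3.5.3 (MFA) and 3.13.11 (FIPS crypto) subtract 3 instead of 5 when PARTIAL,
  * 3.12.4 (the SSP) carries no points; with no SSP the assessment cannot be scored.
WEIGHTS is a constructed excerpt of the weight table, not all 110 rows.
"""
from enum import Enum

MAX_SCORE = 110


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # only valid for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Constructed excerpt (requirement id -> points lost when not implemented).
# Assumed values; verify against the published methodology table.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect CUI in backups
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct flaws
}

# Reduced deduction the methodology allows when these two are partially done.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id, status):
    """Points to subtract for one requirement in the given status."""
    if req_id not in WEIGHTS:
        raise ValueError(f"unknown or unlisted requirement {req_id}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.NOT_IMPLEMENTED:
        return WEIGHTS[req_id]
    if status is Status.PARTIAL:
        if req_id not in PARTIAL_DEDUCTION:
            # The methodology gives no partial credit anywhere else:
            # a partially done requirement is simply not implemented.
            raise ValueError(f"{req_id} has no partial-credit rule; mark it NOT_IMPLEMENTED")
        return PARTIAL_DEDUCTION[req_id]
    raise ValueError(f"unexpected status {status!r}")


def sprs_score(statuses, has_ssp=True):
    """Compute the score to report in SPRS.

    statuses: dict of requirement id -> Status. Requirements absent from the
    dict are assumed IMPLEMENTED. Raises if there is no SSP (3.12.4).
    """
    if not has_ssp:
        raise ValueError("3.12.4: no system security plan, assessment cannot be scored")
    return MAX_SCORE - sum(deduction(req, st) for req, st in statuses.items())


def remediation_priority(statuses):
    """Requirements still costing points, highest-value first: (id, points lost)."""
    losses = [(req, deduction(req, st)) for req, st in statuses.items()]
    return sorted([(req, pts) for req, pts in losses if pts > 0],
                  key=lambda item: (-item[1], item[0]))


# Constructed sample self-assessment for a small contractor.
SAMPLE = {
    "3.1.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,           # MFA on remote/privileged only
    "3.13.11": Status.NOT_IMPLEMENTED,  # encryption in use but not FIPS-validated
    "3.8.9": Status.NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))          # 110 - 3 - 5 - 1 = 101
    print("Fix first:", remediation_priority(SAMPLE))
```

Note that the partial-credit path for 3.13.11 applies only when encryption is actually in use but not FIPS-validated; the sample marks it fully not implemented to show the full five-point loss, and `remediation_priority` then ranks it first.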
Since self-certification is now being allowed at CMMC Level 1 and some CMMC Level 2 organizations, and we know the entire program originated because under DFARS (Defense Federal Acquisition Regulation Supplement), self-certification was meaningless, isn't this a step backward?
Answer from Chris Gundel:
With the Civil Cyber-Fraud Initiative from the DoJ, there's an increased risk of financial penalties. And there is a requirement for company leadership to affirm these controls are in place as part of the self-attestation process.
And, combined with the Cyber Incident Reporting Act, this puts a lot more teeth in self-attestation than previously existed.
So, there are pretty heavy financial burdens and reputations at risk here with affidavits from corporate leadership.
My company does not have an on-premises network. All is cloud-based. It gets very confusing when the control questions ask you about the security profile of something located in the cloud and not at the facility. We have a small LAN that houses our physical security and internet connections. This is the only thing I can think of to refer to as an on-prem network. Am I overthinking the relationships?
From Chris Opp:
This is a great question because a lot of companies are in the same boat.
The first thing to consider is the three standards for networking. You have on premises, which is all the stuff you can reach out and touch. Maybe you have servers on premises. Your workstations actually count, because they could have CUI on them. So even though you're only plugged into a switch to get to the internet or the Wi-Fi, your workstation is still part of that information system.
Secondarily, you have purely cloud. So that would be where you have a system set up that is online. Your files are stored online and any time you use them they are downloaded to your workstation. These are services such as Office 365 or AWS (Amazon Web Services). These systems still need to be secured at whatever level of CUI (Controlled Unclassified Information), CDI (Covered Defense Information) or CTI (Controlled Technical Information) that they contain on that system.
Finally, you have hybrid. This is something a lot of companies have, where your Active Directory may be part of your Azure and syncs out to the cloud. And so when everybody authenticates centrally, they authenticate out to the cloud, but that also means that any controls based on authentication are going to apply to both the cloud and the on-prem systems, along with any controls that apply to the data both if it’s in the cloud and on-premises.
What I suggest in this case is to think about the scoping. Where that data physically or logically resides is where you need to think about doing these controls for that data. So, for example, if all the data is out on Office 365, then you need to make sure Office 365 is up to snuff. If you have the data on one computer that doesn't have internet access, but it happens to be physically in your office, then only that one computer needs to have the controls applied to it -- with multifactor authentication and all those different things.
Is the expectation that a company will submit a single-score summary in SPRS (supplier performance risk system)? How should a company handle situations where they are completely separate business units within a corporation?
Answer from Chris Gundel:
Scoping is going to be important. My take on this is they're probably going to need a separate score for each of the business units, depending on how unique they are. But scoping is critical. And that is without knowing details, they've got to do that.
What do you think is critical national defense information? This is key to determine whether a third-party assessment is needed.
From Chris Opp:
Critical national defense information, if you break it apart and think about it, it's stuff that would impact our national defense. The thing is – we have enemies and competitors around the world that want our information or to stop us from doing business or fighting wars. Some types of information could be how these fighting systems work, statistics on how well our satellites are working or where they are, or whatever else we need to defend our nation or to keep our adversaries from having an advantage. Other things could be critical technology – like some new thing a company has invented that would give us a leg up, not only from a military perspective, but even from an economic standpoint (Some wars are fought through money!) – and that could easily become part of that critical information.
With that in mind, a rule of thumb is to think of it from the perspective of the bad guy. Is this something the bad guy could use to gain an advantage against the U.S. and all the people within it? Even the warfighter, how can this affect them and their ability to defend the nation?
Is an SSP (system security plan) necessary now for Level 1?
From Chris Gundel:
It’s a good idea, but it's not necessary. Basically, the Level 1 in CMMC 2.0 is similar to Level 1 in CMMC 1.0, which means those controls need to be performed. So, is it a good practice to have an SSP? Yes. But is it going to be required? I am not sure.
From Chris Opp:
I lean towards if the company has CUI, they should have an SSP to maintain it.
Join the CMMC Academy for free to access our resources and on-demand video library.