CMMC Level 2 Bifurcation Rule

The release of the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), in late 2021, saw many changes to the original CMMC 1.0 program. The drawn-out process of releasing CMMC in a provisional phase seemed laborsome and at times, like the program would never start. Specific changes to the CMMC model caused some controversy but made sense in the larger picture of Cybersecurity, such as the model scaled down from five levels to three, and CMMC Level 1 focusing on Federal Contract Information (FCI) and allowing those organizations to self-attest to their cybersecurity posture, just to name a couple.

One of the most controversial changes was the bifurcation of CMMC Level 2 and those organizations that deal directly with Controlled Unclassified Information (CUI). The concept was for CUI data to be split into CUI that was deemed critical to National Security, and CUI data that was not. For those organizations dealing with non-critical CUI data, they could self-attest to their cybersecurity posture, while the others would require a CMMC Level 2 assessment from a Certified Third-Party Assessment Organization (C3PAO). Needless to say, there was much push back from industry and a lot of confusion from the Defense Industrial Base (DIB) contractors. Many in the cybersecurity industry could not understand how those dealing with CUI data could self-attest, something that has been in place for years, and found to be ineffective. Meanwhile, for the DIB contractors, the bifurcation caused confusion, as many were not sure which category would apply.

Since moving control of CMMC to the Department of Defense Chief Information Office (DoD CIO) in late 2021, the program is meeting timeline objectives and is gaining confidence across the DIB that the CMMC program will begin very soon. The other positive of this move, is that the DoD CIO understands cybersecurity and what it means to protect CUI data, so they are not afraid to address/adjust certain aspects of the CMMC 2.0 model to ensure the program will meet its intentions. One of the latest announcements, concerning this topic, was announced in a town hall on February 10, 2022. According to an article by Justin Doubleday at the Federal News Network, David McKeown, Deputy DoD CIO commented that, “Further analysis has shown all 80,000 OSCs will require third-party assessments.” He went on to say, “Unfortunately, it looks like pretty much everybody falls into the category of either being a clear defense contractor or having some critical industry tie.”

So, what does this mean in the grand scheme? Well, a few things…

• The guess work is removed. Organizations Seeking Certification (OSCs), for a CMMC Level 2 assessment, will have to go through one of the, currently, six authorized C3PAOs
• The DoD CIO is gaining confidence in the C3PAOs that they can handle the capacity to conduct CMMC Level 2 certifications
• The DoD trusts that the Cyber-AB training and the Licensed Training Providers (LTPs) can produce enough assessors to fill the eco system to handle the capacity

Although the CMMC program is in the “rulemaking” phase, meaning updates are required to the FAR regulations before CMMC language can be added to new DoD contracts, the DoD CIO is not slowing down the pace to get CMMC going. Currently, OSCs are encouraged to reach out to C3PAOs to get their CMMC Level 2 certification assessments completed now. This “voluntary” phase allows OSCs to be postured for DoD contracts when the “rulemaking” phase is complete, and it also mitigates the backlog the DoD fears will happen when the “rulemaking” phase is complete.

There is other “moving pieces” taking place in the background to ensure capacity requirements are achieved.

• The Defense Contract Management Agency (DMCA) has re-started the certification process of candidate C3PAOs using the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team, to fill the eco system with more C3PAOs
• The CMMC-Accreditation Body (CMMC-AB) is working diligently with the current C3PAOs to ensure they are postured with enough CMMC Assessors to handle the capacity
• The CMMC-AB is working closely with the Licensed Training Providers (LTPs) to update the CMMC training courses to provide the eco system with qualified individuals

The time to wait on booking your assessment is over. CMMC is gaining ground and the CMMC requirements are not going away. It is said that “The early bird gets the worm.” OSCs shouldn’t wait, but rather should work diligently to become an early bird. The other option is to wait and stand in line while others are certifying before you.

Redspin was the first authorized C3PAO to hit the eco system and offers innate knowledge of what it takes to understand the CMMC requirements, put the requirements into practice, and ensure the practices continue to meet the requirements under CMMC. OSCs will gain valuable experience and knowledge from Redspin’s CMMC PA, Dr. Thomas Graham, who was the chief architect for Redspin and played a vital role for Redspin becoming the first Authorized C3PAO. Whether you need help getting ready for a CMMC Level 2 assessment, or feel you are ready now, Let Redspin assist you.

References:
Justin Doubleday, Federal News Network, 12 Feb 22.
David McKeown, Deputy DoD CIO, CIO Town Hall – 10 Feb 22

How Redspin can help >>

If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.