Insights from Bob Metzger: The Accidental Rule Drop
In this short video, Bob Metzger, a well-respected authority on government security laws and regulations related to the Defense Industrial Base and CMMC, speaks with Bill Wootton, chief revenue officer at C3 Integrated Solutions, about August's accidental drop of portions of the CMMC rule and what it means for defense contractors.
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and opinions expressed in this video should be considered discussion for the purposes of public interest only.
Bill Wootton: Hi, I’m Bill Wootton, Chief Revenue Officer of C3 Integrated Solutions. Recently, I had the pleasure of sitting down with the legendary Bob Metzger, a well-respected authority on government security laws and regulations related to the Defense Industrial Base as well as CMMC. As a member of C3’s Board of Directors, Bob has already provided us a tremendous amount of value for our strategy and direction, and we thought it’d be great to give him the opportunity to do the same for you.
Let’s listen in on what Bob had to say about the accidental release of information that was related to CMMC back in August.
So Bob, back in early August, there was a brief release of some additional information beyond what we’ve previously known about some of the rulemaking and some of the content around that. Can you talk a little bit about that and describe what was released and what the importance was?
Bob Metzger: Well, it was really interesting to see that. You know, I’ve been studying rule-making and administrative law for a fraction of my career over a longer period than I’m willing to admit, and I have to say that when that turned up, I was a bit surprised because I had never seen guidance documents accompanying a future rule published before the rule itself was completed. I also thought it was interesting that several of the documents were in Word versions, as though they were ready to be edited by one and all. This is not normally how it’s done. I don’t know exactly how it happened, but I knew more or less at the moment it happened that it was unauthorized and, like so many things, would not last.
However, there were some interesting things to see in there and to learn. So what we saw was essentially an update in the existing CMMC guidance documents that they were marked as version 2.1. And the update included the Level 1 and Level 2 assessment guide, as well as the scoping guidance for Levels 1 and 2.
There was an overall description of the CMMC program. I think there was a hashing guide for how one submits reports to CMMC. And there was also a draft of the Incident Collection Request [corrected], which was to justify the paperwork that is expected by the new rule. Lots to read. My overall reaction was this: There were many small changes. Overall, I did not see much difference in the strategy or architecture. I saw lots of things to cause future questions. In many instances, there were mysterious references to sections of a future 32 Code of Federal Regulations, section 170.
There are all kinds of definitions of things that we would care about that were referenced at 32 CFR. Well, that does not yet exist. Only after the new CMMC 2.0 rule is final will we know what is in the Code of Federal Register for those new sections, and not until the proposed rule is published will we really be able to understand how the guidance documents relate to new features of the proposed rule.
Bill Wootton: That’s great. It’s a little bit of a treasure trove of information that was kind of a little bit unanticipated. One of the things we also saw in that release of documents was the first insight on how they’re going to handle CMMC Level 3. What did we learn there?
Bob Metzger: Well, what I thought was most interesting about Level 3 was information contained in that ICR document.
That was the document that showed us the rollout plans for CMMC, and also it showed how many companies in the DIB would be likely to find themselves at level 1 or level 2 or level 3. Only a fairly small percentage of the DIB was expected to be subject to level 3. I’ll make a couple of observations about that.
Level 3 is much more difficult and generally perceived to be more expensive for defense contractors. It is intended to be more successful against nation state or advanced persistent threats. It is an important standard if you can afford to do it because it actually will make it less likely that a sophisticated attack from China, for example, will succeed in exfiltrating data.
But I think DOD has recognized that Level 3 is a bridge too hard and too far for all but a small fraction of the DIB. We may see more companies subject to Level 3 over time, just as we might see a progression in the expectations for a Level 2. But for the time being, only a very small fraction, just offhand, I’d say about 5% of the DIB is likely to find that they are required to satisfy level 3.
Bill Wootton: I think one of the things that will be interesting is that small subset that are required: how many companies decide that they want to go past what they’re required to do and pursue Level 3 on their own? We’ve seen that with clients who technically probably could get away with Level 1 but have gone and pursued achieving Level 2 in anticipation of future work or in anticipation of other contracts that they may be pursuing.
So with this content, it kind of came out. It got pulled back. Is there anything actionable from a contractor perspective with this content? What should they be doing? How should they react?
Bob Metzger: Well, first, I advise companies of different sizes and levels of sophistication in the marketplace. And I’ve worked with several who are now subject only to Level 2, but who actually are pursuing Level 3 because they think it will be a competitive discriminator to be better, to have higher security than Level 2. I also have worked with some companies who do work of a sensitivity to DoD or the intelligence community, who need to have controls at the level of Level 3 in order to better protect the information and performance that their customers require.
All things being equal, I would urge any company in the DIB to try to advance its security beyond the minimums. And in that respect, we know that SP 800-171 Revision 2 is the baseline. That baseline has been around for a few years, as you know, Bill. In some respects, it’s been outpaced by APTs, as well as by ransomware threats.
Yet, it’s a good baseline, and we have to start somewhere. And if we can achieve industry-wide satisfaction with 171 Rev 2, well, that gives us a solid foundation to do better against evolving threats. Now, going to the other element of your question, what should companies do? Well, there is information value in the 2.1 release, even though it was only briefly available publicly. Companies should read it. They should especially read, I think, the Scoping Guidance for Level 2, and they might want to take a run through the Level 2 Assessment Guide. This is just to be better informed before the proposed rule is published.
We’re only going to have 60 days after publication to put together comments. It’s really important that the comments be thoughtful and constructive, and it’s ideal to include with comments any suggestions or recommendations on how to improve upon the proposed language. Well, you know, if you look at the key issues that emerged from these 2.1 documents, you’re going to see some things that are worth studying now. One of those areas especially is the treatment of external service providers, which I find variously encouraging, slightly confusing, largely, and very worrisome, partially. This will matter considering the huge percentage of the DIB that uses managed service, managed security as a service, and external service providers.