
CMMC Proposed Rule Basics: What You Need to Know

On February 21, 2024, C3's Bill Wootton covered the details of the proposed CMMC rule and explained what it means for your company and your compliance efforts. Watch the webinar recording here.

On February 21, C3’s Chief Revenue Officer Bill Wootton walked through the basics of the CMMC rule and provided a primer for deeper analysis about what it all means – and what it means for your business. The webinar included these subjects and more:

– FCI and CUI
– CMMC rulemaking processes
– Levels of CMMC and types of assessments
– Timelines
– Conditional Assessments & POA&Ms
– Cost analysis

Watch the webinar recording via the link above.

Additional Q&A from the Webinar

Are Chinese cameras for video monitoring allowed now? Can I use Chinese cameras for purposes other than monitoring IT systems?

Section 889 is the appropriate reference for the Chinese firms whose products are prohibited from use.

Do you know if SBIR/STTRs will be Level 1 or Level 2? How can truly small companies afford all this?

Our understanding is that Level 2 initiates the DFARS requirements which would include the CMMC program requirements.

What are the CMMC requirements and expectations for a prime vendor's CSP (a fourth party to DoD)?

Any information system that stores, processes, or transmits CUI is subject to CMMC requirements, regardless of where it sits in the supply chain.

Who in the organization is qualified to affirm?

CMMC only discusses a “senior official” from the contractor.

Video Transcript

Karen:

Good afternoon, everybody. Thanks so much for joining us. You are at the webinar from C3, “Proposed CMMC Rule Basics: What You Need to Know.” My name is Karen Vasquez. I’m the marketing director here at C3. We’ll be joined in just a second by Bill Wootton, our Chief Revenue Officer, and he will provide some introductions himself. Before we get started, however, I just wanted to go over a couple of housekeeping items.

First and foremost, we will be making this presentation recording available to you all after the conclusion of the webinar. So no need to take furious notes. You’ll be able to get a copy of the full recording, and we will distribute that via email when we’re finished.

The second item is questions. As you all see, you have joined with your cameras off and muted as well. If you do have any questions throughout the course of the webinar, if you look in your panel, on the right-hand side there is a menu that indicates questions. Please feel free to send whatever questions you have. If they are of a housekeeping nature, I will be sure to answer them as we go along.

If there are questions for Bill, we will hold those to the end and have a few minutes for Q&A. Anything that Bill doesn’t get to during the course of that Q&A session, we will be sure to compile and answer offline. So, I think those are the only two items that we really need to cover. Let’s get started.

So I’m going to kick things over to Bill. He’s going to pop on camera here in just a second and introduce himself. Hi, Bill.

Bill:

Good afternoon, everyone. My name is Bill Wootton. I’m Chief Revenue Officer of C3 Integrated Solutions. As an organization, we’ve been working with CMMC, and prior to that DFARS 7012, for about seven years now. We have literally hundreds of clients that we work with in the defense industrial base.

And thank you for taking a little bit of time out of your day to spend with me and with us and learn a little bit about CMMC and the rules that we go through. Next slide, and let’s go one more. So today’s topic and the purpose today is to talk about CMMC, the proposed rule, the CFR 32 rule that just got released. This is really intended to be a basics on CMMC for the majority of the conversation, and it’s really intended for folks that need to get that foundation and understanding and reference point in terms of what CMMC is all about. We will talk a little bit about the implementation of CMMC with respect to the timelines, the costs that are presented in the proposed rule, and then we’re going to spend a little bit of time on the public discussion of public comments. What the DOD did is, when they issued CMMC 1.0, they had over 750 public comments. They took the time in this rule to address many of those and really provide some interesting clarity on a bunch of items that were kind of open questions.

And we’re going to walk through those in some detail as well to kind of provide some guidance on that. So let’s get started. Let’s get into the next slide. In addition to today’s webinar, we have a ton of other resources on our website. In particular, I want to point out one that we just did a little less than a month ago, about three weeks ago, that was “CMMC is Live: Learn What it Means for You.” It’s really, actually, in a lot of ways a companion webinar to this one. This one is going to explain CMMC and what the basic sort of program is. That webinar was run by Ryan Heidorn, our CTO; Bob Metzger, a well-respected individual in the community and a board member of C3; as well as Amira Armond, who’s also very respected in the community and a C3PAO. That conversation is going to take this one and bring it into more of the commentary and some of the response and reaction to the rule itself. In addition to that, we have a couple more things that we’re planning along the way. Next week we’re going to talk about our Steel Root compliance program.

That is our approach to solving the challenge of CMMC, how we approach it with a prescribed approach that takes you from implementation to management all the way through into compliance. In early March, we’re going to have a webinar dedicated to our comments on the rule itself. Again, kind of building on the content that we’re talking through today.

And then as we move into March and April, we’re going to have a couple more pieces of content that are around scoping and the cost of CMMC, helping folks kind of get started and understand what the challenges are for them and get their hands around the whole thing. So, all right, let’s get moving. Next slide. I’m going to start with a slide.

It just kind of sets the tone and reminds us why we’re all here. I am shamelessly stealing this slide from our CTO, Ryan Heidorn. It just kind of reminds us we are literally hemorrhaging critical information. There’s a reason that we’re doing all this. There’s a reason for all this pain: that information. Our adversaries are taking our technology and are using it against us.

And what we’re really here to prevent is, as we hit the next button, this situation here, where our adversaries start putting out warfighting material that looks like our stuff and has similar capabilities. So that’s just kind of setting the tone. Moving into the next slide, let’s talk a little bit about how we got here.

CMMC, or at least CUI: the concept of CUI has been around for well over a decade now. The program was established in 2010, and DFARS has really been around for almost a decade itself. It was established first in 2013, went into effect in 2017, and I think we all know how that went. In July of 2019, the Inspector General basically came out with a report that said we are failing miserably in our ability to implement NIST 800-171.

We’re still hemorrhaging information, and as a result, this is how we got CMMC 1.0, which was established in January of 2020. There was a cycle. It got revised; 2.0 was notionally announced in November of 2021, and now here we are finally at the end of the rulemaking process, or at least at an important milestone of it, where CFR 32 has been proposed.

So, next slide. To understand the rule and understand everything about it, we first need to kind of just talk for a minute about contractor rulemaking. When we look at the Code of Federal Regulations, which kind of sets everything up from a governing contractor relationship standpoint, Title 32 is designed to provide the permanent regulations that are established by agencies in executive departments.

So what that means is this rule, the Title 32 rule, covers the operation and the administration of the CMMC program. This is different than the Title 48 rule, which we’re expecting next month. That actually puts CMMC in contracts. Title 48 is where the FAR and DFARS live. It’s where the various clauses that we’re all going to reference and talk about when we start getting into implementation live.

And again, as I mentioned, that’s due out next month, and that’s going to really kind of be the bookend to the 32 rule that we’re going to talk about today. So next up. Title 32 is here, and, you know, just to kind of set the tone, it is designed to protect CUI on contractor networks. There are three levels of it, as we click through on this slide itself.

Level one is about protecting Federal Contract Information. Level two is about protecting CUI, and then level three is about defending against Advanced Persistent Threats. And we’ll talk about what that means in a second as well. So every DOD contractor, which ranges, you know, I’ve heard 220,000 all the way up to 300,000-plus, every DOD contractor will face some form of CMMC requirements as a condition of contract award, whether you are a prime or whether you are a subcontractor somewhere down the supply chain.

So next up. As we look around the three levels of CMMC, we’re going to use this table to kind of set the tone. We’re going to walk through every component of it and then we’ll come back to it as well. You can see going horizontally, there is a level one, there are two types of level two, there’s a self-certification and there’s going to be a third party, and then there’s level three, which is really the new requirement within CMMC that is kind of new for contractors themselves.

At each stage, there’s a different type of data protection, a contractual reference, a technical reference, and then the type of assessment. And now we’ll walk through these all individually. I guess the first thing we should really talk about is what the data is that we’re protecting. There’s Federal Contract Information, which is information that is not intended for public release.

It’s either provided or generated by the government to either develop or deliver a product or service to the government. This is effectively data that is in the contract itself. CUI has a much wider range of possible information. It can be classified as CUI, but it’s kind of notionally defined as information the government creates or possesses, or that an entity creates or possesses on behalf of the government, that some form of law or regulation or policy permits that government agency to put dissemination controls on.

It does not include classified information. So as we look at the graphic in the next slide, we can see that we have public information, and CUI and FCI are separate, not intended for public release. And there are different, you know, up until today there are different measuring sticks on it. There’s FAR clause 52.204-21, which we’ll talk about for a while.

There’s also NIST 800-171 as well. So next up, let’s define the levels of CMMC. Level one is all about protecting that Federal Contract Information, that first layer. That information is in the contract itself. Now, contractors are already required to implement the requirements of FAR 52.204-21, which is essentially what level one is. The new requirement here is that contractors are going to be required to verify through a self-assessment, and they’re going to have to report the results of that assessment in the SPRS system, and a high-ranking official of that contractor will need to do that attestation. With level two, we’re protecting CUI data. Now, contractors are already required to protect CUI data through DFARS 252.204-7012. What’s new here is CMMC adds in either a self-assessment or a third-party assessment based on the contract type. Now, don’t get excited about the self-assessment. They’re projecting it to be somewhere around 5 to 8% of total contracts that are going to need level two.

So chances are, if you’re going to deal with CUI, there’s a 90-plus percent chance you’re going to have a contract that is going to require that third-party assessment. Now, there is an allowable POA&M, or Plan of Action and Milestones. We’ll talk about that in a couple of slides; there are certain times where you may have some leeway and a little bit of a grace period in order to get things done post-assessment.

Level three is a completely new requirement. It’s about defending against what’s called advanced persistent threats. These are things that nation-state actors can perform, where they have more sophisticated, more robust capabilities and can be more persistent in the way they attack your environment. There are 24 controls that come out of NIST 800-172 that are part of this level three.

It is a completely new requirement. Level two is required; it’s a prerequisite. And that assessment will actually be performed by the DOD. Now, I talked a little bit about DFARS and FAR; let’s go into that for a second. DFARS itself is a clause that’s been around since 2017, and it’s slightly different than 7010.

7010 is about protecting data that is on a government system or operated on behalf of the government. 7012 is intended for contractor systems that are not operated on behalf of the government. It requires contractors to provide adequate security for all covered contractor information systems that store, process, or transit CUI data. It mandates the implementation of NIST 800-171, and it requires cloud service providers to be FedRAMP Moderate or equivalent.

Additionally, there are what are called clauses (c) through (g) in 7012, which specify certain cyber incident reporting as well as related requirements around capturing and understanding what data was taken or possibly compromised. The FAR requirement, 52.204-21, includes 15 basic security requirements that can be mapped to NIST 800-171, but it’s just a subset of it.

But it does also apply to all federal contractors. Next slide. So, I talked a little bit about the NIST references already. 800-171 Rev 2 is a document provided by NIST that is essentially a tailored version of 800-53. So if you are a federal agency or you are operating a system on behalf of the government, NIST 800-53, which has 500-some-odd controls, is the reference document you use from a cybersecurity standpoint.

NIST 800-171 was designed to be a tailored version of it, and it was built to be basically filtered and tailored so that it applied directly to private industry and not necessarily government agencies. And those 110 controls are kind of the standard for what we measure against. It includes everything from background checks to cyber training to how you manage the access to your environment, how you manage devices, patch management, incident response, monitoring.

All of those things are captured within 171. Now, the interesting thing here is 171 Rev 2 is hard-coded into the rule. What that means is there’s no language around the latest version of 171, or the most updated, or updated minus one. It’s hard-coded. It is Rev 2 within the rule. And for those that follow this kind of stuff along, we know that NIST is working towards Rev 3 right now.

That may be done as early as this calendar year. So one of the things that’s kind of an open question right now is how the DOD is going to reconcile this potential conflict of two standards of 171 being out in the marketplace. It’s also important to talk a little bit about 171A. So, we have 110 controls in 171. 171A is actually the assessment guide.

It is the test; it’s literally the questions on the test. There will be 320 assessment objectives when you go for an assessment that are all mapped to the 110. And while it sounds like three times as many, or not a good number, it’s actually really healthy for you, because 110 talks about things that need to be done. The 320 assessment objectives in 171A are actually more prescriptive, and they generally run as a 3-to-1 ratio.

Have you documented what you’re going to do? Are you going to do it? Can you manage or monitor/approve what you’re doing? And that’s a very, very big oversimplification of it. But that’s kind of why we have three times the number of assessment objectives as we do controls. With respect to NIST 800-172, that’s kind of 171-plus; it’s for enhanced security requirements for CUI, and it applies to systems that store, process, or transit CUI associated with a critical program or high-value asset.

This tends to be kind of the more sensitive military technologies, things like that which don’t quite make classified, but are a little more sensitive and a little more valuable. It is targeted, as I mentioned earlier, to advanced persistent threats, and level three is based on 24 of the requirements within 800-172. So it’s not the full document; it’s only a subset of that.

Okay, next. So, talking a little bit about assessments: there are a couple of different types of assessments within the rule. Self-assessments apply to level one and a very small portion of the level two CMMC criteria. They are performed annually, and they need to be affirmed by a senior official of the contractor themselves. And yes, that’s writing your name down, personally attesting to it as an official for the contractor.

There is a perception out there, at least, that that does present risk. If you are not being truthful, you may have some False Claims liability down the road with it. Scores are entered into the SPRS system, and they are required for contractor work. Certification assessments, on the other hand, are done by a third party. They’re performed every three years by a certified third-party authorizing agent that is accredited by the Cyber AB for level two, and it’s performed directly by the DOD for level three.

These results are entered into a system called eMASS, which auto-populates the SPRS system, and they must be supplemented by annual self-assessments. And again, all of these need to be affirmed by a senior official of the contractor themselves. Now, it is possible to go through an assessment and not necessarily have a final assessment and a final grade or final certification.

There are situations where you may have a conditional approval, and what that requires is, as you go through the assessment, you get a minimum score threshold on the assessment itself, and any and all requirements with a point value greater than one are satisfied. So when you look at the controls, there is a point ranking system; some have a 1, 3, or 5 to them, and anything greater than a one has to be satisfied.

But if there’s some stuff that you still need to clean up, they will allow for a conditional assessment and a POA&M. That plan of action and milestones will only be on those selected requirements; it’s about 105 of the 320 that are eligible for it, and it must be closed out within 180 days. Now, there’s also a little bit of commentary around major changes within the rule itself.

It’s in the public comment response section, but it talks about the fact that assessments are for a defined scope. You have a certain number of systems, you define a box, you say, this is how I’m going to build a box around my compliance area, how I’m going to protect it and manage the compliance.

But if that changes due to some sort of modification or expansion, let’s say, for example, you buy a company or there’s a merger and now all of a sudden you’ve got twice the footprint, or maybe an on-prem data center that you didn’t have before, that could very well trigger the need for a new assessment and restart that three-year clock.

Okay. So let’s come back to the table here just to kind of wrap up the conversation around it and the definitions that we’ve talked about for each one of those. Now, you can kind of start to see how this all makes sense: level one protecting FCI, the FAR reference, with a self-assessment; level two with the self-assessment being CUI, still 7012, still 171, but a self-assessment is a very small percentage of the contracts; and then most of them are going to go through that third party, everything being the same, but the C3PAO is going to be the one who conducts the assessment. Level three, which is going to be a very small percentage of contracts as well, I think it’s in that 5 to 10% range, will also be protecting CUI, but stuff that is for more sensitive or high-value programs, and that will be performed by the DOD itself.

So let’s shift gears a little bit now. Let’s talk a little bit about the implementation that was discussed within the proposed rule, a little bit about timelines and a little bit about cost. And the first point that we want to talk about is how does CMMC actually get into a contract? Well, we have the Title 32 rule; CFR 48, which is the one that we’re expecting next month, is the one that’s going to actually put it in contracts.

It’s going to, more than likely, we expect it to be a revision of 7018. It may have some commentary on 7012 or 7020 or 7021, but certainly 7018 is where CMMC 1.0 was, so we expect that to be there, or, my apologies, 7021 is where it was originally. That could come out as an interim final rule or a proposed final rule.

The difference being how quickly it rolls into contracts. There’s a lot of commentary, a lot of rumor, a lot of guessing, a lot of speculation on that. We won’t know for a couple of weeks now until it comes out, but it will start to set the clock really officially in terms of when we expect to see CMMC in the contracts themselves.

We’re presuming, there’s a presumed alignment, that CFR 32 and 48 will have some alignment between their timing and approvals as they go through the process. But there is a fair amount of ambiguity now as to when we are going to see it in contracts. We know for certain it’s coming soon, probably, and you’ll see in the next slide with the timeline.

But this is one of a couple of spots where that other webinar I talked about, the “CMMC is Live” webinar, really has some great discussion around that, and I’d really refer you to that. One point that I would talk about, though, if you’re trying to understand and trying to guess when you would need CMMC: one place to look is your renewals.

If you have a contract, this may be a three-year contract with two option years for a renewal, start planning those out, mapping those out, and then when the timelines become more clear, you can overlay that with where those option years or renewals or recaps come into play and start to kind of understand when you’re more than likely going to see it, at least in your existing contracts.

Obviously, for a new solicitation, that’s going to come out when the solicitation itself comes out. So, this is a sample timeline and the expected timeline within the rule itself. They talk about a four-phase implementation, the first phase layering in self-assessments into applicable contracts. And based on kind of what we’re looking at, the expectation is there would be phase one, then phase two would bring in the certification, you know, the third-party assessments, into new solicitations.

And then when we get to phase three, it’ll start layering that in for option years and renewals and additions and new solicitations. We’ll start doing the assessments for level three as well. And then by the time we get to phase four, it’ll be full implementation of CMMC in all contracts. Now, one of the only dates that’s in the proposed rule is the October ’26 date.

So if you kind of back up a one-year expectation to the expected timeline from October ’26 for phase two, and an additional six months for phase one, now we’re talking about CMMC as early as March 2025 in terms of when, at least, CFR 32 envisions it coming out. CFR 48 may change that timeline; it may actually accelerate it in some scenarios.

So as you start to look through it and you recognize that my CMMC journey will more than likely be a nine-plus, likely a 12-month-or-more process, we’re already bumping up on the edge where you need to get started in order to be ready for phase one. Next slide. Great. I just want to talk a little bit about numbers.

There were some interesting numbers in the rule itself. Over 1.3 million contracts and orders are issued per year that include DFARS 7012, which gives you a pretty good indication of how many contracts and orders are probably going to have CMMC level two language. DFARS 7012 and CMMC level two are fairly close together. There are over 30,000 unique awardees, meaning prime contractors, and then that propagates out throughout the entire supply chain.

And the concentration of small businesses is also really relevant here. 680,000 of the 1.3 million, roughly half of those awards, are to small entities. Of those 31,000 awardees, 23,000 are also small businesses. Roughly two thirds are small businesses. Small businesses clearly drive the DOD and are going to have the biggest impact in terms of how CMMC is going to impact them.

The CMMC rule also put out a phased-in period, table six within the rule, to talk about the number of companies that are expected to require a certificate, whether it be self or third party or even a level three, across a seven-year timeline. Now, a seven-year timeline is actually a little bit misleading, because by the end of year four they’re fully expecting the industry to be fully implemented.

And then we kind of hit a plateau where the number of companies coming into that ecosystem is assumed to be effectively net zero. So that seven-year window is really a four-year window. And if you start looking at the other phases from the timeline, those things start to compress quickly. You’re going to see CMMC in contracts much faster than you probably realize,

if you’ve just been reading some of the highlights or top headlines around CMMC. There was a whole section, a lot of information, more than I’m going to be able to cover today, about the cost analysis itself, and this was really in response to the fact that there were a lot of comments that said that the cost estimates at CMMC 1.0 were just frankly too low.

So what the DOD did is they took great pains to make some accommodations for that, to readjust the numbers that they used and in particular add some additional accommodations. That includes the allowance of costs for IT services, an increased amount of time to prepare for an assessment, an allowance for consulting firms that assist with that process to prepare and actually sit for an assessment,

and then, finally, updated labor rates. All of that meant that they reassessed and reset their numbers from a cost estimate standpoint of what it would actually cost for level one, two, and three assessment cycles. Now, within the cost assumptions and the categories themselves, there were four categories. There was non-recurring engineering cost, which is basically hardware, software, engineering, the upfront things you need to do to deploy CMMC; there’s the recurring engineering cost, the annual fees, the annual labor, the technology refreshes that go along the way;

and then there’s the cost of the assessment itself, the labor to prepare and participate in an assessment as well as the C3PAO cost. And then finally the affirmations, the administrative cost of submission in terms of the whole process. Now, when we apply these categories to the levels, levels one and two only consider the cost of the assessment and the affirmations. Those non-recurring and recurring engineering costs are already assumed to be baked into your model.

DFARS has been around since 2017. You’ve had six years to implement everything; that should be a sunk cost at this point and already considered. They’re only looking at what they perceive to be the new or incremental cost for CMMC. That includes the assessment as well as the affirmations. Level three, on the other hand, is a new requirement. So not only are the assessment and the affirmation costs included there, but also the non-recurring and recurring engineering costs are considered within that analysis as well.

All right, next up. So, what I thought was actually the most interesting piece: everything up until really probably the timelines was all stuff that was really well known and established. There weren’t really any surprises within that, but within that content, the timelines and the cost got to be some information that was somewhat new and somewhat interesting. But what was really interesting to me was in this Appendix A to Part 170 that was a response to CMMC 1.0 comments.

And as you look at the next slide, what they did is they actually went through all 750 comments. Your comments do get read. They are read, they are responded to, and they came back and they said, here’s an opportunity that we can provide clarity in certain areas, address certain concerns, certain questions around the CMMC rule itself, and then also be used to kind of provide guidance in certain areas and, in a couple of cases, probably get out ahead of the anticipated pushback that they may expect from industry in certain segments of the market itself.

So what we’re going to do now is walk through a bunch of those, kind of talk through what each one of those means, provide a little bit of a translation of the language, and then kind of go from there. So the first step is Internet service providers. Every once in a while we get folks who get really into this whole idea of the compliance scope and ask the question of, is my ISP, is my telecom, are they part of my compliance scope?

How do I factor that in? The short answer is you don’t have to. Internet service providers or telco folks, unless they themselves are a defense contractor and potentially have defense contracts, don’t need to be part of your compliance scope. So the translation here is, as long as you are encrypting that CUI in transit, which you should be doing, you should be fine.

You don’t have to consider your ISP or your telco provider to be part of your scope. Next up, next slide please. Joint ventures. Another question we get pretty commonly teaming agreements. A lot of times a lead to a joint venture and the question comes up does my JV need to be CMMC compliant? How do I navigate that? Basically, what DOD has said is that is your if your joint venture has FCI or CUI in its information systems, then you will need to comply with CMMC.

However, if you can set your JV where you don’t put FCI or CUI information in that in that JV’s environment, then you can avoid that CMMC requirement. Next up. This is another one, it’s really interesting and Internet of Things as well as operational technology. What the DOD has said here is that IoT and OT systems located within either a level one or level two assessment scope are not assessed.

They get a pass. However, they do need to be documented within the SSP. Now if you’re doing a level two assessment and you and you’re doing it as a precursor to level three, then you do need to put those IoT and OT assets within the scope itself. And for level three, a company’s IoT or OT assets that are within scope are actually assessed within CMMC requirements.

So as long as you’re not going through level three, you can exempt your IoT and OT systems, but you need to document them. You do include them in your SSP, but they don’t need to be assessed. Next up. Great. Another question we get fairly regularly is about government-furnished equipment. For whatever reason, a contractor will be performing a contract that will be using GFE and, for some reason, there won’t be the ability to configure that equipment to NIST 800-171 Rev 2. Within that situation, it’s GFE; it does not need to comply with Rev 2, but additional protections such as physical or logical isolation may be used for risk mitigation in accordance with those Specialized Assets. Next up. Fundamental research. Another one we get a lot of times: an organization will get a grant and be doing some fundamental research. It may not apply to specific performance, but it’s really, truly research related.

As long as that research is basic and applied research in science and engineering, the results of which are ordinarily published and shared broadly within the scientific community, then that does not need to be part of the CUI scope. However, even if your fundamental research is shared broadly, other research-related information that is provided or handled through the contractors as part of the contract may be FCI or CUI, and it may trigger the application of CMMC requirements.

So if part of your raw data or part of the information that you are looking at in terms of performing your research, if that data is FCI or CUI, it can then trigger that requirement itself. Also, if the DOD determines the information handled by a contractor... Let’s go back one, Karen. I wasn’t quite done. If the information handled by the contractor is or will become FCI or CUI, then that information would be required to be processed or stored or transmitted on an information system that is compliant with CMMC.

So if you’re doing research on, say, applied metal technology or sensitive radar coatings, it’s still fundamental research, but it has a very specific military application; that would be CUI, and you should treat it as CUI as early on in the process as possible. Next up. Okay, foreign companies. Foreign companies are required to comply with all terms and conditions of their contract.

That includes the terms and conditions related to cybersecurity protection and assessments. And this basically means whether you’re a prime or a subcontractor, if you are a foreign company, you will be expected to still comply with CMMC regardless of your country of origin. Next step: JSVAs being grandfathered. So within the commentary they also talk about the NIST 800-171 Rev 2 assessments that are being done today, known as the Joint Surveillance Voluntary Assessments.

The DOD very much intends to allow qualified standards acceptance of high confidence assessments using that 800-171 Rev 2 bar. They’re going to allow that in. However, the program requirements proposed in this rule will be implemented in the DFARS as needed, which may result in a change to current DOD solicitations and provisions. So basically they fully intend to honor the JSVAs, but they’re leaving a little wiggle room as they put out Rule 48 to be able to kind of customize that and be more specific and prescriptive about it.

Next up. Okay, one more comment. You know, we get so focused on 32 CFR, but there was a bunch of additional content that was released. It really doesn’t get much attention at this point. There is a scoping and assessment guide for levels one and two, as well as a scoping guide for level three.

There is also a hashing guide for CMMC. We’re still digging through it; there is a lot of information in there, but generally it is consistent with what was accidentally released back in August. There weren’t a ton of changes in there. There’s a great webinar on our site that talks about that accidental release, and in general most of that information is in alignment with what was released back in August.

So, next up, great. So I’m going to transition over to next steps. The first and most important one: read the rule. It’s 200 and some pages, which sounds like a lot. It’s actually not as bad a read as that sounds, despite it being a government rule and it being 200 pages. There’s some good information in there, a lot of which will be highlighted and covered in here.

If you have intentions of commenting on the rule itself, we are in a public comment period. Those comments are due between now and February 26. The ask, the plea, the begging is, you know, don’t just put a comment in to complain. Don’t put a comment in and say this is stupid; be constructive, recommend solutions. There’s a lot of areas in this rule where there’s still a lot of ambiguity.

Offer options, offer recommendations. Hey, this would work better if we did X or Y or Z. That would be much more constructive to the process. There are things that are going to need to get adjusted as this gets through to the finalized component. Be part of the solution. And then the last piece is get started. If you’ve not started CMMC, you need to understand this is more than likely a 12-month process for you.

Even with our expedited deployments, we can get folks up and running and operational, but to get them assessment-ready, it’s going to be a 12-month cycle, and that assumes that you’re invested and participating fully in that process itself. So it’s really important that if you haven’t done anything, get moving, start putting a plan in place, start putting a strategy in place.

We can certainly help you with that as well. Karen, I think that’s the last real slide. I think our next one gets into… just re-hitting the resources again. That Learn CMMC live webinar again takes this conversation to the next step and allows a much more robust conversation about what some of the aspects of the rule mean to individual contractors.

Also a lot of coverage in some areas that weren’t particularly clear in the rule. So I highly recommend you go look at that. And then of course we’ve got our upcoming webinars. Our approach to solving the CMMC challenge is the Steel Root Compliance Program; that’s going to be next week. It’s certainly a chance to register for that, and then look for the content that’s coming on right behind that.

Our webinar around the comments that we’re submitting, as well as the scoping and the cost of CMMC, that we’ll see over the next 30 to 60 days or so. All right.

Karen:

Great. Thanks, Bill. We do have a handful of questions and we do have a few minutes to go over those. Just real quick, a reminder: I did get a couple of questions from folks about whether the presentation will be made available after we conclude.

And yep, it will be. We’ll be sending out the recording as soon as it’s ready to go. Look for that in your email boxes. I would say if not later this afternoon, then first thing tomorrow morning. So you will have that in hand. Okay. So, Bill, we’ve got a couple of questions that came in during your discussion.

First, this is a good one, something that you didn’t cover. Are there any physical security requirements that CMMC lays out? And if so, what are those requirements? I suspect you will not be able to name all of them, but maybe talk a little bit about the physical security requirements as well.

Bill:

So there is an entire family within NIST 800-171 that is about physical security. That is where the physical security requirements are. What they are going to be looking for, in a very broad sense, is the fact that the area where physical CUI may be present, you have the ability to lock it down and protect it. And within a couple of assessments I’ve seen, they’ve looked for evidence that you have video monitoring, you have guest logs, you have the ability to secure the space itself, and you can prove all of those. So if there were a physical breach of your facility, you have the ability to determine what happened and what was captured.

Karen:

Great. Okay. Thank you. Next question: How does CMMC affect CSPs that are hosting CUI data? Do they need to be CMMC level two?

Bill:

Yeah, so that is one of the areas where there’s definitely a little bit of conversation still going on. If you are absolutely a CSP and meet the definition of a CSP, NIST 800-171 requires you to be FedRAMP Moderate or the equivalent of FedRAMP Moderate. And that is in itself a little bit of a murky discussion point. DOD came out with a memo around FedRAMP equivalency, which I’m probably not smart enough to talk about at this point, but it is very much a conversation; it’s one of those areas where there’s still a little bit of confusion.

You know, the safest bet is always to get someone who’s already FedRAMP approved in terms of your vendors and your CSP standpoint. But there still is some sorting through to do on exactly what FedRAMP Moderate equivalent means in the context of DFARS 7012, which is what’s referenced in the CMMC program.

Karen:

Okay, great. Okay, thank you. This one is on the four phases that you had mentioned for CMMC, and one of our viewers would like to hear your perspective on enforcement as it relates to the four phases: those four phases for vendors, both existing and new, to have their CMMC certification by a specific date. I think you mentioned it a little bit back on that slide, and let me know if you need me to rewind, but maybe your perspective on enforcement on vendors.

Bill:

So, we’re still not really sure. They’ve outlined a timeline where they would like to see CMMC show up in contracts, with self-assessments and then on new solicitations and then on option years and renewals, and they’re clearly signaling: here’s a timeframe, here’s when you should be ready. If you read through the rule, there’s a lot of ways to kind of, I won’t say work the system, but make sure that you’re not sacrificing an award for the fact that the ecosystem is not ready to go through it.

But that still needs to be kind of sorted out. There is going to be a lot of work in that space in terms of how do we get to a point where maybe an award is done, right, with a conditional assessment giving a contractor that 180-day window to get their act together. But this is moving along; there will be companies that probably, you know, at some point are going to have really hard conversations with them, conversations that are really hard, to say:

You’ve had plenty of time to go do this. You’ve had two or three years to go do it. You should be ready to do it. It all depends on when it starts kicking in, the timelines, and how much flexibility the DOD gives program managers to adjust their rules and the requirements as things roll out. There’s a lot left to be figured out here, and that doesn’t even start to address the other half of the conversation, which is how can the ecosystem come up to speed fast enough to get everyone assessed in time for these contractual rollouts?

That’s really the big challenge: that bottleneck of getting through the assessment, getting the ecosystem up and operational at the rate and speed that it needs to have everyone ready.

Karen:

Great. This is a little bit of a follow-up, just as it relates to another timing question. What about NIST 800-171 Rev 3? When do you think vendors need to include that within how they’re addressing CMMC?

Bill:

So it’s going to be interesting as we go through this process. I’ll back up a second on that. Within Title 32, there’s where we are right now, which is the draft with public comments. They’re going to adjudicate that; there’ll be a final revision. That then is another round of public comments and adjudication before it’s finalized. That’s typically the timeline, and I expect it to follow it.

There will need to be some accommodation for Rev 3 somewhere in all of this, but we’re not really sure what that answer is going to be. The challenge, and what we’re concerned about as an industry, is a contractor may have, let’s say, a civilian contract with the Department of State or EPA or someone like that, that asks for Rev 3, and a DOD contract that still works to Rev 2.

Now, at the end of the day, it’s still the same goal. It’s the same challenge. But there is enough difference between Rev 2 and Rev 3 to make administering both of those at the same time a pretty significant challenge. It is an open question how the DOD is going to address that and then how the ecosystem is going to ripple through with that as well.

Because remember, once Rev 3 goes into effect, you’ve got to update your assessment guide, your scoping guides, you’ve got to retrain your assessors to be ready for it, to be able to test Rev 3 versus Rev 2. There’s a lot that goes into the implementation of that, and the DOD, my guess is, is still trying to figure out how to make that work.

Karen:

Okay. Thanks. This is a resource question here. Have you come across any resources to define what internally created data will be considered part of CUI that needs to be protected under 7012?

Bill:

There is always a robust conversation around what is CUI, who gets to mark CUI, when does it get marked CUI. I’ll respectfully say that’s out of my pay grade.

There are folks that spend a lot of energy on that question, spend a lot of time working with both contractors and the contracting officers to help define and navigate what is and what isn’t CUI. If you catch us offline, we can probably refer you to a couple of those folks that specialize in that space, but it is an incredibly challenging question.

And it’s probably not one that I feel comfortable answering, because I don’t know if we have a real answer, at least not a consensus from an industry standpoint.

Karen:

Yeah, yeah, that makes sense. This is perhaps another question related to resources. Have you come across a level one assessment tool that can be used by small businesses? I’ve seen a couple out in the marketplace.

Bill:

I got to be honest with you. Level one, it’s really, really simplistic. There’s 15 things you need to do, and literally only five or six of those 15 are IT-related. It starts with locking your building. Physical security is one of them: put locks on your building, put cameras up, put a guest log in there.

I think you’ve just covered three of the 15 right there, and the IT-related ones are really simplistic. Every system needs to have an individual password. There’s a monitoring requirement; it’s a little bit ambiguous in the way that it’s talked about. Other than that, level one is very, very simplistic in terms of what you’re required to do to get there.

They should be things that you’re already doing. In the space of crawl, walk and run, this is like rolling over on your belly. It’s very basic from a requirement standpoint.

Karen:

Okay, great. I think we’ve got time for a couple more here. First one: is there any new information on certification requirements for COTS products?

Bill:

So COTS products would more than likely... You know, it’s interesting. It’s a good point. I have not heard that talked about since the rule dropped. There has generally been an exception from this around COTS material, and I need to go back and take that offline and see if that’s still there. So if you’re buying something off the shelf and it’s not CDI, it’s not export controlled, it’s not, you know, some of the other things that could trigger it, does that qualify as CUI?

And I think, you know, taking an extreme example, if you’re buying, you know, buying soda for the base, the contract might be FCI, but it’s not going to be CUI; it’s off the shelf. I realize that’s a pretty bad example, but I’m trying to come up with something quick.

Karen:

No, no, that makes sense. And we can dive into that a little bit deeper and answer it a little bit more robustly offline if we want.

Okay. Last question. This is a good one, too, I think. Can prime contract owners define the certification levels for their subs outside of the DOD requirements? Do primes have any ability to dictate what the requirements are for their subs?

Bill:

So the best tool that a prime has in order to dictate what their flow-down requirements are is with the data that they share with them.

If you are only sharing FCI data, then there’s a reasonable expectation that you would only require a level one requirement from that contractor. If you are sharing CUI data, then you are in effect flowing down that CUI requirement to that subcontractor. So that’s the biggest tool that a prime has to be able to kind of manage who gets to see what type of information, and therefore what level those folks are going to need to attach to.

Karen:

Okay, great. Well, I think that’s about all of the time that we have for questions. Anything that we did not get to, we will make sure that we compile and answer offline. I have your names; they came in as part of the questions, and we’ll be able to get back in touch with you. Just another reminder: next week, February 28th, we’ll be hosting a follow-on webinar to this, and that will be discussing our Steel Root compliance program.

That’s our prescriptive solution for CMMC compliance, and they will be hosting that one as well. When I send out my follow-up email, that will include the link to this presentation. I will also include a link to register for that one as well. So you’ll have both of those items right in your inbox. As I said before, if not today, then first thing tomorrow morning.

Bill, any last thoughts before we wrap? 

Bill:

I just want to again thank everyone for spending the hour with us and listening in on CMMC, for being interested in the program itself. I certainly encourage you, if you’ve not, to get started. You know, start building that strategy, start building that plan to work your way through compliance; it takes time to get there.

This is not a quick fix, and there are some folks out there that might suggest that it is; it is not a quick fix. So you’re going to have to put some energy and time into it. It’s kind of getting late early, so once again, I thank everyone for joining us today.

Karen:

Great. Thank you, Bill. And thank you, everyone, for joining us. Hopefully, we’ll see some of you next week. Have a great afternoon. Bye bye.