Quick Take: Aug 10, 2023 CMMC Update (aka “The Accidental Drop”)
Hear from C3's Director of Compliance Services Scott Whitehouse and CRO Bill Wootton as they chat about what we can learn from last week's accidental drop of CMMC materials.
Transcript
Bill Wootton: Hi, everyone. My name is Bill Wootton, and I’m the Chief Revenue Officer here at C3 Integrated Solutions. And with me today is Scott Whitehouse, our Director of Compliance Services. Today, we’re going to talk a little bit about some documents that were released by the OMB last week, or well, at least, briefly released by the OMB last week, that really contains some new information around CMMC and how the whole program is going to be administered. We’re going to give a little bit of feedback and a little bit of a rapid response to what we saw and get some information over to you. So with that, Scott, thank you for taking a few minutes to join me and tell me what happened last week.
Scott Whitehouse: So last week we had what might be the first false start of the football season, where the DOD or OMB temporarily released their scoping guides for Levels 1, 2, and 3, their assessment guides for Levels 1, 2, and 3, as well as their hashing guides. They were up for about 24 hours given that little false start—five yard penalty—and now they’re back down.
Bill Wootton: Yeah, it looks like someone’s getting flagged for that. So tell me, why was this unexpected?
Scott Whitehouse: Conventional wisdom says that when the documents are posted to the public, they’re going to come up as a PDF. They’re going to be available, well, relatively indefinitely. And they’re going to align with public comment, meaning that folks can download it, review it, and then provide comments back.
These documents came as Word documents. There may or may not have been some typos included in them. And they were only up for about 24 hours and public comment hasn’t started.
Bill Wootton: Wow.
Scott Whitehouse: Additionally, there’s a ton of references in there to CFR rules that are not available in ECFR. So it just doesn’t make sense.
Bill Wootton: So obviously a premature draft that was released. But I think there was still some great information, some great insights on at least where things are going from a programmatic standpoint. Let’s talk about that Level 2 assessment guide. Tell me a little bit about what’s changed in there from the previous version we had access to.
Scott Whitehouse: They’ve been busy. In total, there are about 10,000 modifications to the document now. 3,700-ish of these are formatting changes, so we’ll kind of set those to the side; that’s using our tab button and bullets and that kind of fun stuff. Taking that away, there’s about 6,300 modifications. Now, most of these are clerical, so let’s not get excited and say that they pulled controls out; that’s not the case. The meat and potatoes of the documents are remaining the same. It’s clerical changes. It’s terminology shifts. It’s things like that. It’s references to CFR codes that didn’t previously exist.
Bill Wootton: So this is really more of an evolution of the overall content taking things a little better, probably responding to some of the comments, but really not going to change in any way the burden positively or negatively on what a contractor is going to need to do to pass an assessment.
Scott Whitehouse: Yeah, that’s exactly it. If you’re planning on implementing NIST 800-171 in preparation for Level 2, if that was your goal and you’re working on it yesterday, continue working on it today and continue working on it tomorrow. Those requirements don’t appear to be changing.
Bill Wootton: Sounds great. Awesome. There’s a little bit of information around the way and how the DOD is sizing the Defense Industrial Base.
Can you talk a little bit about that?
Scott Whitehouse: I found this kind of interesting. When you look over the last couple of years of CMMC, the projections of the DIB have varied widely. I’ve seen projections as high as 700,000 organizations in the DIB, and it just seemed to be all over the place.
So it was nice to see, cut and dry, here’s their official stance on where they think the DIB is. They’re looking at 139,000 organizations that they think will need to be Level 1. Of those, 103,000, or roughly 74%, are in that small business category.
They have roughly 80,000 Level 2 organizations, of which 70% are small businesses. And that Level 3 is only intended for about 1,500 organizations, with about 86% of that being small businesses, so about 1,300 small businesses.
Bill Wootton: So it’s impressive when you hear those numbers there, like everyone, when you talk about the defense industrial base, there’s always the name brand companies, the ones everyone recognizes.
But clearly, when you look at the industry as a whole, the overwhelmingly large percentage of companies that are going to need to meet this requirement are small businesses.
One of the interesting things was that there’s a reference to OSAs as well as OSCs in this content: Tell me a little bit about that.
Scott Whitehouse: They changed some of the verbiage. So when we talk about these 6,300 changes, this is one of them. So previously we’ve heard about OSCs quite a bit. They’ve added in OSAs. So these are organizations seeking assessment. Assessment being a self-guided procedure, meaning it’s not a certified third party assessor.
It’s not an external partner or external party. This is the organization themselves doing their own evaluation of the related controls. And then they continue to carry that OSC, because that will be the bulk of your Level 2 folks.
They took about 5% of the overall Level 2 organizations, or 4,000 organizations, and said they can do a self-assessment. Now they’ve got references into who and what will constitute the ability to do a self-assessment, but of course those references weren’t released last week.
So if you think you’re going to be Level 2, don’t, I wouldn’t get your hopes up on being a self-assessed organization.
Bill Wootton: It’s like you get about a 5% chance to be in there. So you’re right. Everything around CMMC is kind of built around NIST 800-171. We know we’ve got kind of Rev 3 hanging out there as well as Rev 2. Does the content speak at all about whether we go with Rev 2 or Rev 3?
Scott Whitehouse: So let’s all take a big collective sigh of relief. They specifically call out 171 Rev 2 throughout Level 2. Someone over there was at least tangentially aware that 171 Rev 3 was released through a public draft and is targeting Q1 of ’24 for release, and gave us all a little bit of breathing room and said, we’re specifically calling out 171 Rev 2, which is going to be great for all of us.
Bill Wootton: Absolutely. I don’t want to get too many things going on at one time. Hopefully locking it in doesn’t create a problem later on when we really do need to move to Rev 3. So this is also the first time we’ve ever seen anything about Level 3. It’s always been kind of more of a promise, but it’s been over the horizon somewhat.
What are your thoughts on the information that was involved in this around Level 3?
Scott Whitehouse: Finally, once again, we get a little bit more clarity. We’ve heard suggestions that Level 3 may be anything from 853, or perhaps a new tailored version of 853, perhaps the Delta 20 that came out of CMMC 1.0. Good news is they’ve finalized it. It will be 800-172. However, you have to have already had a third-party assessment against 800-171. So it really is an additional requirement. And for those organizations that think they may fall under that 171 or Level 2 requirement, still keep tracking for that. What they did not do is give us clarity in these particular documents on what the scope is.
There’s references to codes in CFR, but they’re not published yet, so we don’t really know exactly what they’re calling out.
One thing I need to note with Level 3: that’s a DoD assessment, so you’re not going back to your same assessor that did your Level 2 assessment. You’re going through DIBCAC in order to get assessed for Level 3.
Bill Wootton: That’s absolutely a great point to remember. And of course these documents are, well, they were published, they were pulled back. So they’re still somewhat tentative. You know, this, I guess, reflects the current state of thinking, what’s going on, but when they finally get officially released, who knows what will shift or change, though?
So what’s next, other than someone’s in trouble for posting these things? What else is going to happen?
Scott Whitehouse: I would imagine there’s a couple bottles of Advil floating around DOD and OMB this week. It’s a great question. There’s been radio silence on their end. There’s been no confirmation or guidance on the authenticity while they were posted to dot.gov websites.
Nobody’s come back and said, yeah, they’re pretty accurate, or, this is still a work in progress. It’s been completely radio silent, so, if you have a copy of it, read it. It’s a great little piece of information. I’m personally reading through ’em with a fine toothed comb, but also take it with a grain of salt because these are not finalized.
They are tagged as drafts. And so I would assess and assume that some things will probably modify between now and when they go public.
Bill Wootton: Yeah, it’s great insight into at least the way they think, and hopefully the way they’re thinking and where things are going, and that’s probably a couple of bottles of Mylanta in addition to the Advil going around the office there. That’s it for us. Stay tuned to the C3 Integrated Solutions website, c3isit.com, as well as our various social media channels for any additional updates. And as we dig a little deeper into here, I’m sure we’ll have a little more content and a little more analysis coming out soon. So thank you, everyone. See you soon.