In this series of articles, we explore the different certification requirements of CMMC Level 1, 2 and 3, the impact on contractors and external service providers, and proposed next steps. Read our initial summary here.

On December 26, 2023, the US Department of Defense (DoD) published its long-awaited proposed rule codifying the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program (CMMC Rule).

Proposed 32 CFR 170.14 et seq. establishes CMMC Level 1 security requirements, assessment scope and assessment requirements. CMMC Level 1 applies to DoD contractors and subcontractors that will process, store or transmit Federal Contract Information (FCI). Pursuant to Federal Acquisition Regulation (FAR) 4.1901, FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.” DoD estimates that 63% of the contractors impacted by the proposed CMMC rule will only be subject to CMMC Level 1; as such, understanding the CMMC Level 1 requirements will be important for most contractors and subcontractors looking to prepare for the future.

IN DEPTH

The applicable security requirements under CMMC Level 1 remain unchanged from those announced in 2021, and Federal contractors should already have familiarity with these requirements. The proposed CMMC Rule now establishes (1) the scope of CMMC Level 1 self-assessments and (2) the requirements for the assessment itself. Level 1 Certification is part of Phase 1, which is expected to begin as soon as Defense FAR Supplement (DFARS) 252.204-7021 is effective.

SECURITY REQUIREMENTS

The 15 security controls on which Level 1 assessments will be based are those found in FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems” (FAR Safeguarding Requirements). Proposed 32 CFR 170.14(c)(2) incorporates these 15 security controls verbatim. As described in more detail below, the proposed CMMC rule departs somewhat from the initial 2021 CMMC 2.0 publication, which described the FAR Safeguarding Requirements as 17 separate controls (dividing FAR 52.204-21(b)(1)(ix) into three separate controls).

The FAR Safeguarding Requirements are derived from the National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, which establishes a control catalog of more than 300 security and privacy controls. NIST 800-53 was designed to meet security and privacy requirements across the Federal ecosystem. Many of the Federal safeguarding standards that exist currently, including the FAR Safeguarding Requirements, the Federal Risk and Authorization Management Program and the NIST 800-171 controls, are derived from NIST 800-53. As the FAR applies broadly across Federal agencies and applies to a wide variety of contracts, the 15 FAR Safeguarding Requirements are the minimum-security controls deemed necessary to protect contractor information systems.

The FAR Safeguarding Requirements, as incorporated into the proposed CMMC Rule, are as follows:

• Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems);
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
• Verify and control/limit connections to and use of external information systems;
• Control information posted or processed on publicly accessible information systems;
• Identify information system users, processes acting on behalf of users or devices;
• Authenticate (or verify) the identities of those users, processes or devices as a prerequisite to allowing access to organizational information systems;
• Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
• Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals;
• Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices;
• Monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
• Identify, report, and correct information and information system flaws in a timely manner;
• Provide protection from malicious code at appropriate locations within organizational information systems;
• Update malicious code protection mechanisms when new releases are available; and
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

SCOPE OF ASSESSMENT

Before beginning the Level 1 assessment, contractors must identify the appropriate scope of the assessment, based on the proposed rule Section 170.19. The assessment scope for CMMC Level 1 will include information systems that process, store or transmit FCI and will also “consider” people, technology, facilities and External Service Providers (ESP) within the contractor’s environment that process, store or transmit FCI.[1] The CMMC Level 1 Scoping Guide provides some guidance on how to identify these components, but it does not address how contractors should analyze each component’s interactions with FCI. FCI can range from information related to the proposal phase of the contracting process, to notes taken during meetings with the DoD, to contract information to emails exchanged with the DoD. Given the broad definition of FCI, it may be challenging for many contractors to accurately capture the assessment scope without further guidance. Contractors will need to rely on both their contract management and compliance capabilities, in addition to inventories of technology assets, to establish an accurate scope for assessment. It will be very important to ensure that all systems used in any way for the performance of Federal contracts are evaluated.

We note that specialized assets are considered out of scope for Level 1 assessments. Specialized assets are systems which cannot be fully secured but can process FCI, including Internet of Things (IoT) devices, Industrial IoT (IIoT) devices, Operational Technology, Government Furnished Equipment, Restricted Information Systems and Test Equipment. Examples of IoT devices and IIoT devices (a subset of IoT devices used in industrial settings) include equipment, machinery, infrastructure and other devices that have embedded sensors and network connectivity, such as networked security cameras and shipping trackers. It is important to keep in mind that these assets come into scope for CMMC Levels 2 and 3, first as required components of Level 2 System Security Plans and then fully assessed at Level 3. These assets should not be disregarded in determining a contractor’s Level 1 assessment scope. Instead, contractors should ensure that they have an accurate and complete understanding of their systems to define in-scope and out-of-scope assets for Level 1.

SELF-ASSESSMENT METHODOLOGY

Although Federal contractors have been subject to the FAR Safeguarding Requirements since the introduction of the clause in 2016, there has not been any established methodology for a contractor to assess and evaluate its implementation of the 15 controls. The proposed CMMC Rule now introduces a self-assessment methodology applicable to all Level 1 contractors.

Proposed 32 CFR Section 170(i) establishes that NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will apply to Level 1 self-assessment. NIST SP 800-171A is intended for use in assessing systems that handle Controlled Unclassified Information (CUI) by providing a methodology for the assessment of the 110 security controls in NIST SP 800-171.

Although NIST SP 800-171 is itself derived from NIST 800-53, and the 15 FAR Safeguarding Requirements align with a number of control objectives in NIST 800-171A, that alignment is far from ideal. FCI and CUI are different categories of information that require different standards of care. NIST designed SP 800-171A with the specific needs and sensitivities of CUI in mind; FCI is less sensitive information that does not fit well with these standards. Instead of developing an FCI-focused methodology, the DoD incorporates specific NIST SP 800-171A assessment objectives relevant to each of the 15 FAR Safeguarding Requirements. The total number of assessment objectives is 17, as the security control described in FAR(b)(1)(ix) aligns with three separate control objectives.

Although the CMMC Level 1 Assessment Guide describes the assessment objectives for Level 1 as “existing criteria in NIST SP 800-171A modified for FCI rather than CUI,” the sole “modification” made in the proposed CMMC Rule is that “in any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.” Proposed 32 CFR 170.15(c)(1)(i)

The CMMC Level 1 Assessment Guide adopts the identified NIST SP 800-171A assessment objectives and associated assessment methods. For each assessment objective, the guide also provides discussion from the relevant NIST SP 800-171 control. As noted above, NIST 800-171 is designed for information systems that process CUI, and the discussion for each control objective is pitched at a fairly high level of sophistication and complexity. The Level 1 Assessment Guide does provide a “further discussion” section for each control. This “further discussion” is written in much more accessible language and appears to be better suited to a level of sophistication appropriate for FCI. However, the guide is clear that the 800-171A criteria, which incorporate by reference the more complex 800-171 control discussion, are “authoritative.”

For example, consider FAR Safeguarding Requirement (b)(1)(xiii), which requires the implementation of controls designed to “[p]rovide protection from malicious code at appropriate locations within organizational information systems.” The proposed CMMC Rule identifies NIST-800-171A § 3.14.2 as the assessment objective for this control. That assessment objective calls for (1) designated locations for malicious code protection to be identified and (2) protection from malicious code at designated locations be provided.

Taken at face value this seems simple enough, and many contractors will have implemented antivirus/anti-malware software, network and email scanning, and other tools designed to prevent the spread of malicious code. However, the 800-171 discussion criteria provided for this assessment objective uses terminology that is far more complex, such as the statement that “[p]ervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code.” Compare this language to the “Further Discussion” provided in the guide: “Consider use anti-malware tools to stop or lessen the impact of malicious code.”

Many contractors seeking Level 1 Self-Assessment will be in the position of having to interpret objectives designed to assess more sophisticated systems, and the disparity between the “authoritative” criteria and the “further discussion” provided may further complicate this effort. Self-assessment should not be done solely by technology team members, who may not have the necessary experience in audit methods and interpretation. Instead, Federal contractors should leverage personnel with legal, compliance and audit experience to coordinate with information security teams in performing these self-assessments. This complexity also undermines the DoD’s stated goal of “self-assessment” because it will require many small and less sophisticated entities to engage experts to perform or guide the assessment.

Assessment findings are laid out in proposed 32 CFR 170.24. Assessment of each objective must result in one of three possible findings: 1) MET, 2) NOT MET or 3) NOT APPLICABLE. A finding of MET requires that all applicable objectives for the security requirement are satisfied based on evidence. NOT MET means one of the objects or requirements are not satisfied. NOT APPLICABLE means that the requirement or objective does not apply at the time of the assessment. Importantly, for CMMC Level 1, all security requirements must be fully implemented, such that the self-assessment itself results in an overall finding of MET. If any security requirements would result in a finding of NOT MET, the entirety of the self-assessment results in an overall finding of NOT MET. Level 1 does not use any scoring methodology and does not allow the use of a Plan of Action and Milestones (PoA&M) for unmet requirements. Effectively, a CMMC Level 1 assessment is now a pass-fail standard.

The results of the self-assessment must be entered into the Supplier Performance Risk System (SPRS). The SPRS input must include the CMMC level of the assessment, the assessment date, the assessment scope, all industry Commercial and Government Entity code(s) associated with the information system(s) addressed by the CMMC assessment scope and the compliance result (MET or NOT MET). Proposed 32 CFR 170.15(1)(i)

AFFIRMATION REQUIREMENTS

As part of the certification process, organizations seeking assessment (OSA) at all levels must now submit an affirmation of continuing compliance with the CMMC assessment. For Level 1, the affirmation must be submitted through SPRS by the senior official responsible for ensuring compliance with CMMC requirements upon completion of the Level 1 self-assessment and annually thereafter proposed 32 CFR 170.22(1). The content of the affirmation must include the name, title and contact information of the affirming official and a statement that the OSA has implemented and will maintain the appropriate level of CMMC security within the relevant assessment scope.

As we noted in our previous CMMC update, the CMMC assessment process, and specifically the affirmation requirement, introduces a heightened risk under the False Claims Act. Contractors must vet these affirmations carefully, as any potential inaccuracy or ambiguity could result in litigation risk under a variety of criminal and civil laws, including the False Claims Act.

IMPLEMENTATION AND CONSIDERATIONS FOR CONTRACTORS

The proposed CMMC rule will take a phased approach to implementation. CMMC Level 1 is intended to be included as part of all DoD solicitations as part of Phase 1, which is expected to begin as soon as DFARS 252.204-7021 is finalized (the clause currently exists based on an interim rule) and last six months. Although the phased implementation of CMMC is tied to a DFARS rulemaking for which there is no current expected publication date, the proposed CMMC rule indicates that DoD expects to include CMMC requirements for Levels 1, 2 and 3 in all solicitations issued on or after October 1, 2026.

Takeaways:

• Contractors who currently hold contracts or subcontracts which process, store or transmit FCI, or who anticipate seeking contracts or subcontracts process, store or transmit FCI in the next few years, should begin assessing their compliance with the FAR Safeguarding Requirements.
• Self-assessments, if not already, should be consistent with the CMMC Level 1 Assessment Guide, which incorporates the identified NIST SP 800-171A assessment objectives and associated assessment methods verbatim.
• The proposed rule does not allow the use of a PoA&M for unmet requirements for CMMC Level 1, effectively establishing CMMC Level 1 assessment as a pass-fail standard. Contractors currently utilizing PoA&M should review next steps to ensure implementation and compliance of all 15 FAR Safeguarding Requirements.
• Although CMMC Level 1 compliance primarily relies on IT technical and security expertise, senior executives, in-house counsel and compliance personnel all play a role in ensuring that a company’s affirmations regarding CMMC Level 1 compliance are current, accurate and complete. Even though non-IT personnel must necessarily defer to the expertise of IT personnel, senior leadership should have a working knowledge of CMMC and the processes used by the company to prepare and vet its self-assessments.

While we continue to keep an eye on DFARS rulemaking to understand when CMMC levels will be incorporated into contracts and subcontracts, the proposed rule makes clear that CMMC Level 1 will be a part of Phase 1. This means CMMC Level 1 will be included as a condition of contract award effective from the finalization of DFARS 252.204-7021 with little transition time for contractors and subcontractors. Contractors and subcontractors should begin review and self-assessment now to position themselves as compliant and award-ready when Phase 1 begins.

Stay tuned for our continuing analysis of the proposed CMMC Rule.

[View source.]