Draft CMMC Assessment Process is Released, Providing Insights but Attracting Industry Criticism

Miles & Stockbridge P.C.

The challenge posed to Department of Defense (DOD) contractors of complying with ever-shifting cybersecurity regulations and guidance continues unabated. On July 26, 2022, the Cyber Accreditation Body (Cyber AB) published a highly anticipated “Pre-Decisional Draft V1.0” of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process (Draft CAP), which provides the procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC third-party assessments of organizations seeking certification (OSCs). The Cyber AB, formerly known as the CMMC Accreditation Body, is the non-governmental partner of the DOD that has been charged with authorizing and accrediting the CMMC Third-Party Assessment Organizations (C3PAOs) that conduct CMMC Assessments of companies within the Defense Industrial Base (DIB). As outlined in DOD’s Notice of Proposed Rulemaking, under CMMC version 2.0, the requirement to obtain third party certification will apply to “prioritized acquisitions” that require CMMC Level 2 certification.

The Draft CAP has provoked widespread criticism in both the trade press and in formal comments regarding the complexity and rigidity of the draft assessment process (and attendant costs to contractors), the Draft CAP’s treatment of cloud service providers, its failure to address issues of significance for companies such as practice inheritance, as well as the timing of its release.

This criticism underscores the DIB community’s frustration with the slow rollout and lingering cloud of uncertainty regarding the implementation. The twists and turns along the long road to CMMC implementation – from the initial announcement of CMMC in July 2019, to the issuance of CMMC 1.0 in January 2020, the publication of an Interim Rule in October 2020, further implementation delays and radio silence from DOD throughout most of 2020 and 2021, and the substantial revisions to the framework with the issuance of CMMC 2.0 in November 2021 – are summarized in an earlier blog post regarding CMMC 2.0.

The Cyber AB Publishes the Draft CAP

As noted above, the Cyber AB published a Draft CAP on July 26, 2022, which describes the procedures that C3PAOs could conceivably be required to follow in conducting official CMMC Level 2 Assessments and provides guidance about them. However, it bears mentioning that DOD has not endorsed or made any official comment about the Draft CAP. Whereas the DOD Level 2 Scoping Guidance and Guide establish the objectives and criteria for CMMC Level 2 Certification, the Draft CAP “is the CMMC doctrine providing the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organizations seeking CMMC Certification.” The CAP is organized across four phases and describes the required activities to ensure that CMMC Assessments are conducted consistently across the DIB.

  • Phase 1 - Plan and Prepare the Assessment is very detailed and spans over 15 pages. This phase begins when the OSC engages an accredited C3PAO. Next, the OSC and C3PAO establish roles and responsibilities for each party (including points of contact and responsible parties on each side). Then the terms of the assessment are memorialized in a contract, and the OSC and C3PAO plan out the details of the assessment. Among other things, the OSC must provide the C3PAO the results of the most recent self-assessment, a preliminary list of anticipated evidence, a copy of the company’s SSP and other relevant documentation, and a list of all OSC personnel who play a role in the procedures that are in scope. Next, the C3PAO’s Lead Assessor reviews the adequacy and sufficiency of the information and documentation provided by the OSC and reviews the OSC’s self-assessment. The OSC and C3PAO finalize the assessment plan and set its schedule. Finally, the Lead Assessor completes a preliminary assessment and makes a recommendation regarding the practicality of proceeding to the next phase.
  • Phase 2 - Conduct the Assessment describes an initial assessment kickoff meeting and provides details on the collection and examination of evidence. The Lead Assessor reviews documentation provided by the company, conducts interviews, observes tests, determines whether the company’s external service providers meet the requisite security requirements, and identifies evidence gaps. Next, the Lead Assessor produces a preliminary assessment finding of satisfied (“MET”) or other than satisfied (“NOT MET”). The Assessment Team then scores the company’s practices, validates the preliminary results, and records a final recommended score. If the overall score is less than 80% (88/110 practices “MET”), then the OSC will receive a finding of “Not Achieved”. If the overall score is greater than 80%, the OSC must correct deficiencies within five business days from the Final Findings Briefing or by an alternative date set by the Lead Assessor. Although CMMC 2.0 allows for limited use of a Plan of Action and Milestones (POA&M) to remediate practices not satisfied at the time of the assessment, the Draft CAP states that the highest-weighted CMMC requirements are not eligible for POA&Ms at the time of the certification assessment and that the OSC must meet 88 of the 110 practices to receive a Level 2 conditional certification.
  • Phase 3 - Report Recommended Assessment Results includes various procedures and requirements on submitting and uploading information about the assessment into the DoD Enterprise Mission Assurance Support Service (eMASS), as well as the archiving and destruction of assessment documentation.
  • Phase 4 - Close-Out POA&Ms and Assessment states that the OSC will have 180 days from the Assessment Final Recommended Findings Briefing to select a C3PAO to conduct the POA&M Close-Out Assessment, and provides that certification will be withdrawn if any practices on the POA&M fail to result in a score of MET. The consequences of such a “withdrawal” are unclear—for instance, would a company lose a contract that requires CMMC 2.0 third party certification?

Industry Criticism of the Draft CAP

The Draft CAP outlines an intricate process with multiple assessments at various phases (e.g., including separate preliminary assessments in both Phase 1 and Phase 2). In certain regards, it includes a lot of detail; in others, it provides little information. The Cyber AB left the Draft CAP open to formal comments for 30 days, until August 25, 2022.

Although the Cyber AB has not published the comments it has received at this time, several large contractor trade groups, including the National Defense Industrial Association (NDIA) and the Coalition for Government Procurement (CGP) (see here), have published the comments they submitted online. The C3PAO Stakeholder Forum, which represents the interests of C3PAOs, also submitted its own comment (available here). Several criticisms feature prominently:

  • Frontloading of C3PAO Effort in Phase 1 of the Assessment Process: Phase 1 of the Draft CAP is extraordinarily detailed, includes a preliminary assessment, and appears to represent one-third or more of total assessment activities. NDIA expressed concern that this may result in OSCs needing to purchase significant “pre-work” services from a C3PAO before the scope and subsequent cost of the assessment can be determined. Phase 1 activities, as drafted, effectively require the formalities of an assessment before the formal assessment. This may result in complex billing arrangements between C3PAOs and OSCs and increase the total cost of assessment. The CGP Comment similarly describes the CAP as “extraordinarily laborious, establishing process and procedure with density of detail that necessarily will make CMMC assessments more expensive, for assessors and assessed companies alike, and longer to accomplish.”
  • Conflation of Managed Service Providers (MSPs) and Cloud Service Providers (CSPs): The NDIA, CGP, and C3PAO Stakeholder Forum all criticize the Draft CAP for lumping together two very different kinds of External System Service Providers (ESSPs): MSPs, which help OSCs design, build, configure, and manage IT systems and security solutions; and CSPs, which provide clients virtual servers to store, process, and transmit information. The DFARS Cyber rule requires that contractors using CSPs to store, process, or transmit any CUI use CSPs that meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. See DFARS 252.204-7012(b)(2)(ii)(D). But most MSPs do not store, process, or transmit CUI and are not FedRAMP certified. Requiring MSPs to obtain the equivalent of the FedRAMP Moderate baseline would drive many MSPs out of the market. This would result in higher costs and fewer options for contractors, particularly small businesses, which rely heavily on services from MSPs. The comments opine that compliance with NIST SP 800-152 should be sufficient for most MSPs and would provide the Government an appropriate level of protection.
  • Insufficient Information about Practice Inheritance: As noted above, contractors across the DIB rely heavily on MSPs and CSPs to provide network infrastructure and security services. Accordingly, the ability of OSCs to benefit from, or “inherit,” the certifications of the MSPs and CSPs they use is critical to the CMMC assessment process. However, as noted in the NDIA and CGP comments, the Draft CAP provides highly generalized treatment of practice inheritance in Section 1.5.8 and does not provide a methodology for assessing practice inheritance.
  • Post-Assessment Treatment of Documentation: Section 1.5.4 of the Draft CAP states that “It is a violation of the CMMC Code of Professional Conduct (and of the CMMC Assessment Process) for a C3PAO to retain OSC proprietary information past the conclusion of the C3PAO-OSC engagement.” Section 3.2.4 outlines additional requirements for archiving and destruction of OSC information. Both the CGP and the C3PAO Stakeholder Forum comments criticize the Draft CAP’s implementation of these requirements. The CGP notes that retention of information is required in case an assessment is appealed, and that the CAP’s three-year retention period is “incongruent with existing international cybersecurity standards,” such as AS9100, which specifies a ten-year retention period. The C3PAO Stakeholder Forum comments that “without the ability to archive and maintain all the OSCs assessment data, the effort necessary for C3PAOs to document and capture everything necessary to address our liability will drive the cost of an assessment up, and risk C3PAOs inability to defend our assessments.”
  • Publication of Draft CAP Premature: The CGP comment states, more broadly, that given that DOD is unlikely to publish an Interim Rule until at least March 2023, the publication of a Draft CAP is premature and should be rescinded. “It would be misleading to companies and a potential waste of their funds, and of the efforts of a C3PAO, to do assessments against (i) future standards, which (ii) may change before the CMMC 2.0 regulations are final, using (iii) a CAP that, by its own terms, is ‘pre-decisional’ and beset with errors and omissions.”

Conclusion

Based on current estimates, an Interim Rule implementing CMMC 2.0 will not be effective until at least July 2023, and if recent history is a guide, additional delays are likely. Although the Draft CAP includes potentially useful information for planning purposes — for instance, sections 2.3.2.1 and 2.4.1.1 reveal that certain practices are “ineligible” for deficiency correction and cannot be subject to a POAM — the Cyber AB will likely make additional and substantial changes based on industry and DOD feedback.

Notwithstanding the lingering uncertainty regarding CMMC implementation, DOD contractors that handle CUI should prepare by doing what they’re already required to do under the Cybersecurity Interim Rule — establish an SSP, upload self-assessment scores, and close out POAMs. As DOD continues to point out, cybersecurity threats are escalating and present a persistent threat to contractors. Additionally, as noted in a recent DOD memorandum, “[f]ailure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.” The memo (published 16 June 2022) signals DOD’s increased willingness to exercise contractual remedies, which include “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.” Additionally, following the Department of Justice’s launch of a cyber-fraud initiative in October 2021, contractors now face a heightened risk of liability under the False Claims Act.

Please contact a member of the Miles & Stockbridge government contracts team for additional information on complying with the Government’s ever-evolving cybersecurity requirements.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising