The Department of Defense (DoD) released key documentation relating to Cybersecurity Maturity Model Certification (CMMC) 2.0 over the past several weeks, including (1) a CMMC 2.0 Model Overview document, (2) CMMC Self-Assessment Scopes for Level 1 and 2 assessments/certifications, (3) CMMC Assessment Guides for Level 1 and 2 attestations/certifications, and (4) the CMMC Artifact Hashing Tool User Guide.
DoD has stated that CMMC 2.0 will not be a contractual requirement until the Department completes the rulemaking needed to implement the program. Although that rulemaking process is estimated by DoD at 9 to 24 months, these documents are highly relevant to any contractors selling to DoD. Once CMMC 2.0 is implemented, it will be mandatory where sensitive DoD information is provided to a contractor or generated, processed, stored, or transmitted in support of performance of a DoD contract. Moreover, those contractors who can implement CMMC practices more quickly likely will have a competitive advantage over contractors who wait to address CMMC until right before the clauses appear in individual procurements. Key aspects of each of these documents are discussed below.
CMMC 2.0 Overview Document
As we discussed in more detail in prior posts, CMMC 2.0 is markedly different than CMMC 1.0 in certain ways. Principal differences include the fact that CMMC 2.0 has only three maturity levels — Foundational (Level 1), Advanced (Level 2), and Expert (Level 3) — relative to CMMC 1.0, which had five levels. Under CMMC 2.0, a Level 1 self-assessment is required where Federal Contract Information (FCI) is involved, a Level 2 self-assessment/attestation or third-party certification is required where Controlled Unclassified Information (CUI) is involved, and a Level 3 certification is required where DoD determines that a contractor must implement additional practices to reduce the risk associated with Advanced Persistent Threats.
The newly released overview document outlines the general requirements that contractors must implement to achieve each CMMC level. As set forth in the document, Level 1 of CMMC 2.0 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21 and Level 2 is equivalent to all of the security requirements in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (Rev. 2). The overview document indicates that Level 3 certification requirements will be a subset of the requirements in NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”, but it does not specify which requirements will apply, and only notes that details for Level 3 certifications will be released at a later date. In each case, the levels build on one another, i.e., a contractor must implement all of the practices at Levels 1 and 2 plus additional Level 3 requirements in order to achieve a Level 3 certification.
As Level 2 tracks with the requirements set forth under NIST SP 800-171 Rev. 2, the document references the “[d]evelop[ment] and implement[ion of] plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems,” but provide no further specifics. Nonetheless, DoD has indicated elsewhere, including in a recent Federal Register Notice (previously rescinded but now republished with certain changes), that a Plan of Action and Milestone (POA&M) may be used in certain contexts.
CMMC Self-Assessment Scopes for Levels 1 and 2
The CMMC Self-Assessment Scope for Level 1 and Level 2 is used to define those assets within the contractor’s environment that will be in scope of the assessment and self-attestation/third-party certification. Specifically, this document relates to the description of the environment that will store, process, or transmit FCI (Level 1) or CUI (Level 2), which are considered to be “in-scope assets.”
Each of these documents makes clear that there are no documentation requirements for out of scope assets and that such assets should not be part of the assessment. Notably, each document addresses “Specialized Assets,” which includes Government Property, Internet of Things or Industrial Internet of Things, Operational Technology, Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the assessment scope under Level 1 and are therefore not assessed against CMMC practices. Specialized Assets are part of the CMMC assessment scope under Level 2, however, and contractors are required to document these assets in the System Security Plan (SSP) and detail how they are managed using the contractor’s risk-based information security policy, procedures, and practices.
CMMC Assessment Guides for Levels 1 and 2
The Level 1 Assessment Guide and Level 2 Assessment Guide are intended to provide certified assessors, contractors, and IT and cybersecurity professionals with guidance to help prepare for a CMMC assessment (including self-assessments). The two guides are similarly organized, and each provides: (1) an overview of the CMMC assessment and certification process, (2) information about assessment criteria and methodology, (3) clarification of the intent and scope of various terms of the CMMC, and (4) assessment requirements and specifics for each CMMC practice. Specific information in the guides includes the type of documentation to be assessed, documentation of assessment findings, and examples of implemented technical practices, among other things. The Level 2 Assessment Guide also indicates that it leverages information included in NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” that NIST published in 2018.
CMMC Artifact Hashing Tool User Guide
This hashing guide is used for the very specific purpose of overviewing the CMMC’s Artifact Hashing Tool, which is used to create a unique digital fingerprint (i.e. SHA-256 hash) for each document, file, or other artifact used as proof of compliance with CMMC. The document explains that assessors do not take copies of artifacts of evidence with them after an assessment because these articles are proprietary to the contractor. Instead, the assessor generates unique fingerprints of each file using the tool and follows the instructions set forth in the guide so that the assessor can document the exact artifacts, and the contractor could produce those artifacts in the future, if needed.