The draft documents for the Cybersecurity Maturity Model Certification (CMMC) 2.1 were released by accident in July 2023. They were quickly removed, as they were not officially released by the Department of Defense (DoD) Chief Information Officer (CIO) office. These documents were released to Office of Information and Regulatory Affairs (OIRA) as part of the rule-making process for implementing CMMC into the 32 Code of Federal Regulations (CFR) but shouldn’t have been made public.
That said, the industry got a sneak peek at what could become the final rule once CMMC 2.1 is released. What this means for the Defense Industrial Base (DIB) is that the DoD is likely taking feedback from the DIB, the CyberAB, and the rest of the CMMC ecosystem in order to make changes to the model, definitions, and processes that provide clarity and fill in identified gaps. History has shown that the public comment period brings out some great feedback and solution ideas for any concerns. What we haven’t seen is those comments having a large impact on the final rule documents. Regardless, these leaked documents are proof that CMMC is progressing, and the government still intends to get CMMC into place.
Based on what was (briefly) released, here are some possible changes to pay attention to from 2.0 to 2.1.
One main observation has been the clarification of the External Service Provider (ESP). An ESP would be a Managed Services Provider (MSP), Managed Security Services Provider (MSSP), or other organization that has CUI or Security Protected Data for the Organization Seeking Certification (OSC). It looks like all of this will be defined in 32 CFR 170 as part of the final rule-making, which can assist with properly scoping your environment. Prior to this, it was very unclear what an ESP really was in the context of CMMC, and what would bring that ESP into scope.
It also states that ESPs would need to be certified themselves at the same CMMC level that the OSCs they support are seeking to achieve. This has a lot of industry members scratching their heads, as most ESPs (as well as CSPs) are not Government contractors themselves and, therefore, are not required to comply with Defense Federal Acquisition Regulations (DFARS) 252.204-7012. So, in order to meet such a requirement, will ESPs need to demonstrate their own National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 compliance program? Perhaps. As mentioned above, it has always been important to understand your scope, specifically the providers and resources you rely on and inherit responsibility from.
What should an OSC do?
Again, not much has changed from what is already required today. DFARS 252.204-7012 and NIST SP 800-171 revision 2 are still the requirements. That will not change anytime soon, and it serves as the baseline for CMMC. CMMC, at the end of the day, is a requirement that an authorized third-party assessment validate your implementation of NIST SP 800-171.
What should the CMMC Ecosystem be prepared for?
There may be some changes to education for those certified under the CyberAB Cybersecurity Assessors and Instructors Certification Organization (CAICO). If we look back at the transition from CMMC 1.0 to 2.0, the Licensed Training Partners and Licensed PPs had to update the training materials and send them off for update review and approval, and the CyberAB offered delta training for the differences between the two models. We didn’t have the Certified CMMC Professional (CCP) or the Certified CMMC Assessor (CCA) certifications then, but now CAICO will need to update the exams.
We can also expect the CMMC model and documentation to change over time so it can adjust to evolving threats. If it stays static, then compliance programs will not evolve with emerging technologies/solutions or threats to sensitive information. We are already seeing more Executive Orders coming out of the White House focused on cybersecurity, periodic updates to the NIST publications, and now updates to CMMC. There will always be developing requirements for the DIB to implement.
View the Unified Agenda entry for the CMMC rule: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=&RIN=0790-AL49