NeoSystems Corporation

1/17/2024 CMMC Rule Webinar Q&A

We received many questions during the January 17th webinar on the proposed CMMC rule. Our speakers answered the questions below. Please let us know if you have any additional questions regarding the rule or require assistance with your CMMC compliance strategy.

Can you speak to how there are only about 50 C3PAO assessing companies, but tens of thousands of organizations that will need a Level 2 certification? – D. Le

Stuart Itkin: The CyberAB is facing a chicken and the egg challenge with respect to building the C3PAO community.  There will not be a revenue stream for C3PAOs until the CMMC rule goes into effect.  Potential C3PAOs are on the sideline waiting.  That said, there are still over 100 C3PAO candidates in queue to go through a DIBCAC High Assessment in order to be authorized.  Phase 1 recognizes the limited number of available C3PAOs once CMMC is enacted and only requires self-assessments until the start of Phase 2.

If you’re Level 2, does 800-171A still apply? – R. Ni

James Goepel: Yes, 800-171a is the assessment guide for 800-171, so it definitely applies in CMMC.

Can a DIB org ask for an extension? – A. Co

James Goepel: Not really.  A PM can determine that CMMC requirements should be waived for a particular procurement, but individual contractors don’t have a way to ask for a waiver as part of their proposal.  During contract performance, there MAY be more wiggle room if you have a conditional assessment and it takes you more than 180 days, but that’s not something I’d count on.

If level 3, is a company required to have level 2 outside assessment prior to gov’t assessment? – R. Tr

James Goepel: Yes.  DIBCAC’s assessment will focus on the requirements from NIST SP 800-172.  You must first have a CMMC Level 2 certification that covers the scope of the Level 3 environment.

Are the 221,286 estimated DOD contractors just prime contractors or does that include 1st tier and lower tier subcontractors? – H. Ru

James Goepel: I believe DoD only has visibility into primes and 1st tier subcontractors.  So, I suspect the number is much larger than DoD can “see”.

What is a C3PAO? – R. Ni

James Goepel: A Certified 3rd Party Assessment Organization, i.e. an organization accredited by the Cyber AB to conduct CMMC assessments and issue CMMC certifications to government contractors.

How/What determines whether an organization will require a Level 2 assessment by a C3PAO vs. only needing a Level 2 Self-Assessment? – N. Ta

Stuart Itkin: It’s expected that only 2% of organizations handling CUI will be allowed to self-assess.  The DoD hasn’t shared what will be considered “less sensitive” CUI that will only require a self-assessment.

Is the C3PAO certification at implementation of CMMC 2.0 or after the initial 3 year certification? – J. Fe

Stuart Itkin: A C3PAO Conditional Certification (minimum score of 88/110) will be required as a condition of contract award during Phase 2. A C3PAO Certification will be required as a condition of contract award during Phases 3 and 4.  If you receive an award during Phase 1 and have self-assessed, you will need to have a C3PAO certification before the end of year 3.

Does the 221,286 number for DoD contractors account for the entire DIB? – L. De

James Goepel: Most likely, no.  I believe DoD only has visibility into primes and 1st tier subcontractors.  So, the number is probably much larger.

What is the self-assessment tool/document that you mentioned that had 300+ questions/areas? – M. Id

James Goepel: There are free spreadsheets (e.g., the CMMC Information Institute’s spreadsheet), but there are also tools like FutureFeed (https://FutureFeed.co) that can help you build a comprehensive program.

The 3rd party evaluators are supposed to be paid for by the contractors.  Do you think that the “fisheries” case, regarding whether fishers must pay for the observers, will affect who will have to pay for the 3rd party assessors? – J. Re

James Goepel: Not really.  I suspect that, if the Fisheries case overturns Chevron deference, someone will try.  But the reality is that, in the Fisheries case, the federal agency decided on its own to require contractors to pay for government officials (or contractors acting in their place) to be on board their boats and to actively monitor the catch of particular species of fish.  That’s a significant cost and burden to the fishermen, and the agency’s actions are several levels removed from its Congressional authority (or at least that’s what the fishermen are claiming).

With CMMC, DOD is requiring certification of a Contractor’s compliance with existing, government-wide regulations (i.e., 32 CFR 2002).  They are doing so at discrete points in time (rather than continuous monitoring, as in the fisheries case), and are imposing the requirement prior to contract award.  The scenarios are very different, and even if the concept of Chevron deference is completely overturned, in this case DoD’s actions are within the scope of its authority.

Can you go into CSPs that are FedRAMP Moderate Impact Level 4 certified? What is the reciprocity with inherited controls?

Stuart Itkin: A Cloud Service used to store, process, or transmit CUI that has a FedRAMP Moderate IL4 ATO should satisfy the requirement for FedRAMP Moderate Equivalency.

Also, funny that you noted contractors are not falling in line and complying… when is the government going to start marking documents like the DoD-provided CUI training stipulates should be done? – M. Id

James Goepel: I feel your pain.  DoD is starting to roll out better training for their staff, but with (literally) millions of people, the process of educating and implementing these requirements will take a LONG time.

Are you responsible if your subs or vendors are not compliant with CMMC? – R. Ni

James Goepel: You are.  You choose the subs/vendors, so the buck stops with you.

What is “highly sensitive CUI”?  I know we have CUI and some CUI Specified, including export control, ITAR and Nuclear. – J. Fe

Stuart Itkin: CUI falls into two broad categories: CUI Basic and CUI Specified.  There are several categories of each (see https://www.archives.gov/cui/registry/category-list). “Highly Sensitive” is not a category. The distribution restrictions, handling and marking requirements for different categories of CUI are relative to the sensitivity of information within that category.  For CMMC Level 3, 32 CFR 170.5 (as proposed) states that “In general, the Department will identify a CMMC Level 3 requirements for solicitations supporting its most critical programs and technologies.”  This is the “highly sensitive CUI” that was referenced in the webinar.  Unfortunately, at this time we do not have a more concrete definition of what constitutes a “most critical program” or technology.

Do contractors who have received a high assessment from the DCMA automatically get a CMMC certification? – S. Ma

James Goepel: That’s what the regulation currently says.  BUT, the certification is effective as of the date of the high assessment.  So, if it was 2 years ago, you’ll need a CMMC certification in the next year (since CMMC certifications are only valid for 3 years).

Mr. Goepel mentioned MSPs getting “certified.” Please expand on this. Is this engineers with certifications and, if so, please identify them. If the company has to be “certified,” what are those certifications (C3PAO?)? – D. Po

Stuart Itkin: MSPs will have to complete the same C3PAO assessment as an OSA/OSC and receive a CMMC Certification.  The MSP’s assessment boundary or scope will include all information systems, people, and facilities that would be considered either CUI Assets or Security Protection Assets in a client’s SSP.

So for L1 there is no need to comply at the objective levels of the L1 controls anymore? – A. Co

James Goepel: That is incorrect.  Just to split hairs, the requirements in the FAR specify what you’re expected to do, and that is the point I was trying to make.  HOWEVER, from an assessment perspective, since there isn’t a government-wide approach to assessing these requirements, DoD published their own.  DoD’s assessment guide for Level 1 draws its objectives directly from NIST SP 800-171.

James mentioned that PII and PHI can be CUI. I have seen indication this is only the case if your contract specifically involves storing and handling government provided PII and PHI data as part of that contract. Are there other conditions you are aware of? – M. De

James Goepel: To be CUI, the information must be created or possessed by or on behalf of the government under a contract.  So, for example, a company’s employees’ social security numbers are not CUI, but social security numbers that the company receives from DoD under a contract ARE CUI.

Where can we find the tools again? – T. Co

James Goepel: Free spreadsheet: CMMC Information Institute and others; Other tools: FutureFeed.co

Can you name a tool or service for businesses to help track and report compliance and self assessments for CMMC?  Or do you have a tool to share with people? – A. Va

Stuart Itkin: There are several such GRC-like tools available. FutureFeed, a sponsor of the webinar, offers such a tool.

What is the latest on organizations who have foreign ownership.  There was a point where this was an issue. – R. Fr

Stuart Itkin: Organizations that have foreign ownership will need to be FOCI mitigated.

Did you say that NIST has other helpful guides/documents to review besides their CMMC Assessment Guide? – R. Ni

James Goepel: NIST’s 800-171 and 800-171A are good, but can still be confusing.  DoD’s CMMC Assessment Guides have some great explanatory information. NIST did publish a document, Handbook 162, that had some good stuff in it, too.  But they have withdrawn that document because it hasn’t been maintained.  It’s still useful, but…

Any guidance on affirmation and who can affirm? – A. Se

James Goepel: The regulation refers to a “senior official” as the one who has to file the affirmation.  As a practical matter, that’s likely to be the CEO/President and maybe their direct reports.  Someone who is 4 or 6 levels down on the org chart probably won’t qualify as a “senior” official.

PoAMs are an ongoing part of NIST standard approaches. It is for identifying vulnerabilities, rating the risk of each, and then scheduling remediation or accepting that level of risk. – M. Id

Stuart Itkin: CMMC requires that all POA&M items are remediated and re-tested by a C3PAO. To receive a CMMC Certification, all 110 NIST 800-171 requirements must be scored as “MET” – no POA&M.

If DIBCAC says we are going to assess you and after that assessment we score above an 88 or better, will this get us a L2 once rule becomes final? – J. Le

Stuart Itkin: According to the Proposed Rule, an organization will need to have passed a DIBCAC High Assessment (all 110 controls “MET”) for reciprocity.

Our company sells only COTS items.  Is there an exemption for COTS items or would that be automatically level1? – B. Mi

Stuart Itkin: COTS items are exempt, but COTS resellers may not be. There are cases where a COTS reseller receives CUI (such as installation location information) or creates CUI (such as configuration information). A COTS reseller should look at their contracts and at the information they receive and create to determine whether or not they store, process, or transmit CUI and would therefore be subject to L2.

What happens if you are unable to close out POA&M in 180 days? – A. Se

Stuart Itkin: While not clearly stated, you could receive a negative CPARS, your contract could be terminated, extensions/option years may not be exercised, and in extreme cases, you could be subject to prosecution under the False Claims Act.

So if we receive certification for L2 CMMC from a C3PAO we still have to submit annual affirmations? – J. Ca

Stuart Itkin: Yes, triennial C3PAO certification, annual self-assessment and affirmation other years.

Has reciprocity been documented by the DoD that they will officially accept JSVA? I’ve heard it often but have yet to see it in writing. – D. De

James Goepel: Yes.  It is in the new proposed regulations.

If a POAM is not closed out in 180 days what happens? – D. Br

Stuart Itkin: While not clearly stated, you could receive a negative CPARS, your contract could be terminated, extensions/option years may not be exercised, and in extreme cases, you could be subject to prosecution under the False Claims Act.

Is the L2 self attestation submitted to SPRS? – E. Ro

James Goepel: Yes

If you have a DIBCAC High audit, but no C3PAO involvement, is there a way to turn that into a Joint Surveillance? – J. Ba

James Goepel: The regulation only calls out a DIBCAC High audit; it doesn’t say a C3PAO is required.  So, you should be able to turn that into a CMMC certification.

What happens regarding your ability to handle CUI if you fail a Joint Surveillance Voluntary Assessment? – B. Hy

Stuart Itkin: The current requirement under the 7019 clause is that you have submitted a current score into SPRS.  If you fail a JSVA, then your updated score should be entered into SPRS.  Otherwise, until CMMC becomes effective, your ability to handle CUI should not be affected.  The only way to “fail” a JSVA is if DIBCAC assesses your organization and comes to the conclusion that your score is lower than the score you reported to SPRS under DFARS 252.204-7019.  If the deviations are minor, DoD is allowing companies to correct the issues.  Where the deviations are significant, if the contractor appears to have committed fraud, etc., then the DoD is taking other actions, including possible contract termination, claims under the False Claims Act, and more.

Annual affirmation of compliance occurs in SPRS for senior officials, correct? – D. Hi

Stuart Itkin: Correct

Are there references available for where there is indication that a self-assessment will satisfy contract requirements in Phase 1 due to the lack of C3PAO availability? – M. De

Stuart Itkin: See § 170.3 Applicability in the Proposed Rule:
(1) Phase 1. Begins on the effective date of the CMMC revision to DFARS
252.204–7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.

Is there a specific list of the POAMs that are “must have”? – C. Wa

Stuart Itkin: Section § 170.21, Plan of Action and Milestones requirements, of the Proposed Rule states:
(2) CMMC Level 2 Self-Assessment and CMMC Level 2 Certification Assessment. An OSA is only permitted to have a POA&M for CMMC Level 2 if all the following conditions are met:
(i) The assessment score divided by the total number of security requirements is greater than or equal to 0.8;
(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2–3.13.11 CUI Encryption may be included on a POA&M if it has a value of 1 or 3; and
(iii) None of the following security requirements are included in the POA&M:
(A) AC.L2–3.1.20 External Connections (CUI Data).
(B) AC.L2–3.1.22 Control Public Information (CUI Data).
(C) PE.L2–3.10.3 Escort Visitors (CUI Data).
(D) PE.L2–3.10.4 Physical Access Logs (CUI Data).
(E) PE.L2–3.10.5 Manage Physical Access (CUI Data).

Is it a minimum self-assessment score of 80 or 88? Didn’t quite catch that. – B. La

James Goepel: The minimum score is 88.  It is defined in the regulation as “80% of the total possible score” (just to make things confusing).
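The three POA&M conditions quoted from § 170.21 above, together with the 88-point (80%) minimum just discussed, can be turned into a mechanical check. The following is an added illustration, not DoD, Cyber AB or NeoSystems tooling; it assumes the DoD assessment-methodology convention that the score starts at 110 and each NOT MET requirement subtracts its point value, and the requirement IDs and point values in the sample data (other than those named in the rule) are constructed for the example.

```python
"""
POA&M eligibility checker modelled on the conditions of proposed 32 CFR 170.21(a)(2)
and the 80% minimum score. Added illustration only.
Assumption: assessment score = 110 minus the point value of every requirement
scored NOT MET (DoD NIST SP 800-171 assessment methodology convention).
"""
from __future__ import annotations

from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110            # NIST SP 800-171 Rev 2 security requirements
MIN_RATIO_NUM, MIN_RATIO_DEN = 4, 5  # "greater than or equal to 0.8", kept as integers

# 170.21(a)(2)(iii): requirements that may never be placed on a Level 2 POA&M
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20",  # External Connections (CUI Data)
    "AC.L2-3.1.22",  # Control Public Information (CUI Data)
    "PE.L2-3.10.3",  # Escort Visitors (CUI Data)
    "PE.L2-3.10.4",  # Physical Access Logs (CUI Data)
    "PE.L2-3.10.5",  # Manage Physical Access (CUI Data)
})
# 170.21(a)(2)(ii): the only exception to the "point value of 1 only" rule
CUI_ENCRYPTION = "SC.L2-3.13.11"
CUI_ENCRYPTION_POAM_VALUES = (1, 3)


@dataclass(frozen=True)
class NotMet:
    """One requirement scored NOT MET, with its point value from the 170.24 methodology."""
    req_id: str
    point_value: int


def minimum_score(total: int = TOTAL_REQUIREMENTS) -> int:
    """Smallest integer score s such that s / total >= 0.8 (88 for 110 requirements)."""
    return -(-total * MIN_RATIO_NUM // MIN_RATIO_DEN)  # ceiling division


def assessment_score(not_met: list[NotMet]) -> int:
    """Score on the 110-point scale after deducting every NOT MET requirement."""
    return TOTAL_REQUIREMENTS - sum(item.point_value for item in not_met)


def poam_blockers(not_met: list[NotMet]) -> list[str]:
    """Return every reason these NOT MET items may NOT be carried on a POA&M.
    An empty list means a POA&M is permitted under 170.21(a)(2)."""
    blockers = []
    score = assessment_score(not_met)
    # (i) assessment score / total number of requirements >= 0.8
    if score * MIN_RATIO_DEN < TOTAL_REQUIREMENTS * MIN_RATIO_NUM:
        blockers.append(f"score {score} is below the minimum {minimum_score()}")
    for item in not_met:
        if item.req_id in NEVER_ON_POAM:
            # (iii) hard exclusions apply regardless of point value
            blockers.append(f"{item.req_id} may never be placed on a POA&M")
        elif item.req_id == CUI_ENCRYPTION:
            # (ii) exception: CUI Encryption may be on a POA&M at a value of 1 or 3
            if item.point_value not in CUI_ENCRYPTION_POAM_VALUES:
                blockers.append(f"{item.req_id} has value {item.point_value}; only 1 or 3 allowed")
        elif item.point_value > 1:
            # (ii) every other requirement must be worth no more than 1 point
            blockers.append(f"{item.req_id} has point value {item.point_value} (> 1)")
    return blockers


def poam_permitted(not_met: list[NotMet]) -> bool:
    return not poam_blockers(not_met)


# Constructed sample assessments. IDs of the form EX.L2-* and all point values
# are made up for the example; real values come from the 170.24 scoring methodology.
CLEAN = [NotMet("EX.L2-0.0.1", 1), NotMet("EX.L2-0.0.2", 1), NotMet(CUI_ENCRYPTION, 3)]
EXCLUDED = CLEAN + [NotMet("PE.L2-3.10.4", 1)]          # (iii) violated
HIGH_VALUE = CLEAN + [NotMet("EX.L2-0.0.3", 5)]          # (ii) violated
LOW_SCORE = [NotMet(f"EX.L2-0.1.{i}", 1) for i in range(23)]  # score 87, (i) violated

if __name__ == "__main__":
    for name, items in [("clean", CLEAN), ("excluded", EXCLUDED),
                        ("high_value", HIGH_VALUE), ("low_score", LOW_SCORE)]:
        print(name, assessment_score(items), poam_blockers(items) or "POA&M permitted")
```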

Given that contractors cannot view the SPRS scores of other contractors, how will a CMMC self-assessment differ from the current reported score for 252.204-7019/7020 – other than needing to be 88+? Primes still won’t be able to “see” the results entered by their subs. – J. Be

Stuart Itkin: Primes can request that a subcontractor provide and attest to the current score entered into SPRS.

Typical 3rd party assessment cycles are based on a 3 year time frame (full audit in year 1, surveillance audits in years 2 and 3), starting over after these 3 years. – R. Fr

Stuart Itkin: Yes, C3PAO CMMC Certification Year 1, self-assessment/affirmation years 2 and 3, rinse and repeat.

Can you clarify if CMMC 2.0 will require only US Citizens to access the DOD customer information? Or is it only if the DOD states so?  International companies have employees off-shore managing internal processing like quotes, invoicing, credits/collections, etc. – L. St

James Goepel: In general, CUI does not impose limitations on the nationalities of the persons permitted to handle the information.  There are, of course, exceptions to this rule, including export controlled information (i.e., information subject to the International Traffic in Arms Regulations (“ITAR”), Export Administration Regulations (“EAR”), sanctions, regulations, etc.) and information subject to Limited Dissemination Controls (“LDCs”) where those LDCs limit the dissemination to US citizens only (e.g., information designated with a “NOFORN” LDC).

I spoke to Noel about this and if I remember correctly, a good start or a good path to take is JSVA into CMMC? – W. Q

Stuart Itkin: Yes

If a contractor has a current assessment score of 110 entered into SPRS for DFARS 252.204-7019/7020 when CMMC goes live, will it count as an L2 self-assessment? – J. Be

James Goepel: That is not clear at this time.  It currently seems like the CMMC self assessments will be a separate process from the submission of scores to SPRS.

I was asking if it is possible to ask for more time if DIBCAC contacts an organization for the audit. Can the organization ask for more time to prepare? – A. Co

Stuart Itkin: The intent of a DIBCAC 5-Day audit is to verify the information and score you have submitted. Don’t anticipate being granted an extension.

If a company that has self-attested is breached, will the breach trigger an audit by the DIBCAC? If that audit then determines that the company’s self-attestation was false, will that trigger any action? – J. Le

James Goepel: The safe assumption is that a breach will trigger some form of response from DoD, such as a threat assessment to better understand what information the adversaries have obtained, who may have obtained it, and how it was obtained.  Whether the breach will also trigger a DIBCAC audit of the contractor’s cybersecurity program will likely be a decision made by the investigators as they are reviewing the adversaries’ actions.

Any audit by DIBCAC or another agency, and any whistleblower claims, can trigger the government to take action against a contractor if the contractor fails to meet contractually-mandated requirements.  This is true not only of cybersecurity requirements, but also accounting and other requirements.

How will companies know the possibility of what Contract Award phase from DoD they would be in? – J. Ca

Stuart Itkin: An award is generally the result of responding to an RFP or solicitation. You should be aware of the procurements your company has bid on and when they are scheduled to be awarded.  Similarly, a company should be aware when existing contract terms expire and would be eligible for renewal.

I heard the JSVA needs a perfect 110 score to be valid for CMMC certification later on.  Is this true? – S. Ou

Stuart Itkin: Yes

If someone has ISO 27001:2022, do they still need to have CMMC? – A. Kh

Stuart Itkin: YES, there is no reciprocity between ISO and CMMC

What is a cost estimate for implementation work for an L2, not including software, hardware or tools? Basically, what rough estimate of cost should I expect to see in an implementation proposal? – A. Co

Stuart Itkin: This is a hard question to respond to without having more information about the size and complexity of the organization, the specific business applications in the environment, your tech stack, etc.  I would be happy to speak with you about this off-line.  You can contact me at Stuart.Itkin@NeoSystemsCorp.com

Is the main rollout on March 1st an early time frame, or is it the latest it could possibly be? I am in a Level 2 cert. – T. An

Stuart Itkin: It is unlikely for Phase 1 to begin much earlier than March 1, 2025.  Depending on the time DoD needs to adjudicate comments and the time OMB takes to review the draft rule, it is possible for it to be later, but it’s hard to predict how much later.

If my contract does not include DFARS 252.204-7020 can DIBCAC still come in for an assessment? – A. Co

James Goepel: The Defense Contract Management Agency (“DCMA”), DIBCAC’s parent agency, can audit contractor compliance with various contractual requirements at any time.  The -7020 clause specifically allows DIBCAC to determine whether the score you submitted to SPRS is valid.  But that does not preclude other audits.

If we use PreVeil, would we have an issue with being able to get the C3PAO eval, with there being, as Jim said, a chicken-and-egg problem? – T. An

Stuart Itkin: PreVeil has had several customers complete the JSVA process and have not had issues with working with a C3PAO. PreVeil also works with many of the certified C3PAOs and we’d be happy to share that list of C3PAO partners who work with us regularly.

Where does 7012 C-G fit in?  The rule states explicitly that it’s only using requirements in 171, but the draft CAP states that C-G apply. – B. Sa

Stuart Itkin: DFARS 252.204-7012 is where the requirement to satisfy NIST 800-171 exists.  7012 also has other requirements regarding reporting and flow downs. Some of these requirements are in paragraphs c-g.  Remember, you need to satisfy DFARS 7012 which includes 800-171 and other requirements.  The CAP is older and based on earlier visions for CMMC certifications.  As published in the proposed rule, CMMC is a certification of compliance with NIST SP 800-171.

The proposed rule specifically calls out 800-171R2, with R3 looming in the background. Do you think the final rule will mention the specific revision, or will/should it just mention 800-171, like 7012? – J. Ta

Stuart Itkin: We expect 800-171r2 to be the requirement initially and for some period of time. We expect DoD to create a transition plan for migrating from r2 to r3.  For reference, the migration from 800-53r4 to r5 for FedRAMP started almost 3 years after the release of 800-53r5.  Ideally, since the CUI program applies to the entire Executive Branch and a goal of the program is standardization of requirements across the government, CMMC should be tied to the same version of NIST SP 800-171 that is required in 32 CFR 2002 (the regulatory basis for the CUI program).  This would require NARA to update 32 CFR 2002 to provide an explicit migration path to newer versions of NIST SP 800-171, but that is certainly within NARA’s role in the CUI program.

If we say we do not comply with 800-171 and someone still sends us FCI or CUI, who is at risk? – T. S

James Goepel: It is the government’s information (or information the government is obligated to protect), so ultimately, the government owns the risk.  Digging a little deeper into your question, only CUI is subject to the NIST SP 800-171 requirements.  If you explicitly tell the government that you cannot handle CUI (i.e., that you do not meet the NIST SP 800-171 requirements), the government should not be sending you CUI.  The same is true for a prime contractor.  As a practical matter, this means they will likely exclude you from the corresponding contract, to avoid even potentially sending you CUI.

Flow down to subcontractors? We have direct contracts with government, 7012 applies to our contracts.  We also hire sub-contractors – at least one is not ‘computer savvy’... are we required to ensure the subs meet CMMC? Will they need a Level 2 certification? – J. We

Stuart Itkin: If you sub-contract other companies to perform work and those companies transmit, store, or process CUI, then the DFARS 7012 clause must be flowed down and they will require a CMMC L2 certification.  If you hire individual subcontractors who perform work as if they are your employees (i.e., a 1099), then they would be included in your CMMC assessment as CUI assets.

How will MSPs be required to be assessed if they don’t have work with the government or the DFARS like we do? – S. Mi

Stuart Itkin: MSPs will have to complete the same C3PAO assessment as an OSA/OSC and receive a CMMC Certification.  The MSP’s assessment boundary or scope will include all information systems, people, and facilities that would be considered either CUI Assets or Security Protection Assets in a client’s SSP.  Unlike JSVA assessments, CMMC assessments are not limited to only DoD contractors.  Any entity can contract with a C3PAO to obtain a CMMC certification.  Only DoD contractors’ certifications can be stored in eMASS, but that does not prevent MSPs and others from obtaining CMMC certifications.

Contractually, should the Prime be ‘certified’ before its sub? – S. Ri

Stuart Itkin: The requirement is that they are all certified at the time of award.

Is there a directory of service providers that are acknowledged as proficient with CMMC or is there visibility of the CMMC certified organizations? – A. Ca

Stuart Itkin: Unfortunately, there is not a directory.  I suggest you look at which service providers are making the effort to educate the DIB through webinars, blogs, social media.  These are the providers who are knowledgeable and committed.  When evaluating service providers, ask questions: Have they passed an 800-171 assessment with a score of 110? If they’ve been assessed but didn’t achieve 110, when do they expect to?  How many CCAs and CCPs work for them as W2s?  Who you choose matters.

What are NeoSystems’ plans to be CMMC level 2 certified? – D. Mi

Stuart Itkin: NeoSystems has completed an external C3PAO 800-171 assessment and will undergo a CMMC Certification Assessment at the earliest time after those assessments become available to MSPs.

It seems that, in the case of using an MSP to cover CMMC, an org would basically be non-compliant almost by default due to the timelines involved in achieving that certification. – M. Ha

Stuart Itkin: There are some timing issues that the government needs to work out.  This is why there is a comment period.  It provides an opportunity to identify issues like this and inform the government so they can address those issues.

As a 3rd party, using other vendors must mean they also comply with CMMC; would this not put a lot of different companies out? Essentially killing response time for manufacturing as a whole, which in turn means the Government/Military would also receive much less in a “reasonable” time? – B. Ri

Stuart Itkin: The DoD and Primes recognize the importance of those in their supply chains, especially SMBs, that is why they have been pressuring companies who are in the defense supply chain to begin paying attention to these cybersecurity requirements since at least 2017.  The government has identified resources to help these companies satisfy DFARS requirements. It is also likely that the government will have financial subsidies to help these companies.  [I’m not sure about the subsidies.  DoD has argued that doing so would unfairly benefit those who have procrastinated.]

Is there any clear definition of what an ESP/CSP is or is not?  i.e. – if a SaaS provider is providing remote access to your endpoints, would they need certification as well?  Is there any idea on what sort of metadata may or may not qualify as needing protection? – J. Bo

Stuart Itkin: Cloud computing is defined within DFARS 7010 as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.”

Does “MSP Verify certification” count toward a CMMC certification for an MSP? – D. Po

Stuart Itkin: There is no reciprocity between a Verify certification and a CMMC certification.

We use an MSP to provide personnel to work on our systems. We own everything, the MSP personnel brings in expertise but no outside equipment. Emails and information is retained on our systems. Does this MSP need to be certified at Level 2? – J. Jo

Stuart Itkin: The proposed rule refers to External Service Providers as “external people, technology, or facilities that the OSA uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers” and states that they can either be CUI or Security Protection Assets. It elaborates that security protection assets include consultants that provide cybersecurity service, managed service provider personnel who perform maintenance, and enterprise network administrators.  An MSP is in scope according to the Proposed Rule and will need to be CMMC Certified.

ESP vs CSP is confusing. Can you go into more detail on this? Most of these ESPs seem to be CSPs. – D. Le

Stuart Itkin: An ESP (External Service Provider) can be a Cloud Service Provider like PreVeil, a Managed Service Provider like NeoSystems, or a Managed Security Service Provider. An MSP will generally provide IT operations, system maintenance, and system monitoring support, among other services, and these services are generally delivered by people. Cloud Services refer to a wide range of services delivered on demand to companies and customers over the Internet.

If an ESP doesn’t process, store, or transmit CUI is it out of scope for Level 2 assessment? Same question for Level 1 self-assessment if ESP doesn’t process, store, or transmit FCI. – A. We

Stuart Itkin: If an ESP doesn’t store, process, or transmit CUI (is not a CUI Asset), and is not a Security Protection Asset, then it is out of scope. A cloud service that is a Security Protection Asset and not a CUI Asset is not required to meet the FedRAMP Moderate equivalency requirement.

Are tools/services like RMMs and SOCs considered CSPs? I have differing opinions on this. – D. Le

Noel Vestal: This depends on their role within your CUI scoping boundary. If the SOC and RMM are used in support of the controls (meaning, used to address any of the controls) it would be considered in scope. These are likely not going to be considered CUI Assets, but could be considered a CSP. If it is considered a CSP, then they must be FedRAMP ATO or equivalent.

Once you reach 110 – how often should I expect to recertify? – J. Ca

Stuart Itkin: A C3PAO certification assessment is required every three years.  A self-assessment and affirmation are required in years 2 and 3.

For government contracts that provide GFE or company laptops that access government VDI, should we expect that the CUI protection is on the government, and FCI would fall on the company? – J. Da

Stuart Itkin: More information about the use case would be helpful, but generally GFE and government VDI would not be your CUI assets.  And depending on the situation, you may have responsibility for enforcing who is given access and for physical protection of the work environment.

For MSPs, is there any minimum threshold they need to cross before they need to certify for CMMC? For example, would an MSP who doesn’t hold any unencrypted CUI be exempt? – E. Va

Stuart Itkin: An MSP would not be exempt. They are likely still a Security Protection Asset and will need to be certified at L2 (assuming you need to be L2 certified).

What is ESP? – J. We

Stuart Itkin: The proposed rule defines External Service Providers as: external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.

An ESP can be “external people, technology, or facilities that the OSA uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.” An ESP is in scope if it is either a CUI Asset or a Security Protection Asset. Cloud Service Providers (CSPs), Managed Service Providers (MSPs), and Managed Security Service Providers (MSSPs) are all ESPs.

What if your subconsultants are individuals, 1099s.  How would they comply? – L. Go

Stuart Itkin: If you hire individual subcontractors who perform work as if they are your employees (i.e., a 1099), then they would be included in your CMMC assessment as CUI assets.

When it comes to responsibility does it go towards the company or the individual who violates a certain ruling after they go effective? – T. An

Stuart Itkin: The company is the one that is responsible for seeing that DFARS requirements are satisfied.

If a CSP provides SaaS to a CMMC L2 OSC/OSA as an MSP, do both FedRAMP Moderate (or Equivalence) and CMMC L2 apply to the CSP? – D. Li

Stuart Itkin: More information about the use case would be helpful. Strictly, if the SaaS stores, processes, or transmits CUI, it must meet the FedRAMP Moderate equivalency requirement. If the same entity is providing managed services and qualifies as a CUI Asset or Security Protection Asset, it would need to be CMMC L2 certified.

MSSPs will need to be 800-171, but will all vendors we choose to do business with? – D. Ro

Stuart Itkin: Only service providers that store, process, or transmit CUI (are CUI assets) or that are Security Protection Assets will require CMMC Certification.

Where can the memo be obtained from, or what is the actual subject title? – S. Da

Noel Vestal: The FedRAMP Equivalency Memo: https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

What level is the MS 365 Government version at? – J. Re

Stuart Itkin: M365 GCC (government commercial cloud) can be used for categories of CUI that do not have CONUS data sovereignty requirements.  For categories of CUI, like ITAR data, that have data sovereignty requirements, M365 GCC-High is required.

Does using M365 GCC-H as your CSP cover the majority of controls required in NIST 800-171? – J. Fe

Stuart Itkin: Microsoft has published the Shared Responsibility Matrix for GCC-H as a placemat (https://www.microsoft.com/en-us/download/details.aspx?id=102536), and while it shows that GCC-H satisfies a number of requirements, it does so ONLY FOR GCC-H. Each cloud service will have its own SRM, and the OSA/OSC will likely have separate responsibility for a number of those controls.

Do you have general pricing information on suggested tools like FutureFeed (subscription vs. one time, etc.)? – C. Br

James Goepel: FutureFeed is a subscription-based service.  Pricing is available on the FutureFeed website (https://FutureFeed.co/pricing).  You are welcome to schedule time with one of our team members if you would like more information on pricing or have other questions: https://Calendly.com/FutureFeed-Team

Can we get a good example of body of evidence on a control?

James Goepel: As your question implies, assessment teams can’t just accept a contractor’s assertion that they comply with a particular requirement; they need proof, or a body of evidence, to back up the claim. That proof falls into three broad categories: Examine, Interview, and Test. Although all three types of evidence may not be required for every NIST SP 800-171 control/objective, having all three types of evidence available is a best practice.

Examine refers to documentary evidence, such as policies, procedures, plans, lists, screen captures of configuration settings, diagrams, and worksheets.  The documentary evidence should not only describe how the company expects to meet a particular requirement (e.g., through policies and corresponding procedures/plans), but also include evidence that the company is meeting those requirements.  For example, if a company expects to rely on its onboarding procedure as partial proof that it meets certain training requirements, the company should also have evidence which demonstrates that the procedure was followed (e.g., a worksheet, checklist, etc.) at appropriate times.

Assessment teams have the latitude to interview whomever they want as part of the assessment process, but as a practical matter, with certain limited exceptions, the assessment team will be most interested in interviewing those who are responsible and/or accountable for ensuring that a particular requirement is met.  In the onboarding example above, the assessment team might want to interview the HR Director about the procedure and HR team’s actions.

Test refers to validating that the contractor can actually perform everything.  That is, making sure that the evidence reviewed under Examine wasn’t fabricated.  The assessment teams expect people to be able to follow the processes (i.e., the policies, procedures, etc.) pretty closely during the testing phase.

I would be happy to discuss this in more detail if you’d like to reach out directly: JGoepel@FutureFeed.co

It’s important to know that a FedRAMP Equivalency still needs CMMC, vs. a FedRAMP Certified ATO does not. – C. Br

Noel Vestal: This is a common misunderstanding. The requirements for a CSP to be FedRAMP are far above the CMMC requirements, so no, a CSP would not need to have a CMMC certification completed. They would need either an ATO or to follow the FedRAMP equivalency steps outlined in the FedRAMP equivalency memo: https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf
Does a contractor who uses an Azure/M365 instance to P/T/S CUI in support of the DoD need to ensure their instance is FedRAMP Moderate Equivalent, or just ensure the contractor is abiding by the Shared/Customer Responsibility Matrix?

Stuart Itkin: Microsoft has stated that M365 GCC is required if there are no data sovereignty requirements for the types of CUI being handled. If there are data sovereignty requirements, GCC-H is required. Both GCC and GCC-H are FedRAMP High Authorized. Under DFARS 252.204-7012, contractors must ensure that any cloud service provider that P/T/S CUI is FedRAMP Moderate or equivalent. Simply abiding by an SRM/CRM is not sufficient, as the SRM/CRM does not guarantee FedRAMP equivalency.

If a CSP stores CUI, such as Deltek, does it need to be FedRAMP Moderate and CMMC?

Stuart Itkin: Any cloud service that stores, processes, or transmits CUI must satisfy the requirements of the FedRAMP Moderate baseline.

It sounds like the FR equivalency is much heavier than a real FedRAMP ATO. So if we have a FR ATO, would we be able to have POAMs?

Stuart Itkin: A FedRAMP ATO can be issued if there are no High findings. Moderate and Low findings are allowed, and these items will be retested at the next annual assessment.

If you are using a provider for just backing up your data in the cloud, is the provider required to be Level 2?

Stuart Itkin: Is the “provider” a cloud service? If so, and the backed-up data includes CUI, then the provider would need to be FedRAMP Moderate equivalent. A Managed Service Provider performing backups will need to be CMMC L2 certified.

I assume yes. But does an SBIR count as a new contract award?

James Goepel: Yes. Furthermore, since most SBIR contracts awarded by DoD are for the creation of new products or services with commercial or space application, they are likely to involve the creation of CUI.
We have a commercial ISP and email provider. Do we have to get a Level 1 certification from them due to possible FCI being sent over email? Do commercial providers provide that?

James Goepel: The proposed 32 CFR 170.19 reads, in part: “(3) CMMC Level 1 Self-Assessment scoping considerations. To scope a CMMC Level 1 Self-Assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within its environment that process, store, or transmit FCI.” Since the ISP’s job is to connect your environment to the Internet, in most cases they would not be considered “within [your] environment” and therefore they likely will not be part of the scope. By contrast, the E-mail provider is processing E-mails on your behalf. They would therefore be considered “within your environment”, and thus in scope, for the assessment, meaning that their system must meet the CMMC Level 1 requirements. Many major E-mail providers have already published descriptions of how their services meet not only CMMC Level 1 but also the requirements for CMMC Level 2 (see, e.g., Microsoft’s Product “Placemat” for CMMC, available at https://www.microsoft.com/en-us/download/details.aspx?id=102536). You should carefully review that information when choosing, or choosing to stay with, a provider.
Within the CMMC Proposed Rule, Security Protection Assets are defined (to include categories), but no specific examples are mentioned. For SPA Technologies, what are specific examples (i.e., Firewalls, Authenticators, DLPs, etc.)?

Stuart Itkin: SPAs provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI. Cloud services, hosted VPNs, SIEM solutions, and firewalls are examples.

I thought Joint Surveillance involved a coordinated audit approach between the DIBCAC team and a C3PAO.

Stuart Itkin: That is correct. The C3PAO is working under the supervision of the DIBCAC.

If a company receives documentation (a blueprint, for instance) and it’s NOT labeled CUI, does all of this still apply? Even if it’s from a Prime Contractor? Does the receiving company need to deem it CUI even if it isn’t labeled?

Stuart Itkin: 32 CFR 2002 uses two terms, designate and mark, when referring to CUI. Designation is determining whether information falls within the scope of a corresponding law, regulation, or government-wide policy and thus should qualify (i.e., be “deemed”) CUI. Only federal agencies have the authority to designate information as CUI. When information is created that has been designated as CUI, the person creating that information is required to mark that information as CUI using the marking information provided by the agency. Although the CUI program has existed since 2008, many federal agencies have only begun rolling out their CUI programs in the past few years. Training the millions of federal personnel and contractors who handle CUI is a lengthy process. Thus, while there are marking requirements, there is much CUI that goes unmarked, unlabeled. If a company receives information they think might be CUI, the company does have a responsibility to treat it as CUI but is not authorized to designate or mark it as CUI. Instead, the company is expected to ask its prime contractor or the government to confirm whether the information has been designated as CUI and, if so, how it should be marked. Jim Goepel’s books CUI Fundamentals and CUI Informed have more information on this.

We are supposed to work it into the budget… but DOD chooses the least-priced contractor… what can a small business do to help with costs?

Stuart Itkin: The government has stated that CMMC will level the playing field for small businesses. Since all will need to satisfy the requirements to be eligible to receive an award, all should have a similar set of costs.
Any updates on FIPS validated cryptography?

James Goepel: Not at this time. The Final Public Draft of NIST SP 800-171 Rev.3 has removed the explicit FIPS 140-2 requirement that is in NIST SP 800-171 Rev.2, but it may creep back in through some agencies’ ODPs (see, e.g., 3.13.11).

And to add another piece to this, there is a specific call-out, at this time, in the CMMC proposed rule that states it will be based on Rev 2.

Can the costs be included as part of contract costs?

Stuart Itkin: The government has stated that CMMC related costs will be allowable costs, but specifics have not been provided. DoD has indicated that the cost of meeting the requirements defined in NIST SP 800-171 is expected to be included in a contractor’s G&A rates. At one time, DoD indicated that the cost of a CMMC certification might be directly allowable. However, you should consult with an attorney or accounting professional who is familiar with your particular situation because there are many subtleties to cost allowability.

Are the 110 requirements and other things available somewhere?

Stuart Itkin: Yes. These are defined in NIST Special Publication 800-171 Rev.2, which can be downloaded from https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final. When you perform your self-assessment, be sure to not only assess your compliance with the 110 requirements, but also the corresponding “objectives” that are defined in NIST SP 800-171A (available from https://csrc.nist.gov/pubs/sp/800/171/a/final) for each requirement.

Assuming the final ruling stays on track with the timeline, is it true that all contracts that currently include DFARS 7021 will then carry the new assessment requirement, or will the government contracting office need to specifically state that on contract renewals? And for all new contracts that carry DFARS 7021, must they adhere to the 3 phases? Or will there be a new DFARS number that will carry the new rules?

James Goepel: DoD was very careful to not include DFARS 252.204-7021 in contracts, even though that clause technically went through rulemaking and could have been included in contracts. We expect to see the -7021 clause appear in new contracts beginning on the effective date of the updates to the -7021 clause (which still have not been published in NPRM/IF form). In 32 CFR 170.3, DoD indicated that, as part of Phase 1 (i.e., beginning on the effective date of the revised -7021 clause), “DoD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.”
What are the major costs that can be recovered?

James Goepel: This is a complex question. Your best bet is to speak with an accountant or attorney who is familiar with government contracts. As a general rule, the cost of implementing the cybersecurity requirements can be folded into your G&A rates. DoD has previously stated that the cost of a CMMC 3rd party assessment may be directly allowable, but you’ll want to track how you allocate that expense to avoid double-billing DoD for the cost of the assessment (e.g., where you use the same IT system to safeguard information from multiple contracts).

You can find more information about allowability in FAR 31.201-2 (https://www.acquisition.gov/far/part-31#FAR_31_201_2) and from a variety of online sources.  Again, due to the nuances of cost allowability, your best bet is to work with an attorney or accountant who can specifically advise you on this.

Cost = This happens every 3 years. As soon as you get certified, you better get started on the next certification because it’s not a “one and done”.

Stuart Itkin: Yes, there are costs associated with achieving compliance and costs associated with maintaining compliance.

Can an MSP partner with companies like PreVeil? How could that work for an MSP who may have clients that need CMMC status?

Stuart Itkin: Yes, an MSP could partner with a company like PreVeil. The MSP will need to be CMMC Certified at L2 if you are required to certify at L2.

For a company under 25 people, when using an MSP, what are the average monthly maintenance costs for operations within CMMC compliance?

Stuart Itkin: I would need some additional information to provide a meaningful answer. For example, are there servers supporting other business applications that will need to be supported and maintained, are you using physical or virtual endpoints, and what services will the MSP be providing? I would be happy to talk with you offline. Stuart.Itkin@NeoSystemsCorp.com

The processes are easy compared to the required annual training from the Center for Development of Security Excellence, which is so difficult for our hourly employees that it consumes a large amount of time. Implementing these items is very inefficient, considering that CMMC 1.0 never took off yet. How much more time do we have to waste before DoD gets their stuff figured out and in place?

Stuart Itkin: Public comments, which are being accepted through February 26, 2024, are the means to raise such issues with the government.

If I use Exostar to manage my self-assessment, does that help me with not having to pay a C3PAO to assess my implementations?

Stuart Itkin: No, the use of Exostar or a GRC tool like FutureFeed does not eliminate the need to have a C3PAO CMMC Certification assessment. The use of such a tool, however, should help you in being prepared for an assessment.

When is the US Government going to pony up for some of these COSTS!!!! I have yet to hear anyone talk or advocate for this extremely important point as a small manufacturer who is supporting the larger Primes and DOD Contractors.

Stuart Itkin: No specifics yet. This is a topic of discussion for this year’s NDAA. Public comments, which are being accepted through February 26, 2024, are a good means to raise such issues with the government.
Can we get an email referencing how to determine allowable cost from DoD?

James Goepel: This is a complex question. Your best bet is to speak with an accountant or attorney who is familiar with government contracts. As a general rule, the cost of implementing the cybersecurity requirements can be folded into your G&A rates. DoD has previously stated that the cost of a CMMC 3rd party assessment may be directly allowable, but you’ll want to track how you allocate that expense to avoid double-billing DoD for the cost of the assessment (e.g., where you use the same IT system to safeguard information from multiple contracts).

You can find more information about allowability in FAR 31.201-2 (https://www.acquisition.gov/far/part-31#FAR_31_201_2) and from a variety of online sources.  Again, due to the nuances of cost allowability, your best bet is to work with an attorney or accountant who can specifically advise you on this.

The cost of Microsoft 365 and GCC High is well over 100k.

Stuart Itkin: There are alternatives that can work for some contractors. For example, PreVeil, a sponsor of the webinar, offers a solution that can be more cost-effective than implementing GCC High throughout an organization.

You mentioned CMMC est. Mar 2025. What is the reasoning for this date? Isn’t it possible the rule is released by the end of this year?

Stuart Itkin: It is possible that the final rule could be published before the end of 2024. No one’s crystal ball is that good, however, especially when it comes to the government. 333 is the average number of days adjudication periods have typically taken. We think March 2025 is a realistic estimate, but again the actual date will depend on how fast the government moves.

How should OSCs handle the MSP question in the meantime until there is clarification from DOD?

Stuart Itkin: I suggest making sure your MSP has had and passed an 800-171 assessment with a 110 score, and if less than 110, ask when they expect to achieve 110. Ask if they have clients that have passed DIBCAC High assessments. Ask for documentation.

We are having a DIBCAC High assessment (they notified us, not our choice). Can this also be turned into a Joint Surveillance Assessment?

Stuart Itkin: DIBCAC High Assessments and Joint Voluntary Surveillance Assessments are originated by different parties. JVSAs involve an authorized C3PAO while DIBCAC High Assessments do not. The best path for you is to ask. 32 CFR 170.20 indicates that “…OSCs that, prior to the effective date of the rule, have achieved a perfect score on a DCMA DIBCAC High Assessment with the same scope as a Level 2 CMMC Assessment Scope are eligible for a CMMC Level 2 Certification Assessment” (i.e., a CMMC certification).

I am a one-man LLC working a DoD contract; the Army gave me a GFE laptop for CUI and I use DoD SAFE and PreVeil for traffic that needs to be encrypted. My company email is Google Suite based. I assume Level 1 is enough?

Stuart Itkin: It could be. If all CUI resides on government systems and is only accessible through your GFE, then the answer is likely yes. If you receive CUI via Gmail, you may want to consider PreVeil.

And check your contract. If you are a sub to a prime with the DFARS 7012/7020 clause, you could be expected to be CMMC Level 2.

With relation to 800-171, companies can self-assess for a basic assessment. But if CMMC certifications are required for Lvl 2 and are so costly, is the DoD taking into consideration barriers to entrance for small new companies attempting to bid on contracts?

Stuart Itkin: The DoD and Primes recognize the importance of those in their supply chains, especially SMBs. The government has identified resources to help these companies satisfy DFARS requirements. It is also likely that the government will have financial subsidies to help these companies.

Does NeoSystems assist its clients in recording their scores in SPRS?

Stuart Itkin: NeoSystems can guide a client through the process of submitting a score.

Am I understanding the SPRS answer correctly, that we should have two attestation entries in SPRS, one for Level 1 and one for Level 2 if required for L2?

Stuart Itkin: It may be the case, if the scope of your FCI boundary and CUI boundary are different, that you will need a separate L1 assessment. For L1 there is no SPRS score; all items need to be scored as “MET”.

As a subcontractor to a Prime that has flowed down the DFARS 7012 clause, what is the subcontractor expected to provide to the Prime when the Prime wants to validate compliance? Are we required to provide the SSP, process documents, etc.? Doing so would create a risk to the subcontractor since the data would be outside of their control. What is the minimum documentation or such that is needed to meet the Prime’s request?

Stuart Itkin: Different Primes ask their subs for different information. Personally, I would never share my SSP. Primes can request that a subcontractor provide and attest to the current score entered into SPRS.

For questions related to this webinar content, please contact Don Carnevale, Marketing Director (571-748-3809).
