[title Latest Developments in
CMMC Certification – May, 2020

Amid the national and global crisis of COVID-19 (Coronavirus), the demand and focus on cyber security remains constant. Government institutes are continuously working towards take security defensive measures against the increasing cybercrimes against defensive supply chains. In this article, we will talk about the latest advancements in cyber security sector.

Cybersecurity Maturity Model Certification (CMMC)

On March 18, 2020 the department of defense (DoD) released a version 1.02 that was updated and corrected version of the CMMC Model. According to the updated version of CMMC model the DoD contractors and their supply chains must implement all the systems and procedures that are required for a certification. The level of cybersecurity requirements and the data that DoD contracts and subcontracts can handle depend on the level of certification.

Recently, DoD Acquisition Council opened a regulatory case to establish a clause for the addition of CMMC certification requirements in the council’s acquisitions. In order to measure a company’s maturity and institutionalization of cybersecurity practices and processes. An establishment rule was provided by DAR Case 2019-D041. This rule enables the DoD institute to assess the security requirements implemented by DoD contractors for the compliance of NIST SP 800-171.

Office of Information and Regulatory Affairs (OIRA), is currently reviewing the proposed rule of DFARS at the Office of Management and Budget. Before issuance in the Federal Register, OIRA will carefully assess the rule and rulemaking process to find any problems and concerns, so that they can be addressed properly before the issuance of the rule. If major problems or concerns do not arise in the rulemaking process, then this rule may be issued as a proposed rule. However, issuance of this rule can remain uncertain because it has to go through proper rulemaking and comment procedures.

Following is the published schedule CMMC roll-out:

January 2020: Establishment of CMMC-Accreditation Body (CMMC-AB).

June 2020: Training of certifiers and issuance of ten pilot requests for information.

September 2020: Issuance of pilot Requests for Proposals (RFPs).

Afterwards: Awarding contracts containing CMMC provisions.

These pilot awards require specific levels of CMMC certifications for the contractors who want to receive these pilot awards. These contracts along with their supply chains will also have to ensure that their performance include Controlled Unclassified Information (CUI) with the proper level of certifications to receive pilot awards. However, as the uncertainty grows due to the COVID-19 crisis, the implementation and schedule of certifications and awards may suffer.

CMMC-Accreditation Body (CMMC-AB)

For certification purposes CMMC-AB which will establish the standards, training, and processes for government audit contractors because of the Memorandum of Understanding (MOU) of CMMC-AB with the Department of Defense (DoD). CMMC-AB will know establish the vetting process, any certifier body will have to go through this process and after the successful completion of the process eligible certifying bodies will be granted the title of CMMC Third Party Assessment Organizations (C3PAOs).

Despite of the fact that there are no official C3PAOs programs released by CMMC-AB yet, a couple of certifying bodies or companies are now claiming to be C3PAOs. According to their claim they can provide the CMMC certification needed to contract with the DoD in coming months. Since there is no official program or training released by CMMC-AB, the claims are these companies are questionable. A more sophisticated approach will be to wait for the proper CMMC marketplace launched by CMMC-AB that will list all the officially certified C3PAOs.

It is best to stay clear of such companies that are claiming to be already certified, these companies may be able to assist in general compliance and security areas but it is not realistic that they will successfully provide any CMMC level of certification. As for cybersecurity reasons, it is believable that such unofficial companies may gain access to sensitive information or systems of the company for their own malicious personal agendas.

For a regular monitoring solution CMMC-AB published a RFP On April 22, 2020 that was called for responses by May 1, 2020 and anticipated selection of a solution by May 8, 2020. This monitoring solution released by CMMC-AB was not recognized by the CMMC for a number of reasons. Because this monitoring solutions upon implementation caused many security issues on multiple levels including government, contractors, sub-contractors and supply chains. CMMC did not identify this solution because it posed privacy, security and un-authorized access risks to both government and contractor bodies.

Defense Contract Management Agency (DCMA) Cybersecurity Audits Continue

Based on the cybersecurity clause DFARS 252.204-7012 until the implementation of the CMMC is complete DCMA will continue to conduct its cybersecurity audits of the Defense Industrial Base (DIB) including the followings:

  • Safeguarding Covered Defense Information
  • Cyber Incident Reporting
  • DCMA Contractor Purchasing System Review Guidebook
  • Appendix 24
  • National Institute of Standards and Technology (NIST)
  • Special Publications of a revised 2 NIST 800-171 issued in February 2020 that focus on protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Controlled Unclassified Information (CUI)

In 2017, to address agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI the Federal Acquisition Regulatory (FAR) established a case FAR Case 2017-016. According to this FAR case, the Civilian Agency Acquisition Council is currently awaiting concurrence as rule proposed by FAR has been drafted.

As CUI triggers the application of the cybersecurity standards, it has been years since the contractors are waiting for the rule. To understand what type of cyber security is required in different situations proper knowledge and implementation of CUI is required. Proper implementation of CUI can provide valuable information to contractor regarding the affected systems and required levels of information security.

All the elements of security we discussed in this article, when combined will work together to enhance the cybersecurity defensive measures of DoD. All these security measures are specifically designed to enhance the security of both government and contractor bodies when implemented correctly.

InterSec offers CMMC Audit Readiness Services

• Ground up CMMC compliance

• Maturing from one CMMC level to the next

• Gap analysis

• Validated Assessment

• Advisory Services

• Professional Services

• Audit ready artifacts

• Audit Support

• Managed Security Services for ongoing CMMC compliance

Time is running out on CMMC compliance. We can help you jumpstart your CMMC journey. Please get in touch with us today at inquiries

Mohammad K.

Security Blogger at InterSec,Inc.


compliance, cmmc