In this episode of Cherry Bekaert’s GovCon podcast, Neal Beggan is joined by cybersecurity professionals Steven Ursillo and Brian Kirk for a comprehensive deep dive into the current state of Cybersecurity Maturity Model Certification (CMMC) compliance. 

They discuss how 48 CFR will reshape the enforcement of cybersecurity requirements in government contracts. This episode breaks down what the 48 CFR rule means, how it connects to DFARS and 32 CFR, and what contractors should be doing now to stay ahead of the rollout.

Listen to learn more about:

  • The definition of CMMC and why it matters
  • An overview of 48 CFR
  • 48 CFR timeline and rollout
  • Potential readiness and compliance challenges and how to overcome them
  • Action items to prepare for 48 CFR

The conversation includes:

  • 0:37 – Introduction to CMMC: What It Is and Why It Matters
  • 4:32 – Finalization of the 48 CFR Rule
  • 12:50 – Challenges, Obstacles & Pain Points in Readiness and Certification
  • 27:16 – Operational Challenges, GRC Tools and Assessment Readiness Tips
  • 32:19 – Ecosystem Growth & Capacity
  • 35:22 – Key Takeaways & Action Items
  • 37:42 – Upcoming Events & Learning Opportunities

NEAL BEGGAN: Hello and welcome to the Cherry Bekaert GovCon podcast, where we discuss current government contracting trends, compliance matters, and best practices to guide federal contractors forward.

My name is Neal Beggan. I am a partner and the DC market leader with Cherry Bekaert.

Joining me today are Steve Ursillo and Brian Kirk, leaders in Cherry Bekaert’s Digital Advisory and Cybersecurity group, who are heavily focused on meeting the needs of our government contracting clients.

Today we are going to continue to talk about CMMC, which had a recent update earlier this month. Before we get to that, let me first thank Steve and Brian for joining me.

Steve, I am going to start with you. I am assuming if people haven't been living under a rock, they know what CMMC is.

For purposes of this podcast, what is it and why does it matter?

STEVE URSILLO: Thanks, Neal, and welcome everybody. The Cybersecurity Maturity Model Certification (CMMC) has been gaining traction over the past few years and has continued to evolve.

It is on the radar for many folks within the defense industrial base. The CMMC certification originated from the need for the evolution and maturity of validation regarding DFARS 252.204-7012 requirements for protecting Controlled Unclassified Information (CUI).

It was developed by the Department of Defense (DoD) to ensure that contractors and subcontractors within the defense industrial base are properly controlling and securing CUI.

DFARS 7012 has been around since approximately 2017. It has taken a bit of a form over time that requires organizations to self-assess against the NIST SP 800-171 requirements.

Over time, these self-assessments were formalized into the Supplier Performance Risk System (SPRS) so the DoD could get adequate scores that provided transparency on where contractors were in meeting those requirements.

With CMMC, the DoD recognized a need for consistency and further validation from organizations applying a consistent standard against the NIST SP 800-171 criteria.

Through a timeline we will discuss further, they are expecting organizations to adhere to different levels of certification. Because the threat landscape is evolving, any threat to CUI would have a material effect on our national defense.

It would impact our technological advantage and military capabilities. There is an increased need to ensure we defend that within the supply chain.

This expectation will cascade from primes down to subcontractors. It is necessary to ensure security and mitigate the latest threats.

This is applicable to prime and subcontractors, as well as the cloud service providers and managed service providers they use. We are expecting much more traction on this.

The framework itself is based on three levels. Level 1 focuses on basic safeguarding of Federal Contract Information (FCI) and is typically done through a self-assessment.

Level 2 involves the protection of CUI and requires full adherence to NIST SP 800-171. This will be bifurcated into either a self-assessment or a third-party certification.

We expect to see very little, if any, of those self-assessments for Level 2. While organizations will receive a certification once every three years, they will still be required to self-assess annually.

Level 3 is a more advanced level that includes everything within Levels 1 and 2, as the requirements are cumulative. It focuses on protection against advanced persistent threats.

This level will be handled by the DoD directly as part of an enhanced assessment.

NEAL BEGGAN: That is excellent, Steve. I appreciate that. You covered what CMMC is, the framework, why it was created, and who needs it.

I alluded to some big news that came out earlier this month regarding the 48 CFR rule. Brian, I want to go to you to unpack that a little bit.

I will warn the audience that there are a lot of numbers and letters to get through. Brian, could you talk about the finalization of the 48 CFR rule we learned about earlier this month?

BRIAN KIRK: Yeah, thanks, and it is great to be with you. The 48 CFR is essentially known as the acquisition rule.

This gives contracting officers the authority to enforce CMMC requirements in solicitations and contracts. 48 CFR integrates CMMC into the DFARS specifically through clause 252.204-7021.

It works in conjunction with another rule that was published to the Federal Register in October of last year, 32 CFR Part 170. That rule went into effect in December.

The 48 CFR is the acquisition rule that complements the 32 CFR rule that stands up the CMMC program. It allows contracting officers to enforce CMMC requirements through contracts.

32 CFR Part 170 defines an implementation phase that contracting officers will follow as they designate CMMC levels into contracts. Within the contracts themselves, the contracting officer will specify the CMMC level required for the award.

Those levels are based on the attributes of the information that will be processed, stored, and transmitted on covered contractor information systems.

A DoD memorandum issued in January of this year provided additional clarification around the CMMC levels, the phased implementation process, and the waiver process.

It includes important information that will help organizations identify what level they might expect. For example, it states that the minimum assessment requirement will be a third-party assessment if the contract requires the contractor to process, store, or transmit CUI categorized under the National Archives CUI Registry.

If you go to the NARA CUI archives, there is a specific category for defense that includes certain CUI types. This includes controlled technical information, DoD critical infrastructure security information, and naval nuclear propulsion information.

Controlled technical information is the most common type. As Steve mentioned, Level 2 self-assessments are expected to be rare because much of the information involved in DoD contracts is controlled technical information.

Regarding the timeline, the DoD submitted the final rule to OIRA for review on July 22nd. OIRA completed this review and cleared 48 CFR on August 25th.

Currently, the rule is being prepared for publication to the Federal Register. The unknown is what the effective date will be.

If we look at 32 CFR, that rule had a 60-day waiting period. It is expected that the 48 CFR rule will go into effect quickly, likely between one and 60 days after publication.

Everyone is in a wait-and-see mode right now. Once 48 CFR goes into effect, it will start the phased rollout process where contracting officers can insert CMMC requirements into contracts.

There are four phases in the rollout process that will span four years. Phase 1 begins when 48 CFR goes into effect and involves Level 1 and Level 2 self-assessments.

The DoD has the discretion in Phase 1 to include Level 2 third-party assessments in contracts, though we expect most to be self-assessments.

Phase 2 begins one year after Phase 1. This is when Level 2 third-party assessments become mandatory for new contracts or renewals.

Phase 3 begins two years after 48 CFR goes into effect. This is when the DoD will start to roll out Level 3 assessment requirements.

To get a Level 3 assessment from the government, you must first have a Level 2 certification assessment from a C3PAO. You then take that certificate to the government for the Level 3 assessment.

Phase 4, which begins three years after Phase 1, is essentially the full implementation across all applicable DoD contracts.

The big implication for contractors is that they must have the appropriate CMMC level in place before a contract award.

Next, prime contractors are responsible for ensuring their supply chain is compliant. For subcontractors, this is a big impact that may make the phased rollout by the DoD moot.

Prime contractors have a responsibility to make sure their supply chain is secure. We have already seen primes starting to require subcontractors to obtain a CMMC Level 2 certification by a specific date.

They want to ensure their supply chain is compliant when they eventually receive those requirements in their own contracts.

NEAL BEGGAN: I appreciate that, Brian. This is a flow-down clause with huge impacts for subcontractors, but also responsibilities for primes.

It will influence decisions when primes are looking at who to engage with on pursuits. You talked about the timeline and the phased rollout.

I will provide the answer I am sure you would give: this is not an excuse for someone to wait four years to start the CMMC path. We have seen many challenges over the last couple of years.

I want to touch on some of those challenges around scoping, identification of CUI, and the use of third parties. Steve, I am going to start with you regarding the pain points organizations are facing.

STEVE URSILLO: The path to success varies depending on an organization's maturity. Some have more maturity in their cybersecurity and info-sec processes, making it a potentially easier lift.

The NIST SP 800-171 requirements are not new, and many folks have been performing self-assessments against them since 2017. However, there has been inconsistency.

Many organizations have self-assessed in a favorable fashion, but when you unpack CMMC requirements and the scoping guide, you learn there are nuanced elements that require a deeper dive.

We are seeing organizations that scored favorably on self-assessments have to revisit those scores during CMMC readiness. Those scores have been materially different from the original settings.

Additionally, we sit on both sides as a C3PAO and a readiness provider. We have found that many organizations seeking certification are not making it out of Phase 1.

Assessors find clear showstoppers in the documentation that require the organization to go back to the drawing board. This is here to stay, and people need to step in.

Regarding technical elements, many organizations try to isolate their CUI boundaries by having an enclave or a segregated environment to minimize scope.

This is a challenge for manufacturing plants where you must have hybrid environments. These systems and specialized equipment process CUI to facilitate contractual requirements.

Dealing with the boundaries and flow of CUI in hybrid environments is a significant challenge. The required asset classification with CMMC is also critical.

Whether an asset is a CUI asset, a security protection asset, a contractor risk-managed asset, or a specialized asset, there are prescriptive rules for each.

Requirements cascade down to the network and other elements of the environment based on those classifications.

We have also seen struggles with logical segregation between CUI and non-CUI environments. There are nuanced challenges in the rules regarding what logical segregation actually means.

Some organizations use Virtual Desktop Infrastructure (VDI) to isolate environments, but depending on the nuances, there could be challenges as to what gets brought into scope.

Endpoints accessing cloud enclaves are often thought to be out of scope, but if they are used to store, process, or transmit data without logical segregation, they are brought into scope.

Another consideration is External Service Providers (ESPs). This could be a Managed Service Provider (MSP) helping an organization manage cybersecurity.

The question is whether they store or handle CUI or just security protection data. These ESPs may need their own certification or, at a minimum, must participate in the CMMC assessment.

If you use a Cloud Service Provider (CSP) to store, process, or transmit CUI, they require FedRAMP certification or a FedRAMP Moderate equivalent assessment.

Brian, if you want to comment on identification, labeling, and System Security Plans (SSPs), that would be good.

BRIAN KIRK: CMMC requires robust documentation, specifically the System Security Plan. The SSP is the backbone of any CMMC certification assessment.

We have seen that some SSPs lack detail and fail to address the assessment objectives defined within NIST SP 800-171A and the CMMC Level 2 Assessment Guide.

Many contractors stopped at the 110 requirements of NIST SP 800-171 and did not look at the assessment objectives in 171A. They must ensure implementation details are described for each objective.

Key terms like "defined," "specified," and "identified" have explicit meanings. If you see those terms, it means something must be documented in a list, database, or inventory.

A common pitfall is identifying authorized users. Many contractors just refer to Active Directory. While that is a main source for access management, the assessment objective requires a separate listing.

The assessor will look at the list of identified users and then verify it against Active Directory.

Additionally, some data flow diagrams and network boundary diagrams lack the specific details for an assessor to understand how CUI data flows.

CUI identification and labeling is also a major challenge. Many contractors do not know what is CUI in their environment.

Ultimately, it is the DoD’s job to identify CUI. Information is only CUI if the DoD says it is.

If you receive data you suspect is CUI but is not labeled, you must ask the contracting officer. Once designated, the contractor is responsible for applying the correct markings.

We recommend against self-marking. Do not assume information is CUI and apply labels; instead, confirm with the contracting officer.

If a contractor expects information to be CUI, they cannot send it to anyone who is not an authorized holder.

If you do not hear back from the contracting officer within seven to ten business days after inquiring, you at least have some documented effort to confirm the status.

On the flip side, if you receive marked information that should not be CUI, you can push back and ask for clarification.

Contractors should receive a Security Classification Guide (SCG) that lays out what attributes make the information CUI. In many cases, an agency may realize information was mistakenly classified.

Finally, pay attention to limited dissemination controls, as these can restrict where you can send CUI data.

NEAL BEGGAN: That is a lot of information. Scoping issues, getting the SSP right, and CUI identification are huge components.

Steve, let's talk about operational challenges and some GRC tools that folks are finding useful. What are some tips for organizations preparing for these assessments?

STEVE URSILLO: Any assessment starts with a sound readiness process. It is important to understand where you are in your journey and if your self-assessment follows the lines of the law.

Ensure scoping boundaries align with the guides and that you have proper network diagrams and asset inventories. Knowing the flow of CUI is vital so you can show the assessor the boundaries.

I strongly encourage mapping each requirement to the SSP so you know if anything is missing. It only takes one unmet sub-requirement to fail the entire requirement.

Many clients take advantage of a mock assessment after doing readiness. This helps them understand the types of questions and evidential matter an assessor will expect.

We also have clients where we help them with different types of workflow formalities, including Governance, Risk, and Compliance (GRC) tools.

These tools allow for day-to-day workflow management, making the program sustainable over several years. You don't want to do an audit and then not touch anything for three years.

Regarding GRC tools, they are not a requirement, but they can operationalize efficiencies and streamline communication.

However, be careful of over-reliance. You cannot just give the auditor access to the tool and expect them to click a few buttons.

The auditor must still validate that the evidential matter is accurate, complete, and comes from the raw source.

Brian, it is probably important to give folks an idea of the ecosystem and what is happening with delays in certification.

BRIAN KIRK: We are seeing bottlenecks in the ecosystem regarding certification assessments. Much of this is due to the early nature of CMMC.

The acquisition rule will go into effect soon, which starts the clock for the DoD rolling out requirements.

There are bottlenecks due to the number of authorized C3PAOs and certified assessors. Currently, there are 79 authorized C3PAOs.

While more are coming on board, it is a trickle rather than a fire hose. Becoming a C3PAO is a long process that requires a DIBCAC assessment against CMMC Level 2.

The DoD estimates that over 80,000 contractors will require a Level 2 third-party assessment. With only 79 authorized C3PAOs, you can see where the bottlenecks come from.

C3PAOs currently have about a three-to-six-month waiting list. As a contractor, you should reach out and plan for your assessment as soon as you possibly can.

NEAL BEGGAN: Steve, can you give us some key takeaways and action items to wrap things up?

STEVE URSILLO: This has been a long process over the last four or five years. We are clearly moving in a direction where it is not a matter of "if," but "when."

I highly encourage folks to stay aggressive on their path toward certification. Engage with a readiness provider sooner rather than later to understand your scope and boundaries.

The overall foundation needs to be agreed upon so there are no challenges in the eleventh hour.

Engaging with a C3PAO early also has benefits. While they cannot provide advisory services due to independence requirements, getting on their schedule early will help you avoid the capacity constraints of the ecosystem.

NEAL BEGGAN: Brian, any upcoming events or learning opportunities for our audience?

BRIAN KIRK: Next month in October is the CS5 Summit at the National Harbor. Cherry Bekaert will have a team there, so please come by and say hi.

In November, we have a webinar scheduled for November 4th, which will count for CPE credit. I also recommend following updates from the Cyber AB and listening to their monthly town halls.

NEAL BEGGAN: I appreciate both of you for joining today. This was a highly technical podcast with valuable information.

Many people are still navigating the CMMC waters, and we encourage them to reach out to us at cbh.com.

Thank you to everyone for listening. We hope you join us again for our next podcast.

Steven J. Ursillo, Jr.

Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Cybersecurity

Director, Cherry Bekaert Advisory LLC