September 2020
The CMMC Interim Rule and the Assessment Process
As mentioned in the last few articles, the compliance requirement for businesses working with the DoD is the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is designed to protect Federal Contract Information (FCI), which is by default in all federal government contracts, and controlled unclassified information (CUI), which is often technical information. Both classes of information are not in the public domain; they are provided by the government or may be produced by the defense contractor. The framework consists of five levels, with each higher level incorporating increasing levels of security. These levels are based on practices that are grouped into 17 domains. At the basic level, Level 1, there are 17 practices across six domains; at Level 5, there are 171 practices spread across all 17 domains. The goal is for all 300,000 companies in the defense supply chain to be audited and certified compliant to one of the CMMC levels by 2026. The CMMC compliance certification will be a baseline requirement: with the appropriate certification level, a company will have access to DoD contracts; without certification, a company will be deemed unqualified.
The last several articles discussed the CMMC Level 1 practice requirements. As mentioned, Level 1 will be the most common level, constituting about 80%, or 240,000 companies, of the defense supply chain. This discussion will focus on Level 1 assessments. As described above, all contractors will be assessed, and all will have to be certified to the level that corresponds to their contract. It is possible that a contractor with multiple contracts may have different CMMC requirement Levels. In this case, the contractor will need to be certified at the highest level, and by default, the contractor will meet the lower-level requirements.
On September 29, 2020, the DoD submitted the interim rule (Docket DARS–2020–0034) for the Defense Federal Acquisition Regulation. The interim rule begins to put into place the CMMC framework requirements. This is another step toward CMMC requirement implementation. As mentioned, this is a slow rollout of the requirement, one that is referred to as crawl-walk-run. We are now in the crawl phase, with the CMMC requirement slowly moving into actual contract requirements. The organization that is managing this process is called the CMMC Accreditation Body (AB). The CMMC AB is a non-government, non-profit entity that constructs and manages, with the DoD, what is called the CMMC ecosystem: the assessment standards and the standards for assessors, educational material, trainers, accredited consultants, etc. It is the government that sets the practice requirements for each CMMC Level. It is then the CMMC AB, working with the government, that sets the standards for how these requirements are met. It is the CMMC AB that manages the assessment process through certified service provider organizations. These service providers provide individuals who are certified to perform training, consulting services, and on-site assessments. It is important to note that the same provider organization is prohibited from assisting with consulting and then conducting an assessment on the same company.
In terms of the assessment process, a company that needs an assessment for CMMC certification will contact a Certified 3rd Party Assessment Organization, which will then assign an assessment team for the assessment. Once the assessment is completed and passed, the Certified 3rd Party Assessment Organization will send the assessment results to the CMMC AB for review and the certification of the company. The CMMC AB will not conduct assessments; this is the domain of the assessment organizations. The CMMC AB will be responsible for managing and ensuring the integrity of the process.
The interim rule outlines a cost estimate for assessment preparation, the assessment itself, and, to some degree, sustainment. These are general cost estimates, based on very low labor rates and few labor hours. A premise of the DoD in this exercise is that companies are currently in compliance with many of the requirements. This is an assumption due to the fact that all companies working under federal contracts must already be in compliance with current system security or cybersecurity requirements. Essentially, in terms of recognizing the cost of compliance, if a company has not met these past requirements, it will not get credit for meeting them now. The bottom-line estimated cost for CMMC Level 1, including preparation and assessment, is about $3,000. The assumption is that the organization is already performing at Level 1. Note too that the labor rates are low; the hourly rate for a Level 1 assessor is $83.32/hour; you cannot get someone to change a light bulb at that rate. The hours may be reasonable: 14 hours of company support for the assessment and 19 hours for the assessment itself. In real life, the assessment cost will be higher by about $1,000 or more. To get ahead of these costs, start working on compliance now.