Amira Armond’s Post

𝐓𝐡𝐞 𝐂𝐨𝐧𝐭𝐫𝐚𝐜𝐭𝐨𝐫 𝐬𝐡𝐚𝐥𝐥 - - (these quotes from the proposed 48CFR Rule that is releasing tomorrow) "Have a current CMMC certificate or current CMMC self-assessment at the following CMMC level, or higher: ____________ [Contracting Officer to fill in the required CMMC level];" "Only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract, or higher;" "Notify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract; " "Ensure all subcontractors and suppliers complete and maintain on an annual basis, or when changes occur in CMMC compliance status (see 32 CFR part 170), an affirmation of continuous compliance with the security requirements associated with the CMMC level required for the subcontract or other contractual instrument for each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract. " "Prior to awarding a subcontract or other contractual instrument, ensure that the subcontractor has a current CMMC certificate or current CMMC self-assessment at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor." Also introduces unique IDs for assessed information systems, to prevent gaming the system. "(2) Contracting officers shall require the apparently successful offeror to provide the DoD UID(s) applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.”   “DoD unique identifier means an alpha-numeric string of ten characters assigned within the Supplier Performance Risk System to each contractor assessment, with the first two characters indicating the confidence level of the assessment.” Link to text: https://lnkd.in/dnpwiStQ #CMMC

Good info here on the 48CFR rule that drops tomorrow and is then followed by a 60-day comment period. There are changes to DFARS parts 204, 212, 217, and 252 - including changes to 252.204-7021 for contractor compliance with the requisite CMMC Level requirements. Of note, clause 252.204-7012 appears unchanged. https://lnkd.in/gabgWQzh

"(b) Requirements. The Contractor shall— (1)(i) Have a current CMMC certificate or current CMMC self-assessment at the following 𝐂𝐌𝐌𝐂 𝐥𝐞𝐯𝐞𝐥, 𝐨𝐫 𝐡𝐢𝐠𝐡𝐞𝐫: __________ [Contracting Officer to fill in the required CMMC level]; and ... (2) Maintain the CMMC level required by this contract for the duration of the contract for all information systems, used in performance of the contract, that process, store, or transmit 𝐅𝐞𝐝𝐞𝐫𝐚𝐥 𝐜𝐨𝐧𝐭𝐫𝐚𝐜𝐭 𝐢𝐧𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧 (𝐅𝐂𝐈) 𝐨𝐫 𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐝 𝐮𝐧𝐜𝐥𝐚𝐬𝐬𝐢𝐟𝐢𝐞𝐝 𝐢𝐧𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧 (𝐂𝐔𝐈); (3) Only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment 𝐚𝐭 𝐭𝐡𝐞 𝐂𝐌𝐌𝐂 𝐥𝐞𝐯𝐞𝐥 𝐫𝐞𝐪𝐮𝐢𝐫𝐞𝐝 𝐛𝐲 𝐭𝐡𝐞 𝐜𝐨𝐧𝐭𝐫𝐚𝐜𝐭, 𝐨𝐫 𝐡𝐢𝐠𝐡𝐞𝐫;" ----------- This is from the proposed 48CFR #CMMC Rule. The text above would be placed into contracts as CMMC rolls out (unless modified in response to comments). Do you see the problem with the wording? If the contracting officer fills in "Have a current CMMC certificate or current CMMC self-assessment at the following CMMC Level, or higher: 𝐂𝐌𝐌𝐂 𝐋𝐞𝐯𝐞𝐥 2"... then (2) and (3) essentially say that the contractor will keep 𝐚𝐥𝐥 𝐝𝐚𝐭𝐚 related to the contract (𝐢𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐅𝐂𝐈) on a CMMC Level 2 system. Is it a mistake? I hope so. The language goes against all verbal explanations given so far by the DoD. Remember, all this time, they've been saying that a CMMC Level 1 system is for FCI, and a CMMC Level 2+ system is for CUI. I would have expected language like "will maintain CMMC Level 1 on all systems that store, process, or transmit FCI, and will maintain CMMC Level ___(2 or 3)__ on all systems that store, process, or transmit CUI for this contract." If the DoD does plan to go forward with that language, it poses a major problem for companies that plan to build a VDI enclave to handle CUI while keeping FCI on their main corporate system (with a Level 1 self-assessment). I don't see any instruction to C3PAOs to verify the location of FCI during CMMC Level 2 assessments however. So dishonest companies would be able to self-attest that all of the FCI related to the contract is kept in the CMMC Level 2 system without worrying about a private sector assessor snooping around. Credit to Vincent Scott for pointing out this problem a few days ago. Want to read the rule yourself? It is published in the Federal Register here: https://lnkd.in/eUbKc8BH The DoD is accepting comments until 10/15/2024. ------ Kieri Solutions - Authorized C3PAO offers CMMC Level 2 assessments and preparation services.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, finalized by the U.S. Department of Defense (DoD) in October 2024, introduces specific requirements for defense contractors and their supply chains to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In recent conversations with current clients and prospective clients there is still confusion on their part about whether they will be required to attain Level 1 or Level 2 CMMC compliance if they are merely a subcontractor in a DoD contract. The short answer is 'YES' due to Flow Down requirements. Supply Chain Flow down Requirements: CMMC requirements apply to prime contractors and subcontractors at all tiers that process, store, or transmit FCI or CUI. This ensures that cybersecurity standards are uniformly implemented throughout the supply chain. Prime Contractor Responsibilities: Prime contractors are responsible for ensuring that their subcontractors comply with the appropriate CMMC level. This involves assessing the type of information handled by subcontractors and verifying their certification status. For more information about CMMC Flow Down as implementation begins in early 2025, check out this article by Alex Major and Phillip Lee with McCarter & English (excerpt below): "As explained earlier, the CMMC Program applies to prime contractors and subcontractors at all tiers performing under a DoD contract that requires a contractor’s information system to process, store, or transmit FCI or CUI. Prime contractors must require subcontractors to comply with and flow down the applicable CMMC requirements, permeating all relevant tiers. The Final Rule provides that “when” in the performance of a subcontract: A subcontractor will only process, store, or transmit FCI (and not CUI), a CMMC Level 1 (self-assessment) Status is required. A subcontractor will process, store, or transmit CUI, a CMMC Level 2 (self-assessment) Status is a minimum requirement. A subcontractor will process, store, or transmit CUI and the prime contractor must hold a CMMC Level 2 (C3PAO) Status, the subcontractor must also hold a CMMC Level 2 (C3PAO) Status as a minimum requirement." https://lnkd.in/gZPdAfUw #CMMC #FCI #CUI #NIST #DOD

Heads up! The 48 CFR rule, which integrates CMMC requirements into defense contracts, is set to be published in the Federal Register tomorrow, August 15th, 2024, kicking off a 60-day public comment period. Summary of key points and timing: 1. Implementation of CMMC 2.0 Requirements: - The Department of Defense (DoD) is proposing amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements. - CMMC 2.0 provides a framework for assessing and ensuring contractor compliance with cybersecurity requirements within the DoD supply chain. - The 32 CFR rule proposes phased implementation over three years, after which the requirements will apply to all DoD contracts involving the processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 2. Phased Rollout: - During the first three years, CMMC 2.0 requirements will be included in specific contracts as directed by the CMMC Program Office. - The CMMC requirements will be enforced in the DoD contractual vehicles by the provisions in 48 CFR concerning DFARS 7021 implementation. - After three years, the requirements will apply universally to all relevant DoD contracts. 3. Certification Timing: - The CMMC certification must be in place at the time of contract award, and contractors are required to maintain this certification throughout the life of the contract. - CMMC levels will be specified in solicitations and contracts, and contractors must have the required certification level posted in the Supplier Performance Risk System (SPRS) before a contract can be awarded or an option exercised. 4. Impact on Contractors: - The 32 CFR and 48 CFR rules will apply to a broad range of contracts, including those below the Simplified Acquisition Threshold (SAT) but above the micro-purchase threshold. - Small businesses will be affected, with specific estimates provided for the number of entities impacted in each phase of the rollout. 5. Public Comments and Final Rule: - The 48 CFR proposed rule will be published on August 15, 2024, with a 60-day period for public comments. The final rule will be developed based on feedback and further analysis. Timing: - August 15, 2024: The 48 CFR proposed rule will be published in the Federal Register. - 60-Day Comment Period: Stakeholders can submit comments and feedback during this period. - Three-Year Phased Implementation identified by 32 CFR: The rollout of the CMMC 2.0 requirements will occur over three years, with full implementation expected by 2027. You can view the upcoming publication here:(https://hubs.li/Q02LhGxF0).

https://lnkd.in/g-ZdysY4 Lead CMMC Assessor Epic Tip of the Month - Sub-Contractor (SubK) Flowdowns - BLUF: As a Prime or SubK what does the Final Rule indicate? The vast, talented and handsome GSI research team put this together for a client, we figured others had the same question. It's a bit lengthy, so have a coffee or RedBull...Prime Contract Requires CMMC L2 with Attestation pre-award: Yes - We are required to include the CMMC Level flow down clause in all SubK contracts. Sample Flowdown Decision Diagram: SubK's process CUI: Yes - CMMC L2 flowdown required and SubK affirms compliance with CMMC L2 - The DoD expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoD contracts. SubK doesn't process CUI: We/other SubK's should "refrain" from sharing CUI with them-marked CUI isn't shared-period; however other information required to perform the contract can be shared. First and foremost, our contract determines the level required. If we/subK handle CUI (FCI included under CUI as a lesser protected data set), we need to attain a CMMC L2 self-attestation or C3PAO affirmed attestation.  The Prime or Organization Seeking Assessment (OSA) determines the flowdown requirements of the subK's, which could be CUI (CMMC L2) or FCI (CMMC L1).  We have the responsibility, based on the contract, to assign the appropriate information safeguarding level.  The DoD expects the Prime to flowdown the least level burden possible to their SubK's. We can't validate a subK's SPRS status, DoD won't provide the means to do it. CMMC Final Rule: The 48 CFR part 204 CMMC Acquisition rule, when finalized, will allow DoD to require a specific CMMC level in a solicitation or contract. When CMMC requirements are applied to a solicitation, Contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance. Furthermore, the appropriate CMMC certification requirements will flow down to subcontractors at all tiers when the subcontractor processes, stores, or transmits FCI or CUI. It should be noted the Department may include CMMC requirements on contracts awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming effective, but doing so will require bilateral contract modification after negotiations.

Some analysis of the proposed CMMC rule that will be posted tomorrow, i.e., August the 15:th: - According to the proposed rule A contractor officer will not be allowed to award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the results of a current certification or self-assessment for the required CMMC level when a CMMC level is included in the solicitation or contract. - After the phase-in period, CMMC will apply to all DoD solicitations except those exclusively for COTS items. That is a clarfification on that commercial products or commercial services will will also be in scope involving processing, storing, or transmitting FCI or CUI. - Note that the proposed CMMC rule does not stipulate any closeout period. This is stated in the 32 CFR proposed rule for CMMC Program: "Selected requirements are allowed to have a POA&M that must be closed out within 180 days of the l assessment (see § 170.21 for details on POA&M)." which stipulates 1) at least a score of 88, and 2) AC.L2-3.1.20, AC.L2-3.1.2, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5 and SC.L2-3.13.11 (if it has a value of 1 or 3) is in the POA&M. - CMMC certification will require a DoD UID. "...in SPRS for each DoD UID applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract...". One need to think twice and maybe good if DoD clarified it, because a DIB may not have the infrastructure processing and storing FCI and CUI at the same geographical site as the operation, e.g., if a DIB consumes CSP services or have on-prem solution but at a different site. - One part that is also well worth to notice is: "Require the contractor to notify the contracting officer of any changes in the contractor information systems that process, store, or transmit FCI or CUI during contract performance and to provide the corresponding DoD UIDs for those contractor information systems to the contracting officer.". So will DoD drown in notice that one have implemented security patches? Maybe good if they review "any changes". I can understand what they want to achieve, but would it not be better "any changes that affected compliance to NIST 800-171 controls"? Link to unpublished CMMC Proposed rule: https://lnkd.in/dSM7jT7N #CMMC #CUI #FCI #NIST #DFARS #DOD #NIST800171

Another good read for the holidays! Today the three #ESAs published the #RTS on #subcontracting under #DORA. Adeguate #ThirdPartyRiskManagement is one of the main pillars of DORA (and recent events confirm this…). Now the set of RTS and #ITS is complete, waiting for the adoption of the #EU, looking to the 17th of January when DORA will apply. #digitaloperationalresilience #cyber #cyberresilience #cyberrisk #TPRM #thirdparty #outsourcing #vendors #supplychain https://lnkd.in/dcqAVRhj

Acquisition policy, domestic preferences and critical materials, national security, industrial base and small business, and cyber security and AI matters are discussed in this article. https://smpl.is/a0al0

Based on the proposed rule (which may be revised before it becomes final), IT Managed Service Providers (MSP) will be required to pass an assessment at the same level as required by their defense contractor client, or the client will fail their assessment. #contractor #compliance #MSP