Level 1 – More Problematic than You may Think
As we rapidly conclude 2022, that would indicate that 2023 is about to commence. So what is so special about 2023? If you take a walk with me back to late 2021, when the Cybersecurity Maturity Model Certification (CMMC) 2.0 came out, the information provided by the U.S. Government supported that a final rule on CMMC related matters would be ready for codification between 9-24 months. Seemed like forever and as we have seen in the government contracting community (GovCons), an attitude of “Meh, its years away if it ever even happens” took over. Information as early as Spring of 2022 telegraphed the ruling is expected in March of 2023; that is now just three months away.
So, have the majority of GovCons prepared themselves for CMMC? Of course not, but why? There are several reasons; some are legitimate, but most are egregious violations of contract provisions between the GovCon and the Department of Defense. So, what are some of the “legitimate” reasons?
1) When GovCons speak with their Government contracting officials on CUI related matters, they are usually ill-equipped to respond, which doesn’t provide a lot of confidence to the GovCon.
2) According to remarks made by the DoD CISO, about 80,000 companies will need to be independently certified and about 120,000 will be able to self-certify at Level 1, which is designed for Federal Contract Information (FCI) only.
What’s Even Needed for Level 1?
So, lets focus on the companies that “believe” they are at Level 1. What is even necessary at Level 1 since it is self-attested?
1) Conformance with 17 security controls derived from NIST SP:800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations.”
Whoa?! I am at Level 1. I don’t even have CUI, so how is this applicable?
This is only the start of where public perception is disconnected with reality.
CMMC Level 1 clearly states the manner in which one demonstrates conformance with 17 of the 110 controls from NIST SP:800-171.
Isn’t there a NIST SP:800-171 “light” for FCI? The short answer is “no.”
2) Even at Level 1, Primes and some Government Acquisition personnel are requiring SPRS scores – which are a means of self-assessing your own organization against all 110 controls for Level 2.
3) Having a System Security Plan (SSP) is a Level 2 control, yet Level 1 organizations are still obligated to have it. Why? DoD self-assessment guidelines clearly stipulate that if you do not have an SSP you cannot effectively define your score.
Now let’s say you have an SSP and you score yourself against all 110 controls, but in the cases where the control clearly calls out CUI, is it okay to not deduct points because it is not applicable?
If you ask the DoD, they will say no. So once again, a Level 1 firm must show conformance with a Level 2 objective.
Putting a Target on Your Back
Level 1 firms will be allowed to self-attest but in so doing, they may open themselves up to a false claims act if they do not fully understand what they are attesting to. For example, CMMC 2.0 now allows for Plans of Action and Milestones (POAMs). Think of a “get well plan;” however, even at Level 1, there are some controls you cannot have a POAM for. So, if you attest you conform with Level 1 and have a POAM for a control that is not allowed to have a POAM in the first place, you are now willfully misrepresenting your compliance, which could likely constitute an unfair and deceptive practice to obtain a Government contract and therefore qualify under the false claims act.
To learn more how you can avoid these pitfalls and have a business justified and cost-effective approach towards CMMC conformance, contact SoundWay for a free consultation by emailing us at CMMC@soundwayconsuting.com.