DOD releases self-assessment guide for CMMC level one compliance

By Sara Friedman  / December 15, 2021

The Defense Department has published a revised guide for level one of its Cybersecurity Maturity Model Certification program, detailing the practices companies must implement and how they can demonstrate compliance by conducting a self-assessment of their security measures.

The level one self-assessment guide reflects changes made to the program in CMMC 2.0. Under the revamp, the Pentagon eliminated the third-party assessment requirement for level one and will require companies to self-attest annually.

Level one is focused on the protection of federal contract information (FCI) and has 17 practice requirements across six domains: “Access Control”; “Identification and Authentication”; “Media Protection”; “Physical Protection”; “System and Communications Protection”; and “System and Information Integrity.”

The 17 practices are a subset of the security requirements in NIST Special Publication 800-171, which details how contractors should protect controlled unclassified information (CUI), and the guide is largely based on the assessment procedures outlined in NIST Special Publication 800-171A.

The self-assessment guide provides assessment objectives for each control, potential assessment methods and objects, and a further discussion to provide more details on “practice intent” and examples on applying the practices. It also provides questions for potential assessment considerations.

The publication describes how the self-assessment fits into the revamped CMMC 2.0:

An annual Level 1 self-assessment, with an accompanying senior company official affirmation of compliance in the Supplier Performance Risk System (SPRS), asserts that a contractor is meeting all the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21. Contractors should use the self-assessment methods as defined in this guide. Once a contractor has self-assessed and finds they are in compliance with Level 1 practices, other entities (e.g., government sponsors and prime contractors looking to hire subcontractors) have increased confidence that the contractor meets CMMC Level 1 practices.

A contractor can be in compliance with CMMC Level 1 practices for an entire enterprise network or for particular enclave(s), depending upon where the FCI is or will be processed, stored or transmitted.

Contractors can choose to perform the annual self-assessment internally or engage with a third-party to assist with evaluating their Level 1 compliance. Use of a third-party to assist is still considered a self-assessment and does not result in a certification.

DOD is expected to release an updated version of its level two assessment guide this month, which revises requirements previously in CMMC level three of the old model.

Reactions to scoping guidance

The level one self-assessment guide directs users to DOD’s CMMC scoping guidance publication to determine what “assets that process, store and transmit FCI are considered in-scope and should be assessed against CMMC Level 1 processes.” The Pentagon published scoping guides for levels one and two on Dec. 3.

Industry stakeholders surveyed by Inside Cybersecurity called the scoping guides “essential” to the ongoing development of the program, while also identifying areas where more clarity is needed.

“Companies are working right now to prepare for the future [Defense Federal Acquisition Regulation Supplement] requirements, so this type of information is critical to making the right decisions today. The scoping guide is very direct that it is subject to change because it is not policy. We shouldn’t count on the guide to remain completely unchanged, but even if the guides change over time, they are foundational enough to help companies move in the right direction,” said Leslie Weinstein, a specialist leader at Deloitte.

However, Caleb Leidy, a former assessor at DOD, said, “Neither guide provides much detail on ‘out-of-scope’ assets. I believe the definition they give for identifying out-of-scope assets is something that was already understood throughout the industry, and doesn’t provide a lot of ‘guidance’ to truly make the determination.” Leidy currently works as a consultant at Pivot Point Security.

CyberNINES president Scott Singer commented, “At Level 1 in the scoping guidance a comment is made that ‘because FCI is a broad category of information, the contractor will likely focus the self-assessment on their entire environment.’ This is broad guidance and I feel there should have been more focus on an FCI Enclave as DOD points to the Levels as being cumulative. What does cumulative mean in practice here when FCI is less sensitive than CUI?”

Singer continued, “At Level 2 I have a major concern with the category of ‘Specialized Assets.’ It is very unclear to me if a CNC is in scope or not in scope. ‘CUI Assets’ definition would say the CNC machine is in scope but under ‘Specialized Assets’ you could make the case that it is not in scope. This to me is a huge hole that needs clarification.”

Peak InfoSec CEO Matthew Titcombe also weighed in on the asset categories: “I think [DOD] added massive confusion and interpretative confusion between the C3PAO, Assessor, and OSC. This area feels rushed and without walking through use cases.”

When it comes to future updates, Titcombe said he wants to see “use cases that explain how to apply” the scoping guidance “against real world examples that are developed by those of us in the field with DOD.”