DOD Issues “Draft Version 0.7” of Its Cybersecurity Maturity Model Certification (CMMC), Leaving Many Questions Unanswered

Miles & Stockbridge P.C.

On December 13, 2019, DOD issued “Draft Version 0.7” of its Cybersecurity Maturity Model Certification (CMMC) to the public.  Version 0.7 is a 190-page document, compared to the 90-page Version 0.6 issued in November of this year.  Most of the increased length of Version 0.7 is attributable to two new appendices providing “Discussion and Clarification” for CMMC Levels 2 and 3.  The new information in Version 0.7 does not, however, address many fundamental questions associated with the CMMC initiative.

Background

As discussed in a prior blog, DOD has relied on contractor self-attestation of compliance with the cybersecurity clause at DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”  However, DOD has concluded that steps taken to date are not enough and that the level of contractor compliance is unsatisfactory.  As such, DOD launched the CMMC initiative this year, which includes the goal of using CMMC third-party assessment organizations (C3PAOs) to audit the entire DOD supply chain based on five maturity levels ranging from basic to advanced cyber hygiene.  The level required for each procurement will (at some point) be specified in RFIs and RFPs.  Unless a higher level is specified, all contractors must meet CMMC Level 1.  DOD also is working to establish a non-profit “Accreditation Body” that will grant accreditations to the C3PAOs.  

Draft Version 0.6

DOD issued Draft CMMC Version 0.6 in November 2019.  As with Version 0.4 (issued on September 5, 2019), Version 0.6 used a CMMC Model framework that categorized cybersecurity best practices within “Domains,” which were segmented by a set of “Capabilities,” which in turn were further broken down into “Practices” and “Processes.”  Practices measure the technical activities required to achieve compliance with a given capability requirement, while processes measure the maturity of a company’s processes.  Version 0.6 significantly reduced the Model size, modified the Practices and Processes, and provided clarifications and examples for CMMC Level 1.  Version 0.6 noted that updates to Levels 4 and 5 would be provided later because DOD was still addressing public comments it received in response to Version 0.4.

Version 0.7

Version 0.7 includes 17 Domains and 43 Capabilities.  Appendix A of both Versions 0.6 and 0.7 consists of a chart showing, for each Domain and Capability, the Practices associated with Levels 1 through 3.  However, the chart for Version 0.7 – unlike the chart for Version 0.6 – lists Practices for Levels 4 and 5 as well.  Version 0.7 includes a total of 173 Practices for all five levels.  As noted in CMMC slides recently produced by DOD, Version 0.7 reduced the number of Practices for Levels 4 and 5 by 52% by removing 46 Practices.  Version 0.7 lists 9 Processes for Levels 2 through 5 (0 Processes for Level 1).  Versions 0.6 and 0.7 both include an Appendix B covering “CMMC Level 1 Discussion and Clarification.”  However, Version 0.7 adds new Appendices C and D covering Discussion and Clarification for Levels 2 and 3, respectively.  Version 0.7 also includes a new Appendix E, “CMMC Maturity Process Discussion and Clarification,” discussing the 9 Processes.  The new Appendices C through E account for the increase in length from Version 0.6 (90 pages) to Version 0.7 (190 pages), with Appendix C (73 pages) accounting for most of the added length.  DOD’s recent slides include a summary of changes from Versions 0.4 through Version 0.7.  

The CMMC Schedule

Version 0.7 states that DOD is planning to release CMMC Version 1.0 at the end of January 2020.  DOD’s recent CMMC slides include a chart entitled “Draft CMMC Development Schedule” setting forth other key dates, including the establishment of the Accreditation Body, and a Memorandum of Understanding between that Body and DOD, in January 2020; the start of accreditations of C3PAOs in March 2020; and the start of assessments by C3PAOs in June 2020.  Previously, the schedule in Version 0.4 stated that “CMMC Rev.1” would be included in RFPs in the Fall of 2020.  It is difficult to see how DOD can meet that deadline.  Even assuming that C3PAOs are able to begin conducting assessments of contractors in June 2020 – which is questionable – they will not be able to complete assessments of all 300,000 organizations in the Defense supply chain by the Fall of 2020.  

Open Questions

Version 0.7 leaves open the following questions raised in the prior blog post:

  • How will DOD determine specific Levels for each procurement?
  • How long will it take to become certified at each Level, and what will those processes entail?
  • How long will a certification Level assigned to a contractor remain valid?
  • What rights will contractors have to disagree with/appeal from assessments by certifiers?
  • Will CMMC apply to grants and cooperative agreements?


Conclusion

As with Version 0.6, DOD is not going through the formal rulemaking notice and comment process in the Federal Register for Version 0.7.  However, DOD has opened a new DFARS Case, No. 2019-D041, entitled “Strategic Assessment and Certification Cyber Security Requirements.”  The synopsis states:  “Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the [NIST SP] 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  Although this information does not specifically mention CMMC, DOD has indicated that CMMC will be addressed as part of the DFARS Case.  While we wait for DOD to issue a proposed rule for public comment, the Department is plowing ahead with the CMMC initiative and all its moving parts.  Stay tuned for further developments.  

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.
