The Department of Defense’s (DoD) new cybersecurity standard for contractors – Cybersecurity Maturity Model Certification (CMMC) – cleared two significant steps at the end of September 2020. It completed the interagency review process, and then the DoD published the interim version of the CMMC Defense Federal Acquisition Regulation Supplement (DFRARS) rule change, which initiated a 60-day comment period for the public. However, the latter of these two developments was met with some surprise and frustration by industry and those following the CMMC program.

Understanding the nuance between ‘interim final’ and ‘final’

Firstly, the DoD has published an interim final rule, which will come into effect at the end of November 2020 – following the comment period. Typically, rules are posted as a proposed draft and then published as a final rule only after the public comments are considered, which was not the case in this instance. As an interim final rule, the rule is in essence already in effect before – and thus regardless of – any comments from the public, and the final rule will likely be no different from what it is now. And once finalised, the rule can and will start appearing in RFPs/RFQs – though it’s expected that a CMMC clause will be included sparingly and strategically at first.

Interim, final, and with additional certification requirement

The second outcome from the publishing of the interim final rule is that it also introduces an additional certification requirement – defence industrial base (DIB) contractors will be required to certify compliance with NIST 800-171. Companies that are deemed ‘Basic’ can self-certify – this is the case right now expected to be the majority of the DIB – whilst assessments for those companies deemed ‘medium-’ and ‘high-risk’ contractors will be “completed by the government.” Self-attestation to NIST 800-171 is already a requirement for defence contractors, but now the government can inspect compliance with this set of controls more carefully.

CMMC responsibility becomes the ownership of Primes

One thing that has now been clarified through the interim final rule is where CMMC responsibility lies in the prime-subcontractor relationship. Primes will own responsibility for determining the CMMC level required by their subcontractors and ensuring that their subs are certified accordingly. Prior to awarding to a subcontractor, the contractor shall “ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.”

What this means for Primes and subcontractors as they prepare for official CMMC assessments

Now a step closer to the full implementation of CMMC and with greater scrutiny on NIST 800-171 compliance, greater attention will now be focused on establishing baseline assessments of compliance with these frameworks and beginning to prepare for official assessments. At Titania, we continue to track developments related to CMMC and build partnerships with those organizations seeking to provide CMMC and NIST 800-171 services. Official CMMC Registered Provider Organizations (RPO) or internal network security teams can assess their network devices for compliance with 33 of the CMMC Network Device Security Practices across the following eight Domains:

• Access Controls (AC)

• Audit & Accountability (AU)

• Configuration Management (CM)

• Risk Management (RM)

• System & Communications Protection (SC)

• Asset Management (AM)

• Identification & Authentication (IA)

• Security Assessment (CA)

Taking just minutes to set up and generate accurate reports, Nipper automates the line-by-line analysis of your device configuration and operating system data, detecting precise security and compliance risks.

Already in service with all four arms of the DoD, Titania Nipper is trusted to automate the configuration assessments of core network devices against DISA STIG and CIS benchmarks to prove compliance with risk management frameworks such as NIST RMF, NIST CSF, NIST 800-53/800-171 and CMMC. Indeed, Nipper’s proven accuracy advantage is estimated to save the DoD up to 3 hours per device not investigating false positives reported by other compliance tools.

For more information on how Titania can automate CMMC compliance assessments for your organization or clients, and to download a mapping summary of those CMMC security practices that can be assessed using Nipper, visit our CMMC Solutions page.