Cybersecurity and Compliance: The truth about CMMC 2.0 and NIST SP 800–171r2

Ron McFarland PhD
9 min read · Apr 29, 2022


Over the past several months, I’ve received several calls and emails from vendors about CMMC 2.0, which will ultimately replace the NIST SP 800–171r2 and NIST SP 800–172 (discussed later in this article). The issue: some vendors are taking advantage of the confusing governmental rules and the related cybersecurity compliance work needed to protect the supply chain. I decided to write this article to share my perspective on the confusion surrounding the upcoming CMMC (Cybersecurity Maturity Model Certification) version 2.0, or CMMC 2.0, and the NIST (National Institute of Standards and Technology) SP (Special Publication) 800–171r2, or NIST SP 800–171r2.

I’ve worked in the cybersecurity field for a few decades. Yes, that dates me. Even more so, I started out in information and database security, which is now the old-school terminology that has been replaced by the broader term cybersecurity.

I now work in the industry sector that is governed by the DFARS rules and regulations (i.e., the Defense Federal Acquisition Regulation Supplement), which are the rules surrounding many organizations that do business with the Federal Government. The cybersecurity requirements of DFARS are embodied in the NIST (National Institute of Standards and Technology) Special Publication (SP) 800–171r2, which is NIST’s write-up of the cybersecurity compliance rules stated in DFARS. Yes, this sounds confusing, and it takes time to figure out what the government means and needs for both cybersecurity compliance (following the rules) and cybersecurity risk management (doing the work).

As some background, in September 2020 the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period. A few important facts about CMMC 1.0:

• The basis of CMMC 1.0 was the NIST SP 800–171, which supported the DFARS regulations to protect “Controlled Unclassified Information (CUI)” and “Federal Contract Information (FCI)”.

• Tier 3 of the original CMMC 1.0 5-tier model was roughly equivalent to the SP 800–171 controls.

• Tiers 4 and 5 incorporated additional controls from SP 800–172, ISO 27001 and the CIS (Center for Internet Security) Controls.

History Lesson

History lesson! CMMC 1.0 was modeled after Carnegie Mellon University’s (CMU) Software Engineering Institute’s (SEI) “Capability Maturity Model (CMM)”. This is a lot of acronyms, but the bottom line is that the CMM was designed as a way for organizations to transform software quality. This transformation is expressed in a 5-phase model: an organization assesses which phase it is in (for example, phase 1: Initial) and works on its processes to move upward on the software quality spectrum, with phase 5: Optimizing being the highest level of achievement. The CMM model by the Software Engineering Institute (at CMU) is shown below:

Figure 1: CMU SEI CMM (Capability Maturity Model)

Carnegie Mellon University, Johns Hopkins University, and several other partner universities worked with the Department of Defense to define the new CMMC model. Academics used the existing CMM model as a basis for CMMC 1.0, which embodied the 110 controls expressed in the NIST SP 800–171r1 as well as another 40+ controls derived from other sources, including the Center for Internet Security (CIS) Critical Security Controls. This caused quite a bit of confusion, mostly because DoD’s manufacturers and suppliers were just getting to understand the NIST SP 800–171r1 set of 110 controls.

Someone at DoD must have had a “Come to Jesus” moment and realized that CMMC 1.0 was not workable, mostly due to ‘usability’ issues. In my opinion (take this with a grain of salt), the original CMMC 1.0 design was a wonderful academic exercise and resulted in a robust cybersecurity compliance and risk mitigation model. BUT the designers failed to involve the users of the model. So, the CMMC 1.0 model failed because of the lack of usability.

In dialing back the CMMC 1.0 model, DoD (again, IMHO) realized that their focus should be on the users (manufacturers and suppliers) and that the real goal was protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). If you’re not familiar with CUI and FCI, that’s a longer conversation. Suffice it to say that, generally, CUI and FCI are ‘sensitive’ contract information that needs protection from prying eyes, including many nation-state actors that would love to get their hands on DoD manufacturing and supply information.

DoD realized that the focus should be on the manufacturers’ need to understand what data can be protected, how to protect it, and how to comply with DoD’s regulations (DFARS), in contrast to the fantastically ‘overbuilt’ security model embodied in CMMC 1.0. The users were simply ignored.

So, in March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. The bottom line is that DoD tacitly admitted their errors with CMMC 1.0.

To address this, DoD dialed back the CMMC 1.0 model and created an enhanced (yet ‘dialed back’) CMMC 2.0 model. In essence:

• The 5-tier CMMC 1.0 model was too confusing to implement.

• Manufacturers and suppliers to the DoD did not generally understand the transition from SP 800–171 and SP 800–172 to CMMC Level 3, and were additionally concerned about Tiers 4 & 5.

• The implementation timetable was not clear and appeared to be more than 2 years. So, the implementation schedule caused consternation among manufacturers and suppliers.

The ‘roll back’ from a 5-tier to a 3-tier model

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

• Safeguard sensitive information to enable and protect the warfighter

• Dynamically enhance DIB cybersecurity to meet evolving threats

• Ensure accountability while minimizing barriers to compliance with DoD requirements

• Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience

• Maintain public trust through high professional and ethical standards

• Basis: SP 800–171 and SP 800–172

Comparing CMMC 1.0 and 2.0

As noted before, the CMMC 1.0 model was comprised of 5 levels and included 171 practices (and controls), which embodied the NIST SP 800–171r1 controls (110 controls). The additional 60+ controls confused suppliers/manufacturers, so the CMMC 2.0 model was released. The CMMC 2.0 model contains 3 levels: it embodies the NIST SP 800–171r2 (the newer version) in Levels 1 and 2 and adds the NIST SP 800–172 to support Level 3. The model, as described by DoD (OSD), is shown below:

Figure 2: DoD (OSD) CMMC 1.0 vs CMMC 2.0 model

Looking deeper into the CMMC 1.0 vs. CMMC 2.0 model, DoD noted that the 2.0 model (a) is a more streamlined model (moved from 5 levels to 3), (b) will result in more reliable assessments (clearer understanding by manufacturers and suppliers), and (c) will result in flexible implementation (that is, Level 1 is accomplished first, then Level 2, etc.). A table representing these changes is shown below:

Figure 3: Key Changes from CMMC 1.0 to 2.0

Rulemaking and the CMMC 2.0

One of the things that upsets me is that vendors state the immediate need to be CMMC 2.0 compliant — right now! And many of these vendors charge quite a bit. In my opinion, they are the snake oil salesmen of the compliance era. That is, it is my opinion as an expert in the field that organizations can work directly with the NIST SP 800–171r2 on their own (first), hire a consultant to verify their NIST SP 800–171r2 work, and ignore the CMMC 2.0 salespeople for now.

The rulemaking for CMMC 2.0 will be implemented in CFR (Code of Federal Regulations) 32 and 48, which probably will not be addressed by the US Congress for at least 18 months. So, in effect, CMMC 2.0 is not an active item, whereas the NIST SP 800–171r2 is. Vendors have been marketing the ‘urgent’ need for CMMC 2.0 when it has yet to be addressed in CFR 32 and 48. In summary:

• The changes reflected in CMMC 2.0 will be implemented through the rulemaking process (CFR 32 & 48).

• Companies will be required to comply once the forthcoming rules go into effect (anticipated 18 months for CMMC). However, DFARS compliance is embodied in the existing NIST SP 800–171r2.

• DoD intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. (timing TBA).

• Both CFR 32 & 48 will have a public comment period. While these rulemaking efforts are ongoing, the DoD intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.

In general, during this interim period, until CMMC 2.0 is set in stone by CFR 32 and 48, there are a few recommendations:

• DoD encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. This is embodied in implementing the 110 controls in the NIST SP 800–171r2.

• The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.

• The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period (e.g., CMMC audits are not occurring, except in ‘pilot’ testing instances).

Where to start?

So, if you are a manufacturer or supplier for DoD, or an organization that wants to use a robust model to secure your intellectual property, where can you start? Here is a general starter list; it certainly needs additional work beyond what is listed here:

• CMMC 2.0 is a heavy lift.

• CMMC 2.0 Level 1 requires a small set of controls.

• For CMMC 2.0 Level 2, start with the 110 controls embodied in NIST SP 800–171r2:

  • Approximately 40–45% contain some or all technical controls/mitigations:

    • Encryption at rest and in transmission

    • Layered network architecture

    • Role-based access control (RBAC)

    • MFA, etc.

  • Approximately 55–60% are administrative controls (policies, procedures, practices, training).

• For CMMC 2.0 Level 3, continue with NIST SP 800–172.

The bottom line is that CMMC 2.0 is a vast improvement over CMMC 1.0. Further, with the creation of CMMC 2.0, the DoD did listen to its manufacturers and suppliers (finally). The 2.0 model incorporates the NIST SP 800–171r2 and the NIST SP 800–172, and omits the additional controls (practices) initially put in place by CMMC 1.0. The good news is that you do not need to implement CMMC 2.0 (yet) and can hold off on contacting all the vendors that are attempting to sell you high-dollar services for CMMC 2.0.

I also created a video discussing this and posted it on YouTube. Please see this link: https://www.youtube.com/watch?v=8om_haHoJr4&t=1s

And, by the way, of course the items expressed in this article are my opinions. Please feel free to contact me. I can be reached at ron@highervista.com

Notes

• SP 800–171r2 is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”

• SP 800–172 is “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171”

Useful References

• Carnegie Mellon University — Software Engineering Institute: https://www.sei.cmu.edu/

• Center for Internet Security (CIS) Critical Security Controls: https://www.cisecurity.org/controls

• CMU Capability Maturity Model: https://www.sei.cmu.edu/about/history-of-innovation-at-the-sei/display.cfm?customel_datapageid_40842=41036

• US DoD OSD CMMC: https://www.acq.osd.mil/cmmc/

• What is CMMC? https://gsa.federalschedules.com/resources/get-up-to-speed-on-cmmc/

• What is DFARS? https://www.federalregister.gov/defense-federal-acquisition-regulation-supplement-dfars-

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, an MSc in Computer Science from Arizona State University, and completed a post-doctoral graduate research program in Cyber Security Technologies at the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, MSc, PhD, CDNA, CISSP

CMTC Email: rmcfarland@cmtc.com
Email: highervista@gmail.com
LinkedIn: https://www.linkedin.com/in/highervista/
Website: https://www.highervista.com
YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw


Written by Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)