Pentagon Releases Updated CMMC Documentation

iStock photo

The Defense Department has been increasingly focused in recent years on protecting controlled unclassified information, or CUI, within its supply chain. Until recently, contractors were working to implement requirements set forth under CMMC Version 1.0 in anticipation of the rollout.

However, the Pentagon announced CMMC Version 2.0 in November and released key documentation with implications for contractors.
CMMC 2.0 simplifies certain aspects of CMMC 1.0 and requires compliance with fewer technical controls. A key difference between the versions is the reduction in the levels from five to three in CMMC 2.0 — Foundational (Level 1), Advanced (Level 2) and Expert (Level 3) — as well as the elimination of all maturity processes.

Under the new version, a Level 1 self-assessment is required where federal contract information, or FCI, is involved. A Level 2 self-assessment/attestation or third-party certification is required where CUI is involved, and a Level 3 assessment is required when the Defense Department determines that a contractor must implement additional practices to reduce the risk associated with advanced persistent threats.

The Pentagon has stated that CMMC 2.0 will not be a contractual requirement until the department completes the rulemaking needed to implement the program. However, it released key documentation over the final weeks of 2021 that provides insight into forthcoming program requirements, including: a model overview document; self-assessment scopes for Level 1 and 2 assessments/certifications; assessment guides for Level 1 and 2 attestations/certifications; and the artifact hashing tool user guide.

Although that rulemaking process is estimated at nine to 24 months, these documents are highly relevant to any contractors selling to the department.

The newly released overview document outlines the general requirements that contractors must implement to achieve each level. It affirms that Level 1 of CMMC 2.0 is equivalent to all of the safeguarding requirements from Federal Acquisition Regulation clause 52.204-21 and Level 2 is equivalent to all of the technical controls in NIST SP 800-171 Rev. 2. It also indicates that Level 3 certification requirements will be a subset of the requirements in NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171,” but it does not specify which requirements will apply.

In each case, the levels build on one another, i.e., a contractor must implement all of the technical controls at Levels 1 and 2 plus additional Level 3 requirements to achieve a Level 3 certification.

The CMMC self-assessment scope for Level 1 and Level 2 is used to define those assets within the contractor’s environment that will be in scope of the assessment and self-attestation/third-party certification. Specifically, this document relates to the description of the environment that will store, process, and/or transmit FCI (Level 1) or CUI (Level 2), which are considered to be “in-scope assets.”

Each of these documents makes clear that there are no documentation requirements for out-of-scope assets and that such assets should not be part of the assessment. Notably, each document addresses “specialized assets,” which include: government property; internet of things or industrial internet of things; operational technology; restricted information systems; and test equipment.

Specialized assets are not part of the assessment scope under Level 1 and are therefore not assessed against CMMC practices.

Specialized assets are part of the assessment scope under Level 2, however, and contractors are required to document these assets in the system security plan and detail how they are managed using the contractor’s risk-based information security policy, procedures and practices.

The Level 1 and Level 2 assessment guides are intended to provide certified assessors, contractors, and IT and cybersecurity professionals with guidance to help prepare for an assessment, including self-assessments. The two guides are similarly organized, and each provides: an overview of the assessment and certification process; information about assessment criteria and methodology; clarification of the intent and scope of various terms of the CMMC; and assessment requirements and specifics for each practice.

Specific information in the guides includes the type of documentation to be assessed, documentation of assessment findings, and examples of implemented technical practices, among other things. The Level 2 assessment guide also indicates that it leverages information included in NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.”

The artificial hashing tool user guide provides an overview of the CMMC’s artifact hashing tool, which is used to create a unique digital fingerprint (i.e. SHA-256 hash) for each document, file, or other artifact used as proof of compliance. The document explains that assessors do not take copies of artifacts of evidence with them after an assessment because these articles are proprietary to the contractor. Instead, the assessor generates unique fingerprints of each file using the tool and follows the instructions set forth in the guide so that the assessor can document the exact artifacts, and the contractor could produce those artifacts in the future, if needed.

Susan Cassidy and Ashden Fein are partners and Robert Huffman is senior of counsel at Covington & Burling LLP. Ryan Burnette, an associate at the firm, also contributed to this article.

Topics: Cybersecurity