CMMC Town Hall

Cyber AB Townhall

The Cyber AB Townhall on April 30 dealt with CMMC legal updates, new CMMC Terminology followed by an extended question and answer period.

The DFARS Title 48 rule has not been published (it was due in March) because the DARS Regulatory Control Officer identified issues with the proposed rule and raised them with the case manager. The figure below shows a 2-month slip. The projection is still that CMMC will be a requirement in some DoD solicitations by 1Q of calendar year 2025.

Most likely Timeline


CMMC Terminology

Below are terms the CMMC uses to draw a clearer distinction between roles and responsibilities in the CMMC / Cyber AB ecosystem.

Certification – the provision of written assurance that a person, organization, product, or service meets specific requirements. This written assurance (certificate) is generated by the C3PAO organization, which is staffed with certified CCPs, CCAs, and CCIs.

Accreditation – the formal recognition by an independent body that a certification body operates according to required standards. Note that the CAICO and the C3PAO are accredited by the Cyber AB. Note also that the Cyber AB itself is not accredited.

Authorization – the act of conveying permission or authority upon another. Applies to a C3PAO: it confirms that they meet the requirements to be a C3PAO and to conduct assessments.

Designation – a title or status conferred by a professional body in recognition of a person's expertise and the right to practice in a given professional field. This applies to RPOs, RPAs, and lead assessors.

Register – a roster of qualified or available individuals or organizations.

Licensed – in receipt of permission to act with a grant of rights. This applies to trainers and publishers.
Acronyms and Definitions contained in the Proposed Rule 170.4 – clarifying the difference between an assessment (self-review) and certification (third-party review):

Organization Seeking Assessment (OSA) – the entity seeking to conduct, obtain, or maintain a CMMC assessment for a given information system at a particular CMMC level (this is for SELF assessment).

Organization Seeking Certification (OSC) – the entity seeking to conduct, obtain, or maintain a CMMC certification for a given information system at a particular CMMC level (this is for independent third-party assessment).
Clarification on Data Processing / Storage / Transmission

Process – data can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).

Store – data is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).

Transmit – data is being transferred from one asset to another (e.g., data in transit using physical or digital transport methods).

Clarification on third-party service providers:

External Service Provider (ESP) – external people, technology, or facilities that an organization utilizes for the provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.

Cloud Service Provider (CSP) – an external company that provides platform, infrastructure, application, and/or storage services for its clients.

Note: an ESP needs to be CMMC certified, and a CSP needs to be FedRAMP Moderate certified or equivalent.


Question and Answer Section

Q: If an OSC is seeking CMMC level 2 and uses an ESP, does the ESP need to be CMMC level 2?
A: Yes


Q: Does a DIB company need to be assessed before it can be certified?
A: No – you can go to a certification without first getting formally assessed.


Q: What exactly is joint surveillance?
A: Joint Surveillance is an active program available to current DoD contractors, conducted by DIBCAC and an authorized C3PAO. If you pass, the assessment will be converted to a CMMC Level 2 certification.


Q: For the CMMC Level 2 certification, while this is a 3-year certification, you need to attest annually. Is this a self-attestation?
A: Yes; however, you need to identify any conditions that have changed since the certification.


Q: If an OSC feels the assessment was incorrect, what is the appeals process?
A: The first level of appeal goes to the C3PAO that employs the assessors. The C3PAO should have an independent appeals board. If the OSC is still not satisfied, they can raise the appeal to the Cyber AB. The Cyber AB will have a final appeals board.

Reminder:

Lastly, if you are a company going through the CMMC process and find you lack policies, procedures, or handbooks, we have these artifacts that you can tailor to your specific organization. Companies have saved hundreds of labor hours using these documents.

Also, for current clients of ASCERTIS: DoD has changed how the scorecard is being used for RFP assessment. Previously the only criterion was the submission of the cyber scorecard. Now they are using the actual score. For those that purchased the Level 1 assessment engine, it is recommended that you upgrade to the Level 2 assessment engine so that you can get credit for some of the 93 controls that are not in Level 1.

Also, for current clients of ASCERTIS: if you recommend our application or documents to another organization and this results in a purchase, we will pay your organization 10% of the initial sale price.


Why Choose ASCERTIS Solutions

ASCERTIS Solutions can conduct a security assessment of a small business in a week and provide a roadmap for your company to implement a cyber defense strategy that fits your budget.  Trained security professionals can be hired on a part-time basis to fill the role of Chief Cyber Security Officer (CISO) to assure that your roadmap is implemented in a timely and cost-effective fashion. 

If interested, please contact assessments@ascertis.solutions.