Here is the news from the last few weeks (between mid-December and early January).
C3PAOs eating their own dog food
We already knew that C3PAOs (CMMC assessment organizations) need to pass a CMMC level 3 assessment of their own information system before they can start work. This is why there aren’t any assessments yet, because there is a bottleneck at this stage in the process.
The CMMC-AB just announced that C3PAOs have new requirements if they use cloud systems for CUI. These requirements were provided by the DoD Project Management Office for CMMC.
If a C3PAO uses an external cloud service provider to store, process or transmit CUI, the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline, and ensure that any gaps between FedRAMP High and CMMC Level 3 have been addressed.
If a C3PAO selects services from an external cloud service provider that have not been FedRAMP authorized, the C3PAO is responsible for the independent assessment of the cloud service provider and providing this assessment information to DCMA as part of their CMMC Level 3 assessment.
Assessment guides supersede the Appendixes
This statement is on page 9 of the CMMC Assessment Guide for Level 3:
Additional references are available in the table of the CMMC Model Overview document. The additional references provide information related to the practice or process to further understand the concepts. However, this CMMC Assessment Guide and the CMMC Model Overview document are the only authoritative sources for CMMC practices.
I confirmed with a CMMC-AB Board member and with CMU-SEI that this is correct. The CMMC Model Appendix is considered outdated at this point. Change your bookmarks to the Assessment Guides.
Congress requiring DoD to get evaluated against CMMC levels?
This is second-hand, so I might have it wrong, but apparently this text is in the National Defense Authorization Act which was just passed (despite the veto).
1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework
(a) Cyber security practices and capabilities in the Department of Defense
(1) In general. Not later than March 1, 2021, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework. The report shall include, for each component that does not achieve at least level 3 status (referred to as good cyber hygiene in CMMC Model ver. 1.02), a determination as to whether and details as to how—
(A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and
(B) such component will mitigate potential risks until such measures are implemented.
(2) Comptroller General report required. Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.
The obvious problem is the 3-month deadline when so much about the CMMC is not figured out yet. Something will get reported, but it probably won’t be CMMC compliance.
Other Federal Agencies adopting the CMMC for their contracts?
Although the CMMC isn’t set to roll out to all defense contractors for another five years, it may already be gaining momentum in other parts of the government, according to Arrington.
“In January, you’re going to see, it’s their story to tell, but you’ll hear at least two federal agencies that are going to formally acknowledge and say that they’re adopting the CMMC,” she said. “I think that this is definitely going to go outside DOD. I know it is.”
Microsoft 365 GCC High easier to apply for
Microsoft expands qualifications accepted for Office 365 / Microsoft 365 Government Cloud (Gov and GCC High)
Previously, Microsoft required a formal sponsor letter from a government agency, or from a current Gov / GCC High client, to get access to GCC High. This posed problems for the following types of companies:
- Companies that are just getting into government contracting but don’t have a contract yet.
- Service providers for government contractors (such as MSPs or subcontractors).
Microsoft just announced that they will accept SAM.gov / DUNS registration as an alternate proof of being eligible for Government contracting. This removes a huge roadblock for many companies that are supporting the Defense Industrial Base and want to switch to GCC High.
This isn’t an endorsement, but it is an acknowledgement that Microsoft is a major leader in DFARS 7012-compliant cloud systems. Many DIB subcontractors, vendors, and MSPs would like to switch to GCC High if they could. And now they have the opportunity to.
NSA Advisory about hardening authentication systems
I recommend checking out our other recent articles here. Lots of new information this week!