CMMC Level 2: The Good, the Bad and the Ugly

Overview


In this series of articles, we explore the different certification requirements of CMMC Levels 1, 2 and 3; the impact on contractors and external service providers; and proposed next steps. Read our initial summary here, our Level 1 summary here and our Level 3 summary here.

On December 26, 2023, the US Department of Defense (DoD) published its long-awaited proposed rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. Comments on the proposed CMMC rule are due February 26, 2024.

CMMC Level 2 will no doubt feel familiar to many Federal contractors who have been subject to the current Defense Federal Acquisition Regulation Supplement (DFARS) requirements, in large part because the specific security controls all map to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2. However, there are significant developments to be aware of, as well as surprising details that may change after feedback on the draft rule is collected.

As we indicated in our initial summary, many of the most important questions about CMMC were not answered in the proposed CMMC rule and may not be answered until DoD completes a separate rulemaking in DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements. This uncertainty is one of the “ugly” features of the proposed CMMC rule discussed below, along with a significant expansion of the CMMC ecosystem. Before getting to the ugly, however, we first discuss the “good” and the “bad.”

In Depth


THE GOOD: UNCHANGED REQUIREMENTS, SECURITY CONTROLS AND ASSESSMENT METHODOLOGY

The good news: CMMC Level 2 does not introduce any new controls. The proposed CMMC Level 2 will not require a Federal contractor or subcontractor to implement any controls that are not already part of the existing DFARS requirements (32 C.F.R. 170.4(b)). This is so regardless of whether a covered contract requires a CMMC Level 2 Self-Assessment or a CMMC Level 2 Certification Assessment (more on the difference between these below). The preamble to the proposed rule confirms this multiple times, but perhaps most clearly as follows:

CMMC does not require implementation of any additional security protection requirements beyond those identified in current FAR clause 52.204-21 and in NIST SP 800-171 Rev 2 for CMMC Levels 1 and Level 2, respectively. (88 Fed. Reg., 89,058 at 89,074).

CMMC Level 2 codifies an assessment process that closely conforms to the security controls and associated discussions of NIST SP 800-171 Rev 2 and incorporates many aspects of DoD Assessment Methodology, Version 1.2.1 (2020 Assessment Methodology), first published in June 2020. These security controls have been a required component of the existing self-assessment methodology established by DFARS 252.204-7019 in November 2020. The scoring of individual controls under CMMC Level 2 follows the same 110-point scale as the 2020 Assessment Methodology, with one-, three- or five-point deductions for unimplemented controls. Like CMMC Level 1, CMMC Level 2 adopts the assessment procedure in NIST SP 800-171A for these controls.

The CMMC Level 2 controls are identical to the NIST SP 800-171 Rev 2 controls, merely adding a prefix of “DD.L2” to the number of the control. The “DD” field contains the two-letter domain abbreviation from NIST SP 800-171 Rev 2 and L2 stands for CMMC Level 2 (32 C.F.R. 170.14; see also 32 Fed Reg. at 89,065). For example, NIST SP 800-171 control 3.1.8 (Limit unsuccessful logon attempts) is numbered AC.L2-3.1.8 in CMMC.

Upon completion of a CMMC Level 2 Self-Assessment, just like with the 2020 Assessment Methodology, contractors must submit the following in the Supplier Performance Risk System (SPRS):

  • CMMC Level (in this case Level 2).
  • Assessment Date.
  • Assessment Score.
  • All industry CAGE code(s) associated with the information system(s) assessed by the CMMC Assessment Score.
  • Overall self-assessment score (out of 110).
  • Plan of actions and milestones (POA&M) usage and compliance status (if applicable for scores under 110).

The bottom line: An entity that has (1) implemented NIST SP 800-171, (2) completed a System Security Plan (SSP) for each relevant system, (3) maintained a POA&M where necessary, (4) performed self-assessments using the 2020 Assessment Methodology and (5) submitted a score to the SPRS every three years following its self-assessments is in a very good position to obtain certification at CMMC Level 2. As a bonus, for any contractor that underwent a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under the 2020 Assessment Methodology and received a perfect score, the new rule provides a mechanism to obtain a CMMC Level 2 certification, valid for three years after the date of the DIBCAC High Assessment, as long as the system has the same scope, after providing required attestations (32 C.F.R. § 170.20).

THE BAD: SCOPING, ASSESSMENT/CERTIFICATION TIERS, SCORING AND POA&MS

Unfortunately, security controls are just about the only part of the compliance process that will not change under CMMC Level 2. Despite DoD’s assurances that the CMMC rule does not require implementation of any “new” controls, the proposed rule does introduce the following significant changes to the existing process:

  • A two-tiered approach to CMMC Level 2 (Self-Assessment by the contractor and Certification Assessment by a CMMC Third-Party Assessor Organization (C3PAO)), replacing the 2020 Assessment Methodology’s three-tiered approach (Basic, Medium and High Assessments);
  • Scoping requirements, including explicit inclusion of Security Protection Assets, a limited check of Contractor Risk Managed Assets and required documentation of Specialized Assets;
  • A newly established minimum score of 88;
  • A list of controls that must be met, regardless of score, limiting the use of POA&Ms;
  • Required affirmations after submission of the score and yearly thereafter;
  • A deadline of 180 days after assessment for completion of all items in a POA&M, including the performance of an additional closeout assessment; and
  • Additional affirmations of compliance.

Self-Assessments Versus C3PAO Assessment

The proposed CMMC rule distinguishes between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by C3PAOs and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. CMMC Self-Assessments are performed by the contractor. The results of each assessment must be submitted to SPRS (for Self-Assessments) or Enterprise Mission Assurance Support Services (eMASS) (submitted by the C3PAO for Certification Assessments).

The proposed rule refers to a contractor pursuing a Self-Assessment or Certification Assessment as an “Organization Seeking Assessment” or “OSA.” A contractor pursuing a Certification Assessment is also referred to as an “Organization Seeking Certification” or “OSC.” Our discussion below will simply refer to “contractors” but will distinguish between Self-Assessments and Certification Assessments.

As CMMC is phased in, each Federal contract or renewal will identify the required certification as determined by the agency. Although future contractual requirements may vary, Federal contractors will likely need to decide on an approach far sooner. Even if a contractor’s existing contracts are not likely to require C3PAO certification themselves, the market for CMMC Level 2 Certification Assessment may drive the decision. Prime contractors in particular will need to make strategic decisions about subcontractor requirements.

Interestingly, DoD seems to be planning for a significant majority of CMMC Level 2 requirements to be C3PAO-led Certification Assessments. Included in the proposed CMMC rule are tables that estimate the breakdown of CMMC Level 2 certifications over the next 10 years. These tables list 9,510 entities performing Self-Assessments in that timeframe, but almost 20 times as many entities (182,105) performing Certification Assessments (88 Fed. Reg. at 89,091–89,095). It is not clear whether DoD incorporated market and flowdown pressures into these estimates, but it is clear that many contractors will not be in a position to rely on Self-Assessment for their CMMC Level 2 requirements. Contractors that have obtained a CMMC Level 2 Certification Assessment can be expected to aggressively lobby agencies during pre-solicitation and question-and-answer phases to incorporate Certification Assessment requirements in solicitations and limit competition.

Scope of the Environment

The proposed rule clarifies some existing scoping considerations, introduces new defined terms and explicitly incorporates certain new concepts into an entity’s scoping for CMMC Level 2 assessments. The environment must be scoped to include the following:

  • Controlled Unclassified Information (CUI) Assets. Assets that process, store or transmit CUI.
  • Security Protection Assets. Assets that provide security functions or capabilities to the assets that make up the contractor’s CMMC Assessment Scope.
  • Contractor Risk Managed Assets. Assets that are associated with the assets that make up the contractor’s CMMC Assessment Scope, but are not themselves intended to process, store or transmit CUI.
  • Specialized Assets. Assets that can process, store or transmit CUI but are unable to be fully secured.
  • External Service Providers (ESPs) (other than Cloud Service Providers) to the contractor, which must have a CMMC Level 2 Final Certification Assessment.
  • Cloud Service Providers (CSPs) to the contractor, which must have FedRAMP Moderate or equivalent controls.

Security Protection Assets

Although including security protection components in any system assessment is not a new requirement, CMMC establishes a defined term, Security Protection Assets, to categorize these components. Security Protection Assets are “assets providing security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store or transmit CUI.” This definition clarifies the existing NIST SP 800-171 Rev. 2 requirement to incorporate both components “that process, store or transmit CUI” and components “that provide security protection for such components” into the assessment scope (NIST SP 800-171, Rev 2. § 1.1, page 2. “The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components,” emphasis added). Like CUI Assets, these Security Protection Assets are fully in scope for CMMC assessments. See also the discussion of Security Protection Data, below.

Contractor Risk Managed Assets

The proposed rule introduces a new asset category, Contractor Risk Managed Assets. These assets are defined as “Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices.” The CMMC rule also describes them as “Assets [that] are not required to be physically or logically separated from CUI assets” (32 C.F.R. § 170.19(c)(1), Table 1). Unlike Security Protection Assets, Contractor Risk Managed Assets do not align with existing requirements under NIST SP 800-171 Rev. 2.

Contractor Risk Managed Assets must be documented in the asset inventory, the SSP and the network diagram of the CMMC Assessment Scope (just like CUI Assets and Security Protection Assets). However, they are not fully in scope of the assessment. Assessment of these assets is only required if they are not sufficiently documented or if the contractor’s risk-based security policies, procedures and practice documentation raise any questions about these assets. This limited check should not materially increase the assessment’s duration or cost, but where it is triggered, these assets are assessed against the same CMMC assessment requirements as other in-scope assets.

The way this CMMC rule is drafted raises significant questions about how Contractor Risk Managed Assets will be handled in practice. It’s not clear what will constitute “sufficient” documentation or what would raise questions about these assets. What is clear is that scoping itself is of material importance for the assessment process.

Specialized Assets

The CMMC rule also introduces Specialized Assets. Specialized Assets are described as assets that can process, store or transmit CUI but are unable to be fully secured, including Internet of Things devices, Industrial Internet of Things devices, Operational Technology, Government Furnished Equipment, Restricted Information Systems and Test Equipment (id.). These assets are required to be documented in the asset inventory, the SSP and the network diagram. The contractor is also required to show that these assets are managed using the contractor’s risk-based security policies, procedures and practices; however, the assessment does not evaluate any other CMMC requirements.

Scoring

CMMC Level 2 scoring is built from the 2020 Assessment Methodology. Each required control is scored using the control objectives in NIST SP 800-171A and results in a finding of MET, NOT MET or NOT APPLICABLE. The maximum score is 110, representing a finding of MET for each of the 110 NIST SP 800-171 controls. However, each required control has a weighted number of points: five, three or one (note that the weighting of the individual controls remains the same for CMMC Level 2). Thus, an entity’s score can be as low as -203 if none of the required controls are implemented. Controls with a finding of NOT MET reduce the score, even if there is an entry in a POA&M addressing the control. Findings of NOT APPLICABLE have no effect on the overall score.

The first key change in scoring is that the proposed CMMC Level 2 introduces a minimum score of 88. This minimum was calculated as the assessment score divided by the total number of security requirements, with the requirement set at greater than or equal to 0.8 (32 C.F.R. § 170.21). The existing DFARS self-assessment process does not provide any scoring calculations and does not set a minimum score. Instead, Federal contractors are directed to provide, for any score less than 110, a date by which the contractor expects to obtain a score of 110, as determined by the contractor’s POA&M.

The second key change in scoring is that in addition to the minimum score, a finding of NOT MET for certain controls results in an incomplete assessment, thus limiting the use of POA&Ms significantly. Entities seeking CMMC Level 2 certification must therefore meet both a specific control requirement and a minimum score in order to complete their certification. To complicate matters, any assessment score between 88 and 109 is only a “CMMC Level 2 Conditional Self-Assessment” (32 C.F.R. § 170.16(a)(1)(ii)) or a “CMMC Level 2 Conditional Certification Assessment” (32 C.F.R. § 170.17(a)(1)(ii)). A “CMMC Level 2 Final Self-Assessment” (32 C.F.R. § 170.16(a)(1)(iii)) and a “CMMC Level 2 Final Certification Assessment” (32 C.F.R. § 170.17(a)(1)(iii)) are defined as assessments that achieve a perfect score and have no POA&M. Contractors with a Conditional Self-Assessment or Conditional Certification Assessment must obtain a Final Certification within 180 days in order to maintain their status.

CMMC Level 2 Final Certification Assessments (i.e., a perfect score assessed by a C3PAO) are required for any entity that is planning to achieve a Level 3 certification for the entire scope of assets that are covered in the Level 3 certification, which is not surprising (32 C.F.R. § 170.24(c)(3), “The CMMC Level 3 scoring methodology reflects the fact that all CMMC Level 2 security requirements must already be MET (for the Level 3 CMMC Assessment Scope). A maximum CMMC Level 2 assessment score is required to be eligible for conduct of a CMMC Level 3 Certification Assessment”).

A final scoring development in the proposed rule is that any non-CSP ESP for a contractor seeking CMMC Level 2 certification may be required to have its own CMMC Level 2 Final Certification Assessment in order to continue providing services to that contractor (32 C.F.R. § 170.19(c)(2)). This means that ESPs would need to obtain a perfect score well in advance of their customers’ own assessment needs.

POA&Ms

POA&Ms, which are allowed as part of the existing DFARS self-assessment process, are of much more limited utility for CMMC Level 2 certification. As described in more detail above, a successful CMMC Level 2 assessment must result in a score of 88 or greater, and only certain controls are eligible to be included in a POA&M. Any control on a POA&M must be implemented and reassessed within 180 days. None of the security requirements eligible to be included in a POA&M have a point value of greater than one, except that SC.L2-3.13.11 (CUI Encryption) may be included on a POA&M if it has a value of one or three. None of the following controls may be on a POA&M:

  • AC.L2-3.1.20 External Connections (CUI Data).
  • AC.L2-3.1.22 Control Public Information (CUI Data).
  • PE.L2-3.10.3 Escort Visitors (CUI Data).
  • PE.L2-3.10.4 Physical Access Logs (CUI Data).
  • PE.L2-3.10.5 Manage Physical Access (CUI Data).
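The scoring rules from the Scoring section and the POA&M eligibility rules above, worked through as an added example (this is not DoD’s scoring tool and not text from the proposed rule): it computes the 110-point score, applies the minimum of 88, and checks every NOT MET control against the POA&M restrictions before deciding between Final, Conditional and not achieved. The per-control weights and the sample findings are assumptions constructed for the example; the real weights come from the DoD Assessment Methodology.

```python
"""CMMC Level 2 scoring and POA&M eligibility, as described in the proposed rule.

Added illustration, not DoD's or a C3PAO's tool. Rules encoded:
  * 110-point scale, with 5-, 3- or 1-point deductions for NOT MET controls;
  * minimum passing score of 88 (score / 110 >= 0.8, 32 C.F.R. 170.21);
  * scores of 88-109 are only Conditional, and every NOT MET control must be
    POA&M-eligible (1-point controls, or CUI Encryption at a value of 1 or 3,
    never the five listed controls); the POA&M must close out within 180 days;
  * Final status requires a perfect score with no POA&M.
Per-control weights in the sample are constructed, not taken from the real table.
"""
import math
from dataclasses import dataclass
from enum import Enum

TOTAL_CONTROLS = 110                 # NIST SP 800-171 Rev 2 controls
MAX_SCORE = TOTAL_CONTROLS           # one point credited per MET control
MIN_RATIO = 0.8                      # 32 C.F.R. 170.21 threshold
POAM_CLOSEOUT_DAYS = 180
CUI_ENCRYPTION = "SC.L2-3.13.11"     # POA&M allowed only at a value of 1 or 3

# Controls that may never be placed on a POA&M.
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


class Finding(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


@dataclass(frozen=True)
class Result:
    control: str       # CMMC identifier, e.g. "AC.L2-3.1.8"
    finding: Finding
    points: int        # 5, 3 or 1: deducted when the control is NOT MET


def minimum_score() -> int:
    """Smallest integer score with score / TOTAL_CONTROLS >= MIN_RATIO (88)."""
    return math.ceil(MIN_RATIO * TOTAL_CONTROLS)


def compute_score(results: list[Result]) -> int:
    """Deduct the weight of every NOT MET control; NOT APPLICABLE has no
    effect. Controls absent from `results` are treated as MET."""
    return MAX_SCORE - sum(r.points for r in results if r.finding is Finding.NOT_MET)


def poam_eligible(r: Result) -> bool:
    """May this NOT MET control be carried on a POA&M?"""
    if r.finding is not Finding.NOT_MET or r.control in NEVER_ON_POAM:
        return False
    if r.control == CUI_ENCRYPTION:
        return r.points in (1, 3)
    return r.points == 1


def classify(results: list[Result]) -> tuple[str, int, list[str]]:
    """Return (status, score, NOT MET controls that cannot go on a POA&M)."""
    score = compute_score(results)
    not_met = [r for r in results if r.finding is Finding.NOT_MET]
    blocking = [r.control for r in not_met if not poam_eligible(r)]
    if score == MAX_SCORE:
        return "FINAL", score, []
    if score >= minimum_score() and not blocking:
        return "CONDITIONAL", score, []      # POA&M due within POAM_CLOSEOUT_DAYS
    return "NOT ACHIEVED", score, blocking


# Constructed sample findings (weights assumed); unlisted controls are MET.
SAMPLE_CONDITIONAL = [
    Result("AC.L2-3.1.8", Finding.NOT_MET, 1),          # limit unsuccessful logons
    Result("AU.L2-3.3.4", Finding.NOT_MET, 1),          # audit-failure alerting
    Result(CUI_ENCRYPTION, Finding.NOT_MET, 3),         # CUI Encryption at partial value 3
    Result("PE.L2-3.10.6", Finding.NOT_APPLICABLE, 1),  # no alternate work sites
]
SAMPLE_BLOCKED = SAMPLE_CONDITIONAL + [
    Result("AC.L2-3.1.20", Finding.NOT_MET, 1),         # on the never-POA&M list
    Result("AC.L2-3.1.1", Finding.NOT_MET, 5),          # 5-point control, not eligible
]
SAMPLE_BELOW_MINIMUM = [
    Result(f"IA.L2-3.5.{n}", Finding.NOT_MET, 5) for n in (1, 2, 3, 4, 10)
]

if __name__ == "__main__":
    for name, sample in [("conditional", SAMPLE_CONDITIONAL),
                         ("blocked", SAMPLE_BLOCKED),
                         ("below minimum", SAMPLE_BELOW_MINIMUM)]:
        status, score, blocking = classify(sample)
        print(f"{name:14s} score={score:4d} status={status} blocking={blocking}")
```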

For any Conditional Assessment, information about the associated POA&M is a required part of the SPRS (or eMASS) submission. The current DFARS self-assessment process allows an entity working towards full implementation of the NIST 800-171 controls to fulfill its DFARS 252.204-7012 and -7019 obligations through the use of a POA&M that can cover any number of controls and for which the contractor sets its own completion date. Three years after the introduction of the self-assessment process, DoD is signaling that this lenience is over. The proposed rule significantly restricts partial implementation and requires that Federal contractors meet a full compliance timeline set by DoD.

Required Affirmations

The CMMC rule introduces new requirements for affirmations that must be provided by a contractor senior official who is responsible for ensuring the contractor’s compliance with the CMMC Program. The affirmation requirement is in addition to contract certifications. Following a CMMC Level 2 certification (Self-Assessment or Certification Assessment), a senior official will file an affirmation statement, under the official’s own name, attesting that the contractor has implemented and will maintain implementation of all applicable CMMC requirements for all information systems within the relevant CMMC Assessment Scope at the applicable CMMC Level (32 C.F.R. § 170.22). This affirmation must be made upon completion of the initial assessment, annually thereafter and following any POA&M closeout assessment (32 C.F.R. § 170.22).

These affirmations present a heightened risk to Federal contractors of False Claims Act violations (31 U.S.C. §§ 3729-3733). The annual affirmation requirement in particular requires Federal contractors to be vigilant in maintaining their assessed environments, to identify and surface any changes that would affect the environment’s compliance with CMMC requirements, and to have a process to ensure that the senior officials making the affirmations have accurate and complete information regarding the entity’s CMMC compliance.

THE UGLY: EXPANDING THE CMMC ECOSYSTEM, UNCERTAINTY REGARDING WHICH CONTRACTS WILL REQUIRE CMMC LEVEL 2 SELF-ASSESSMENTS AND CERTIFICATION ASSESSMENTS, AND FUTURE COMPLICATIONS

Expanding the CMMC Ecosystem

External Service Providers

Even if some current Federal contractors are not surprised by the proposed CMMC rule, the rule introduces Federal contracting requirements and risks to the fast-growing ESP sector. Certain types of ESPs, including those that provide managed services, will now need to undertake CMMC compliance projects even where they themselves have no Federal contracts.

ESPs, such as external IT or cybersecurity support services, whose services are in scope for a customer’s CMMC Level 2 assessment, will now be subject to customer requirements to obtain a CMMC Level 2 self-assessment or certification assessment in advance of the customer’s own CMMC certification (32 C.F.R. § 170.19(c)(2)). It seems likely that ESPs will also be held to a higher standard than their clients, as the proposed CMMC rule requires that ESPs obtain the same type of certification as their customers. An ESP with a single customer seeking certification assessment will need to obtain certification assessment. This will give a significant advantage to ESPs already in the Federal contracting ecosystem, as well as entities that are able to devote resources and time to meeting CMMC requirements in the short term.

Security Protection Data

As part of its inclusion of ESPs, the proposed CMMC rule introduces a new defined term, “Security Protection Data,” but then does not define it. Security Protection Data is used three times in the CMMC rule, each time in the context of an ESP, and each time it is followed with the parenthetical “(e.g., log data, configuration data)” (88 Fed. Reg. at 89,121; 89,134; and 89,135). So, at best we know that Security Protection Data includes log data and configuration data, but it could also include other types of data. The first use of the defined term is in relation to the ESP definition:

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (88 Fed. Reg. at 89,121, emphasis added.)

In addition to being undefined, the use of the term as a condition in the definition of an ESP is problematic. The likely intent is that an ESP is only an ESP if it stores, processes or transmits CUI or “Security Protection Data,” whatever that term is. However, the way the condition is added to the definition implies that an entity can avoid being an ESP (as defined in the CMMC rule) if it merely processes, stores or transmits CUI or Security Protection Data on assets that do not belong to the ESP. Perhaps the final rule will provide clarity by modifying this condition and clearly defining Security Protection Data.

Uncertainty Regarding Application

CMMC Level 2 is intended to provide increased assurance to DoD that the industrial base is safeguarding CUI. CMMC Level 2 will therefore apply to procurements where a contractor must process, store or transmit CUI. As multiple US Government Accountability Office and DoD Inspector General Reports have observed, Federal agencies have been anything but consistent when identifying and marking CUI. And all too often, Federal agencies incorrectly mark as CUI information that is not CUI, or, when uncertain whether information is CUI, err on the side of marking it as CUI.

Overmarking of CUI will necessarily result in over-application of CMMC Level 2, which necessarily restricts competition to contractors with a CMMC Level 2 Self-Assessment or Certification Assessment. As a result, without better guidance to procuring agencies on how to determine whether a particular procurement truly will require the contractor to process, store or transmit CUI, the Government’s ability to obtain full and open competition to the maximum extent practicable is in real jeopardy. Whether DoD will provide any substantial guidance in DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, or whether DoD will expect contracting officers to simply defer to the CUI designations made by program offices, is entirely uncertain.

Equally uncertain is when contracting officers will require a CMMC Level 2 Certification Assessment for a particular procurement and whether CMMC Level 2 Self-Assessments will eventually be phased out. As noted above, the proposed CMMC rule contemplates that CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until 18 months after the start of implementation. Ultimately, however, DoD estimates that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. One would think that given the broad range of information that constitutes CUI and the varying degrees of risk posed by disclosure of the different types of CUI, the pro-competitive benefits of requiring a CMMC Level 2 Self-Assessment would outweigh the enhanced security benefits of a CMMC Level 2 Certification Assessment in a substantial number of procurements. But again, without meaningful guidance to contracting officials on how to balance those competing concerns, it seems likely that many will take the “safe” route and simply default to requiring a CMMC Level 2 Certification Assessment.

Future Complications

NIST SP 800-171, Rev. 2

DoD codifies a specific revision of NIST SP 800-171, revision 2, into the CMMC rule. This is in contrast to the incorporation of NIST SP 800-171 without a specific revision into DFARS 252.204-7012 (DFARS 7012). This is significant because there is a draft revision of NIST SP 800-171, revision 3, that was published on July 14, 2023 (public comments are now closed). Without a specific revision named in DFARS 7012, the new version of NIST SP 800-171 will become required by this contract clause once revision 3 is finalized.

Revision 3 of NIST SP 800-171 revises the 110 controls of revision 2 to 138 controls that more closely align with NIST SP 800-53 (the original source of the NIST SP 800-171 controls). NIST characterizes 49 controls as “Significant Change,” 18 controls as “Minor Change,” 26 controls as “New Requirement,” 27 controls as “Withdrawn Requirement” and 53 controls that include new Organization-defined Parameters. Only 18 controls have no significant change from revision 2 to revision 3.

If NIST SP 800-171, revision 3, is finalized with the CMMC rule as it is currently drafted and with DFARS 7012 as it is currently drafted, DoD contractors may be put into a position where they have to demonstrate compliance with two separate revisions of the standard at the same time. DoD stated in the CMMC rule that it does not intend to impose “duplicative cybersecurity protection or assessment requirements”:

DoD does not intend to impose duplicative cybersecurity protection or assessment requirements. There is no conflict between the CMMC cybersecurity protection requirements described in this rule and DoD’s current information safeguarding requirements, including those set forth in DFARS clause 252.204-7012. This CMMC rule adds new requirements for the assessment of contractor implementation of underlying information security standards and guidelines, as applicable, such as those set forth in FAR clause 52.204-21 and in the NIST SP 800-171 Rev 2. (88 Fed. Reg. at 89,077.)

However, for this to be the case, DoD will have to update DFARS 7012 to hardcode NIST SP 800-171, revision 2, or update the CMMC rule to account for the updated controls (including renumbering the 110 Level 2 controls and redoing the scoring profile), either of which would likely require a new draft rule and comment period. This likely means that NIST SP 800-171, revision 3, will not be finalized any time soon, or even if it is finalized, it won’t be required by DoD.

Key Takeaways

CMMC Level 2 is not, for some, a totally new frontier. However, even those adept at NIST SP 800-171 security controls will face at least some adjustment to obtain or ensure continued compliance with CMMC Level 2 certification.

The Good:

  • NIST SP 800-171 rev. 2 security controls, by any other name, apply the same: The 110 controls that make up NIST SP 800-171 rev. 2 are the security requirements for CMMC Level 2, with a different label.
  • Familiarity: DoD Assessment Methodology and NIST SP 800-171A, both already incorporated into the existing self-assessment process, remain relevant to the CMMC Level 2 certification process.
  • Modification, not creation: Federal contractors that have met their existing DFARS self-assessment obligations are likely in good shape to obtain CMMC Level 2 certification.

The Bad:

  • Scope it out: CMMC Level 2 scoping includes not only newly defined terms but also asset types newly identified as important to include in review.
  • Two types of assessments: CMMC Level 2 consists of not one but two types of certification – Self-Assessment and Certification Assessment. DoD appears to anticipate that the majority of CMMC Level 2 requirements will be Certification Assessment requirements, but the requirement for Self-Assessment versus Certification will be dictated by the solicitation, once DFARS 252.204-7021 is finalized.
  • Newly established minimum: Unlike before, to gain certification contractors will have to meet a minimum score of 88, regardless of whether the entity is subject to Self-Assessment or Certification Assessment.
  • Limitations to otherwise open use of POA&M: Now, only certain controls can be placed on a POA&M for future implementation, and further, there is a 180-day limit on the implementation of those controls.
  • Yearly affirmations: In addition to the CMMC Level 2 assessments themselves, Federal contractors will now have an obligation to file initial and annual affirmations of continued compliance, signed by senior officials.

The Ugly:

  • Garbage in, garbage out: Improper marking of CUI and uncertainty regarding what is CUI will necessarily result in improper application of CMMC and uncertainty about how CMMC should be implemented.
  • ESPs may be unprepared: Many service providers to Federal contractors will now find themselves in scope for those contractors’ assessments and may themselves be subject to certification requirements. ESPs should start their own CMMC preparation process now in order to keep pace with potential demand.
  • Duplicative requirements: The proposed rule adopts NIST SP 800-171 rev. 2 itself, instead of taking a more flexible approach that would allow it to update revisions as they are published by NIST. Contractors may find themselves attempting to assert compliance with two sets of controls. CMMC compliance efforts will be ongoing, and contractors should ensure that the initial push to obtain certification is aligned with future cybersecurity goals.
  • Vague requirements: Security Protection Data, a concept that will be integral to determining whether service providers are in or out of scope, is poorly defined and seems likely to cause confusion during scoping, which may affect an entity’s assessment. Contractors should undertake CMMC Level 2 scoping carefully and reach out to CMMC service providers when there is any question regarding what assets or providers are in scope.

Stay tuned for our continuing analysis of the proposed CMMC rule.